
Re: auth log full with



On Sun, 14 Aug 2022 16:07:03 +0200
Matthias Böttcher <matthias.boettcher@gmail.com> wrote:

> Am So., 14. Aug. 2022 um 09:51 Uhr schrieb Reco
> <recoverym4n@enotuniq.net>:
> 
> > Personally I don't use fail2ban for sshd. Because why bother with
> > userspace (written in python too, yuck) if the kernel does the same
> > job? I.e. block M$ AS, China Telecom AS and maybe add Eastern
> > Europe to the mix, and you've just reduced the number of offending
> > logins by two orders of magnitude.  
> 
> Hi Reco,
> 
> how do I block these IP ranges?
> Which source can I use to determine the geo location of ip addresses?

https://geotargetly.com/ip-geolocation-databases

> Is there a Debian packet?
> 

Synaptic turns up 'location'. I've never used it, so I know nothing
about it.

Banning countries by IP address was a non-starter ten years ago. You
wouldn't believe how fragmented the address space has become, as CIDR
blocks originally allocated to one country are found to be under-used
and parts get allocated to other countries.

If your only concern is cleaner logs, then run your ssh server on a
different port. I've done that for over twenty years and have no
problems with clogged logs or bots trying brute-force password attacks.
I'm on keys, anyway. Most Internet routers can let in packets bound for
any port, and rewrite them as going to port 22 on the ssh server.
Alternatively, sshd can use any port.

Disclaimer: I'm well aware that this strategy *provides* *no*
*additional* *security*, but it seems to discourage break-in attempts.
I don't expect it to keep the CIA out. This disclaimer was added for
the benefit of... well, you know who you are.

-- 
Joe

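The thread is about an auth.log flooded by sshd password attempts and whether to answer with fail2ban, kernel-level CIDR blocks, or a port move. Before choosing, it helps to see what is actually filling the log. The following is an added example, not code from anyone in this thread: a small POSIX shell tool that counts failed sshd logins per source address from auth.log-style lines and emits (but does not apply) an nftables set for the worst offenders. The log lines, the addresses (RFC 5737 documentation ranges) and the set name ssh_abusers are constructed for the example.

```shell
#!/bin/sh
# Added example: summarise failed sshd logins from Debian-style auth.log lines.
# All sample data below is constructed; the IPs are documentation addresses.

SAMPLE_LOG='Aug 14 09:50:01 host sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2
Aug 14 09:50:03 host sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Aug 14 09:50:05 host sshd[1236]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
Aug 14 09:50:09 host sshd[1237]: Accepted publickey for joe from 203.0.113.5 port 22022 ssh2: ED25519 SHA256:constructed
Aug 14 09:50:12 host sshd[1238]: Failed password for root from 192.0.2.10 port 51250 ssh2
Aug 14 09:50:15 host sshd[1239]: Invalid user oracle from 198.51.100.7 port 40002'

# failed_by_ip: read log lines on stdin, print "count ip" per source address
# for failed-password and invalid-user events, most frequent first.
# Accepted logins (like the publickey line above) are deliberately ignored.
failed_by_ip() {
    grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user)' |
    sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# blocklist_elements THRESHOLD: comma-separated addresses with at least
# THRESHOLD failures, in the form an nftables set element list expects.
blocklist_elements() {
    failed_by_ip |
    awk -v t="$1" '$1 >= t { a = a (a ? ", " : "") $2 } END { print a }'
}

# nft_ruleset THRESHOLD: print an nftables snippet that drops SSH traffic
# from the offenders.  It is only printed; review it before feeding it to
# "nft -f".  The table and set names are hypothetical.
nft_ruleset() {
    elems=$(blocklist_elements "$1")
    printf 'table inet filter {\n'
    printf '  set ssh_abusers { type ipv4_addr; elements = { %s } }\n' "$elems"
    printf '  chain input { type filter hook input priority 0; policy accept;\n'
    printf '    ip saddr @ssh_abusers tcp dport 22 drop }\n}\n'
}

# Usage against a live system (not run here):
#   failed_by_ip < /var/log/auth.log
#   nft_ruleset 20 < /var/log/auth.log
```

Running `printf '%s\n' "$SAMPLE_LOG" | failed_by_ip` on the constructed lines reports three failures from 192.0.2.10 and two from 198.51.100.7; with a threshold of 3 only the first address lands in the set. Whatever the output shows, the point Joe makes still stands: the set only shrinks the log, it is not a substitute for disabling password authentication.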