Blocking constant attacks
-
FireHOL seem to have a gazillion lists. I tried firehol level 3 yesterday and that did not do the trick. I am on travel now and will take a look at the other lists when I return.
Regarding the blocking, you are right, everyone's needs are different. I do travel quite a bit including international so blocking complicates things for me. Being from Europe and living in the US I also use international sites quite a bit. I could probably tighten down unsolicited inbound traffic and may think about it. Usually snort takes good care of blocking bad traffic, so I am not generally concerned. This case just stuck out.
-
@revengineer said in Blocking constant attacks:
US I also use international sites quite a bit.
Not blocking outbound... You never know were a site might be hosted.
If I was going to travel to X, then I would open up my vpn from X... But I see little reason for some IP in xyz country to be talking to my plex or my vpn server.. There is zero point to it..
But I don't block outbound other than ads via pihole.. and ublock in my browser..You never know where some site I want to go to is hosted..
-
One way or the other, the FW has to make a call whether it's blocked by country or just blocked, so what's the point of country block? The FW still burns cycles. Curious. I just use pfB to block outbound.
-
Inbound blocking only makes sense when you have port forwards in place or access to services on the firewall open like OpenVPN in this case. Then you can restrict by source IP using pfBlocker rather than just open it to everywhere.
Steve
-
@stephenw10 I see. I guess that may give support to using some rando upper port for VPN rather than something common like 443?
-
Yeah, you will always get way more hits on 443 than anything else. Port 1194 also gets probed as it's the default OpenVPN port. 11194 not so much. But really that only cleans your logs, security through obscurity is not real security.
-
@stephenw10 Yeah, the only real security is an air gap... But with 128K+ ports to choose from, I can be pretty obscure!
-
I really need to use 443 to be able to get to the vpn from work... I would normally just lock it down to my work IPs for this use.. But you do run into issues where only thing out is 443 tcp, etc. So in that case I can still access my vpn.. So I do the best I can and restrict it to US.. But my vpn and ha proxy doesn't need to spin cycles dealing with nonsense - much easier to just not let them any farther up the stack then the firewall.
-
@johnpoz said in Blocking constant attacks:
I would normally just lock it down to my work IPs for this use.
That's what I did. And I managed the FW. Nowadays (retired) I just enable VPN when I'm out of town (or Lazyboy).
-
@stephenw10 @provels I travel a lot and find that half the hotels block ports other than those used for web browsing, i.e., 80 and 443. While I have a UDP instance of OpenVPN running on port 1194, I frequently need to revert to the secondary instance on port 443 using TCP. So for usability, there is really no way around this.
-
@revengineer said in Blocking constant attacks:
hotels block ports other than those used for web browsing
Yup unless you pay for their "premium" wifi ;) quite common for them to do that - which is why running on 443 to get around those restrictions. But it can also see a lot of traffic that is not your vpn.
-
@revengineer @johnpoz Good to know, thanks.
