I have a non-public web server that's getting Let's Encrypt certificates. I
wrote a PHP program to look up the Let's Encrypt addresses and add them to an
ipset. My firewall (I'm using Shorewall) does an ACCEPT for port 80 on
anything in the ipset.

I'm attaching the email from the Shorewall users list. It contains the
announcement and a link to the program.

I run the program from cron so if the addresses change, the ipset gets
updated and is current:

10 0 * * * /usr/local/sbin/DNSlookup_ipset.php -4 -c letsencrypt.dnslookup -s letsencrypt -t dns 2>&1

/etc/shorewall/letsencrypt.dnslookup:
outbound1.letsencrypt.org
outbound2.letsencrypt.org

Bill

On 6/3/2019 6:35 PM, Kenneth Porter wrote:
--On Monday, June 03, 2019 4:23 PM -0400 Terry Carmen <te...@cnysupport.com> wrote:

I run ssh through a VPN tunnel, so the attempts never show up

I had been banning them, however it ended up turning into a problem
because my drop rules list was getting huge and causing a performance
problem.

How many probes do you see against your VPN?

I'm using ipsets for my ban lists to deal with large lists. I've got a big list adapted from the lists at ipdeny.com to drop all packets to my authenticated services from non-US addresses. I'm also blocking access from DigitalOcean and other cloud services. *Alas, I have to allow everything to my web server because Letsencrypt doesn't make any guarantees about the source of its identity checks to validate my domain*. (Or I could script temporarily dropping the block to my web server when I'm updating my certificate.)





_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
--- Begin Message ---
Bill Shirley has contributed a PHP program that will populate an IPSET
from DNS. The program is available at:

        http://www.shorewall.org/pub/shorewall/contrib/DNSLookup/
        ftp://ftp.shorewall.org/pub/shorewall/contrib/DNSLookup/

The program arguments are documented in the program source.

It is suggested that the program be run periodically via cron. The
program accepts an argument that sets the timeout value for entries in
the ipset. In most applications, setting the timeout to be considerably
longer than the DNS entries' TTL is recommended. That way, sites that
specify a short TTL and advertise a large number of addresses with short
TTLs in round-robin fashion will still fully populate the ipset over time.

Thanks to Bill for this contribution!

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________


_______________________________________________
Shorewall-users mailing list
shorewall-us...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

--- End Message ---
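The mechanism Tom describes (resolve a list of names, add every returned address to an ipset with an entry timeout well above the DNS TTL, rerun from cron so round-robin answers accumulate and stale ones age out) can be shown in a few lines. The following is an added example written for this thread; it is not Bill Shirley's DNSlookup_ipset.php and does not reproduce its option names. It reads the same one-name-per-line file format as the letsencrypt.dnslookup file above, resolves through a pluggable resolver (the real one uses getaddrinfo; the demo uses constructed addresses from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges), and emits an `ipset restore` batch rather than calling ipset directly, so the output can be reviewed or fed to `ipset restore` by root. The function names `read_hostnames`, `resolve_hosts`, `choose_timeout` and `build_ipset_batch` are assumptions of this example. As Kenneth's message points out, whether the addresses behind these hostnames are actually where Let's Encrypt validations originate is not something the CA guarantees, so the allow rule this feeds is only as good as that assumption.

```python
"""Build an `ipset restore` batch from DNS names, with per-entry timeouts.

Added example for the fail2ban-users thread; NOT Bill Shirley's
DNSlookup_ipset.php. All function names here are hypothetical.
"""
import ipaddress
import socket
from typing import Callable, Dict, List


def read_hostnames(text: str) -> List[str]:
    """Parse a dnslookup file: one hostname per line, '#' comments and blanks ignored."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            names.append(line)
    return names


def resolve_hosts(hostnames: List[str], family: int = socket.AF_INET) -> Dict[str, List[str]]:
    """Real resolver: every address getaddrinfo returns for each name (IPv4 by default)."""
    out: Dict[str, List[str]] = {}
    for name in hostnames:
        addrs = {info[4][0] for info in socket.getaddrinfo(name, None, family)}
        out[name] = sorted(addrs)
    return out


def choose_timeout(max_ttl_seconds: int, multiplier: int = 4, floor_seconds: int = 3600) -> int:
    """Entry timeout 'considerably longer' than the TTL, as the announcement advises.

    Short-TTL round-robin records only return a few of their addresses per query;
    a timeout of several TTLs (never below an hour here) lets repeated cron runs
    accumulate the full set while addresses that stop resolving still expire.
    """
    return max(max_ttl_seconds * multiplier, floor_seconds)


def build_ipset_batch(setname: str, resolved: Dict[str, List[str]],
                      timeout: int, family: str = "inet") -> str:
    """Return `ipset restore` input creating the set and adding each address.

    '-exist' makes create/add idempotent across cron runs; re-adding an entry
    refreshes its timeout, so a still-resolving address never ages out while an
    address that disappears from DNS expires after `timeout` seconds.
    """
    if family not in ("inet", "inet6"):
        raise ValueError(f"unknown family {family!r}")
    lines = [f"create {setname} hash:ip family {family} timeout {timeout} -exist"]
    for name in sorted(resolved):
        for addr in resolved[name]:
            ip = ipaddress.ip_address(addr)  # rejects garbage from a misbehaving resolver
            if (ip.version == 4) != (family == "inet"):
                raise ValueError(f"{name} -> {addr} does not match family {family}")
            lines.append(f"add {setname} {ip} timeout {timeout} -exist")
    return "\n".join(lines) + "\n"


# Constructed sample data standing in for real DNS answers (documentation ranges).
DEMO_DNSLOOKUP_FILE = """# /etc/shorewall/letsencrypt.dnslookup (constructed copy)
outbound1.letsencrypt.org
outbound2.letsencrypt.org
"""
DEMO_RESOLVER_ANSWERS = {
    "outbound1.letsencrypt.org": ["192.0.2.10", "192.0.2.11"],
    "outbound2.letsencrypt.org": ["198.51.100.7"],
}


def demo_resolver(hostnames: List[str], family: int = socket.AF_INET) -> Dict[str, List[str]]:
    """Offline stand-in for resolve_hosts() using the constructed answers above."""
    return {name: DEMO_RESOLVER_ANSWERS.get(name, []) for name in hostnames}


def make_batch(dnslookup_text: str, setname: str, max_ttl: int,
               resolver: Callable[..., Dict[str, List[str]]] = resolve_hosts) -> str:
    """End-to-end: file -> names -> addresses -> `ipset restore` batch."""
    names = read_hostnames(dnslookup_text)
    return build_ipset_batch(setname, resolver(names), choose_timeout(max_ttl))


if __name__ == "__main__":
    # Swap demo_resolver for resolve_hosts to query real DNS; pipe the result to
    # `ipset restore` as root, then reference the set from the firewall rule.
    print(make_batch(DEMO_DNSLOOKUP_FILE, "letsencrypt", max_ttl=300,
                     resolver=demo_resolver), end="")
```

Run from cron in place of the PHP program it would look like `make_batch(...) | ipset restore`; the set name passed in must match the one the Shorewall ACCEPT rule references, and a separate `inet6` set is needed if the server is also reachable over IPv6.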