Ben, you're correct ... it would be silly to block China on a commercial server doing business with China. Those machines probably require a secure architecture most of us light-weight users can't support.

It may make sense for small, limited users machines, but what about servers that are intentionally advertising ssh for its users globally, so can't use port knocking, can't block all of korea (as some users definitely connect from there) and so on...

Once again, censorship is silly but it works. There is something ironic about censoring a country that censors their Internet.

Seems to me blocking large chunks of the net because they're a pain is a short term solution that's going to cause long term pain for the internet at large if it's allowed to become standard practice...

Shouldn't this list focus on the general, base level security rather than specific work-arounds for these types of issues that don't apply to a lot of boxen?

2c out.

Ben

Dave Strydom wrote:
> I think there is an easier way of doing this...
>
> Why not use the GEOIP IPTABLES patch and then just use this in your
> firewall:
>
> -----------------------------------------------------------------------------------------
> $IPTABLES -A INPUT -p tcp -m geoip --src-cc CN -j DROP
> $IPTABLES -A INPUT -p tcp -m geoip --src-cc KR -j DROP
> $IPTABLES -A INPUT -p tcp -m geoip --src-cc TW -j DROP
> $IPTABLES -A INPUT -p tcp -m geoip --src-cc HK -j DROP
> -----------------------------------------------------------------------------------------
>
> This way you have 4 simple rules which do the work of that entire script.
>
>
> On 10/10/05, *Taka John Brunkhorst* <[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>> wrote:
>
> nice but why do we need to block them?
> ssh worms? or just lamers?
>
> --
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> Taka John Brunkhorst
