That's right, we just want to restrict admin access to a few of our egress addresses which get exposed to the internet from inside the company or VPN.
I'm not convinced that IP spoofing is "dead simple" and most people would not know which address(es) they needed to spoof anyway. This would prevent a casual attacker from attempting. I will take a look at Rack::Attack Thanks, Steve On Tuesday, 6 December 2016 13:01:39 UTC, Jason FB wrote: > > I'm sorry you are right... I had meant Rack::Attack not Rack::Timeout, I > confused the two in my head. You are right I was referring to Rack::Attack > > If a known administrator has a fixed IP address, I disagree that "IP based > security generally adds no real world actual security" > > Perhaps you are saying this in the context of *IP blocking*, which I > agree offers little help in a world where it is easy for someone to switch > IPs after they are blacklisted. > > However, the original question was to whitelist (not blacklist) an *known > IP* address for a *known user*. This seems like a highly appropriate > security whitelisting strategy and is widely used across the internet. > > (Blacklisting bad actors, on the other hand, is indeed a cat & mouse game > that probably won't work out too well.) > > > > > On Dec 6, 2016, at 7:28 AM, Neil Middleton <ne...@neilmiddleton.com > <javascript:>> wrote: > > Sorry - but this is incorrect. > > Rack-timeout only ensures that requests that are hitting a predefined > service time are killed off rather than being allowed to run on consuming > resources. At the very minimum Rack Timeout should be installed with a > setting of 30s, the same time that the Heroku router will kill a request > with an H12 error. > > If you're wanting any sort of DDoS protection and so on, then Rack::Attack > is the one to go for. > > However, like I said earlier - IP based security generally adds no real > world actual security. > > > ---- > > Jason Fleetwood-Boldt > te...@datatravels.com <javascript:> > http://www.jasonfleetwoodboldt.com/writing > > If you'd like to reply by encrypted email you can find my public key on > jasonfleetwoodboldt.com (more about setting GPG: https://gpgtools.org) > > -- -- You received this message because you are subscribed to the Google Groups "Heroku" group. To unsubscribe from this group, send email to heroku+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/heroku?hl=en_US?hl=en --- You received this message because you are subscribed to the Google Groups "Heroku Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to heroku+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.