Internet networking
Hello All.
Today's questions are all about networking. What should I know about networking in order to be a better server admin?
What are important ports I need to know about other than 80 for http and 443 for https?
Best way to block IPs which are creating a lot of trouble for you, and how do you recognize that you are being attacked?
Comments
Not all web traffic is TCP. QUIC exists.
It might be worth checking systems what ports are in use for what - just as an exercise. Also a good idea to do regularly to see if it all seems sane and something hasn't crept in there that shouldn't be.
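As an added example (not from the thread), this is one way to turn that "see what ports are in use" exercise into a check you can run from cron: feed `ss -tulnH` output (recent iproute2, `-H` drops the header) through an awk filter that ignores loopback-only sockets and prints every proto/port not on an allowlist. The `ss` sample and the `EXPECTED` list are constructed for a plain web host with ssh; adjust them for your box.

```shell
#!/bin/sh
# Flag listening sockets that are not on an allowlist.
# Input format is `ss -tulnH`: Netid State Recv-Q Send-Q Local Peer.

# Constructed sample of `ss -tulnH` output (not captured from a real host).
sample_ss() {
    cat <<'EOF'
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 511 0.0.0.0:80      0.0.0.0:*
tcp   LISTEN 0 511 *:443           *:*
udp   UNCONN 0 0   0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:3306  0.0.0.0:*
tcp   LISTEN 0 128 [::1]:25        [::]:*
tcp   LISTEN 0 128 0.0.0.0:4444    0.0.0.0:*
EOF
}

# proto/port pairs that should be reachable from the network.
# Assumption: ssh, http, https and QUIC (udp/443); edit for your own host.
EXPECTED="tcp/22 tcp/80 tcp/443 udp/443"

# unexpected_listeners: reads ss lines on stdin, prints proto/port for every
# socket bound to a non-loopback address that is not in EXPECTED.
unexpected_listeners() {
    awk -v expected="$EXPECTED" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    NF >= 5 {
        proto = $1; local = $5
        port = local; sub(/.*:/, "", port)         # text after the last colon
        addr = local; sub(/:[^:]*$/, "", addr)     # everything before it
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not exposed
        key = proto "/" port
        if (!(key in ok)) print key
    }'
}

# On a real host:  ss -tulnH | unexpected_listeners
# With the constructed sample this prints only tcp/4444 (the 3306 and 25
# listeners are loopback-bound and so are not reported).
sample_ss | unexpected_listeners
```

Run it from cron and mail yourself anything it prints; an empty result means nothing has crept in since you last looked. The MySQL socket bound to 127.0.0.1 is deliberately not reported: a listener that is only reachable locally is not what this check is about.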
Small hint on tcpdump: Maybe start with iftop first and be prepared to use filters.
I run sockstat here.
look at /etc/services
Interesting, never heard of that before. Going to try it and see if I like it better than my netstat -antpu alias.
FreeBSD
Yeah, I read the manpage. Guess I was too clueless in my FreeBSD days (<=3.9?) to notice it. Seems it's available for Linux too by now.
Fail2ban is your friend, use it. Depending on your Linux distribution you want to use iptables or firewalld to lock everything down but the ports you need. Change the ssh default port. It's not going to stop anything but it's a good practice. Use a geoip list to block all countries you don't want traffic from. That's a good start.
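To make concrete what fail2ban's sshd jail actually does, here is the core of it as plain awk: count "Failed password" lines per source address and emit a DROP rule for every address at or above a threshold (fail2ban's `maxretry`). This is an added example, not fail2ban's own code, the log lines are constructed with documentation addresses, and the `findtime` window that fail2ban also applies is left out to keep it short.

```shell
#!/bin/sh
# Minimal fail2ban-style brute-force detection over sshd log lines.

# Constructed sample of /var/log/auth.log lines (not from a real host).
sample_authlog() {
    cat <<'EOF'
Mar  3 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:02 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar  3 10:00:03 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar  3 10:00:04 vps sshd[1202]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2
Mar  3 10:00:05 vps sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51125 ssh2
Mar  3 10:00:06 vps sshd[1204]: Failed password for alice from 198.51.100.5 port 40023 ssh2
Mar  3 10:00:07 vps sshd[1205]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar  3 10:00:08 vps sshd[1206]: Failed password for invalid user oracle from 192.0.2.33 port 60001 ssh2
Mar  3 10:00:09 vps sshd[1206]: Failed password for invalid user oracle from 192.0.2.33 port 60002 ssh2
EOF
}

# brute_force_sources MAXRETRY: reads sshd log lines on stdin and prints
# "count ip" for every source with at least MAXRETRY failed logins,
# most failures first. Default threshold 5, like fail2ban's maxretry.
brute_force_sources() {
    maxretry=${1:-5}
    awk -v max="$maxretry" '
    /sshd\[[0-9]+\]: Failed password for/ {
        # the address always follows the word "from", whatever the user part looks like
        for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }' | sort -rn
}

# ban_commands: turns "count ip" lines into the rule a ban action would add.
# Printed rather than executed so you can read them first; on a real host you
# would pipe the output to sh as root (or let fail2ban run its action).
ban_commands() {
    while read -r count ip; do
        printf 'iptables -I INPUT -s %s -j DROP  # %s failed logins\n' "$ip" "$count"
    done
}

# With the sample, only 203.0.113.7 (5 failures) crosses the default threshold;
# alice's single typo from 198.51.100.5 does not.
sample_authlog | brute_force_sources 5 | ban_commands
```

The real jail adds two things you should keep in mind when you tune `jail.local`: `findtime` (only failures inside that window count, so a slow scanner needs a longer window) and `bantime` (the rule is removed again later, which is why fail2ban keeps its own chain rather than inserting straight into INPUT as the example does).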
Blocking by country is a bad idea in my opinion. In most cases it will not do anything useful and if the idea is to have people reach your site the concept is just wrong.
If you want to block out people start dropping chinanet netblocks, this will stop 90% of all bad traffic to your server
I prefer sshguard but I guess it's a matter of taste.
This should be obvious but that doesn't make it less true.
Agreed. Doesn't really add any security but keeping the logs clean from the millions of login attempts by braindead bots trying root with password test123 is well worth it.
Wouldn't do that but I am curious about how many ranges does for example China have and how do you keep them updated? I can't help but imagine a giant ipset with questionable performance and a lot of time spent on keeping it current.
Don't think so. Sure chinanet isn't exactly abuse free but I have shit coming from so many other sources I don't see how blocking them would amount to a 90% decrease of bad traffic. If I had to guess I'd rather put them in the low to middle single digit percent range.
Hm maybe I can delist them then. A while ago they were surely number 1 of all evil
Well, they are huge and quite ignorant to pretty much anything, I'll give you that. I'm curious in what regard they stuck out that much though. Web related or ssh brute force maybe?
China is one of the worst offenders, alongside Russia & Vietnam. Been getting a bunch from Argentina as well as of late.
Ah, I see. I've been moving sshd away from port 22 for like forever which drops brute force attempts to literally zero. Guess that's why they don't show up on my radar that much.
SSH Scans and similar things, nothing scary but annoying
Fail2ban is more versatile. It can scan any logs not just ssh and respond accordingly.
https://dev.maxmind.com/geoip/geoip2/geolite2/
Set a cron job to update the locally cached database monthly (when they get updated. Believe it's the first Tuesday of each month. So day 10 of each month should keep it up to date)
If you don't need traffic from there then don't use it. You can do a whitelist. Block everything except the States for example.
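On the "giant ipset with questionable performance" worry raised above: the cost is not in the lookup, it is in how you load it. A `hash:net` set is looked up by hashing, so one `--match-set` rule stays cheap with tens of thousands of prefixes, whereas thousands of individual iptables rules are walked linearly for every packet. The part that bites is reloading a big set while traffic flows. This added example (not from the thread or from MaxMind) turns a CIDR list, which you would export from the GeoIP database in your cron job, into an `ipset restore` script that builds a fresh set and swaps it in atomically, filtering out junk lines first so a broken download cannot half-load the set. The CIDR list is constructed from documentation prefixes; the set name `geo_block` is an assumption.

```shell
#!/bin/sh
# Build an ipset restore script from a CIDR list, with an atomic swap.

# Constructed stand-in for one country's exported netblocks (documentation
# prefixes, not real country ranges), including the sort of junk a failed
# download or a commented export can contain.
sample_cidrs() {
    cat <<'EOF'
203.0.113.0/24
198.51.100.0/25
# comment lines and junk must not end up in the set
not-an-address
192.0.2.0/24
EOF
}

# ipset_restore_script SETNAME: reads CIDRs on stdin, prints `ipset restore`
# input that (1) makes sure SETNAME exists, (2) fills SETNAME_tmp, (3) swaps
# the two so the live set is never partially loaded, (4) drops the old one.
ipset_restore_script() {
    set_name=$1
    tmp_set="${set_name}_tmp"
    printf 'create %s hash:net family inet\n' "$set_name"
    printf 'create %s hash:net family inet\n' "$tmp_set"
    # cheap sanity filter: dotted quad with optional prefix length, nothing else
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' |
        while read -r cidr; do printf 'add %s %s\n' "$tmp_set" "$cidr"; done
    printf 'swap %s %s\n' "$tmp_set" "$set_name"
    printf 'destroy %s\n' "$tmp_set"
}

# Intended use on a real host (as root), run monthly from the same cron job
# that refreshes the database:
#   export_country_cidrs | ipset_restore_script geo_block | ipset restore -exist
# and one rule, added once, that consults the set:
#   iptables -I INPUT -m set --match-set geo_block src -j DROP
# Here we only print the restore script built from the constructed list.
sample_cidrs | ipset_restore_script geo_block
```

`ipset restore -exist` makes the first `create` a no-op when the live set already exists, which is what lets the same script serve both the first run and every later refresh. If a previous run died between `swap` and `destroy`, the leftover `_tmp` set will make the next `create` fail; destroy it by hand before rerunning.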
You've obviously never used SSHguard. It can do everything fail2ban does, and you don't have to have Python installed on the system. That footprint makes quite a difference when you're on a small VPS.
Good looking out. I was just going based on the name. I'll have to check it out. Been using fail2ban for so long haven't considered alternatives.
Many people do, and that's why I decided to correct you on this misnomer. When you're used to fail2ban, it's a little change, but not so much as to be difficult. It's quite useful, especially with those small VPS I mentioned prior.
Most people use it for ssh/mail/web blocking. There are some other exotic uses discussed on its main page somewhere, but that's all I've needed it for.
Sure but how do you get it into iptables?
I don't plan on blocking by country. This site is to demonstrate projects I make, blog, and sell not cheap services if they can speak at least understandable English.
So you can't do much about someone attacking your site until they get bored or something?
Thanks for recommendations.
Although some people think it is (out of sight out of mind), a lot of blocking is not really about security, but rather just about making the log files smaller.
For one, blocking is always less resource intensive. Given the amount of automated attacks, this improves system performance, if nothing else.
And it is about security: blocking unused ports denies hackers access to parts of the system that might be open to an exploit.
It's like privacy: you may not have anything to hide, but that does not mean that you should leave yourself open to scrutiny, if you can help it. Denial of information, what's inside, is always a very prudent and inexpensive security measure.
Doesn't mean you shouldn't have other surprises handy behind the wall
I've never had a compromised server, so perhaps I'm more ignorant of how these hacks work. There's not that much to be gained by compromising a low end system anyway so I don't expect anything really sophisticated. The situations (eg government departments and banks) where it does matter seem to be compromised by something more elaborate than a bot, such as social engineering.
Edit to add, that I didn't mean to refer to blocking ports as you suggested. I was referring specifically to blocking country level IP ranges.
On this, I totally agree! I don't see any good in blocking country ranges if you're already blocking unused ports and have changed ssh port. I mean, that's already blocking unwanted traffic from all countries' IP ranges in a nice clean sweep
Country level blocking makes sense only very selectively when you need to deny access to open services (like http) for some reason.
first: repent
second: subscribe to elithecomputerguy, get some lotion, and enjoy his yt videos
third: watch linustechtips, and eat some tide pods
this is how millennials learn nowadays, it's a new modernization technique that's amazing. try it. although, you can just use the contact form for ipxcore and ask them your questions, they do help a lot. same for udemy, jarland, anthony and others.
honestly, if i were you, just post your questions on the forums. if you run into any problems
hope that helps!
I know you can but I've only used it for http/s geo ip blocking. You can do that with both apache htaccess and nginx config files. Just redirects the non allowed country user to the url of your choice. 301 redirect basically.