20.7 Legacy Series / Re: Would anyone want to help me with assessing my ip blocklist?
« on: October 05, 2020, 10:11:44 pm »

> I see your point, but that is something IDS/IPS is for (in fact it works exactly like AV and blocks not only known malicious IPs, but also IPs which are trying to exploit certain well and less well known vulnerabilities, something that IP blocking does not do.)
> If you insist on having an IP block list and are hosting your servers on LINUX, you can install Fail2ban which does exactly that, blocks IPs which try too many times to login, you just have to configure it right; in fact I think there is a way to install Fail2Ban on OPNsense itself.
Indeed this is also true, however I found that with only IDS (Suricata) and Fail2ban, which I was already using, too little was being caught and quite a bit was slipping through. I tried many things to improve it, but ultimately what I was finding is that the bots/automated attacks used separate IPs to scan your network, then used this information to target what they found with different IPs based on what their results found. This meant that the setup with Fail2ban and IDS was only 80% or so effective, in some cases less. As I want 99% effectiveness this was not acceptable to me, and this method of a blocklist as an additional layer is the only thing I have so far that is getting me close to the 99% I desire. The other 1% I am able to review in the logs manually each day (as there are not thousands of IPs passing in the logs anymore, i.e. they are not flooded with attacks) and assess easily in a matter of minutes. Keeping the logs mostly clear in this way makes this task quite manageable.
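The gap the reply describes (per-source thresholds such as Fail2ban's maxretry miss sources that each stay under the limit, and a static blocklist catches some of what remains) can be seen on a handful of log lines. The script below is an added illustration, not code from this thread or from Fail2ban/OPNsense; the sshd-style log lines, the IPs and the blocklist are constructed, and the threshold logic is a simplification of Fail2ban's per-IP counting.

```python
import re
from collections import Counter

# Constructed sshd-style log lines (not real traffic): one source hammers the
# login and trips the per-IP threshold, three others share the work and each
# stay under it, one successful login is normal traffic.
SAMPLE_LOG = """\
Oct  5 21:01:02 gw sshd[1]: Failed password for root from 203.0.113.10 port 4001 ssh2
Oct  5 21:01:03 gw sshd[1]: Failed password for root from 203.0.113.10 port 4002 ssh2
Oct  5 21:01:04 gw sshd[1]: Failed password for root from 203.0.113.10 port 4003 ssh2
Oct  5 21:02:10 gw sshd[1]: Failed password for admin from 198.51.100.7 port 5000 ssh2
Oct  5 21:03:11 gw sshd[1]: Failed password for admin from 198.51.100.8 port 5001 ssh2
Oct  5 21:04:12 gw sshd[1]: Failed password for admin from 198.51.100.9 port 5002 ssh2
Oct  5 21:05:00 gw sshd[1]: Accepted publickey for ops from 192.0.2.50 port 6000 ssh2
"""
FAILED_RE = re.compile(r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")


def failed_sources(lines):
    """Source IP of every failed-login line, in log order."""
    ips = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            ips.append(m.group(1))
    return ips


def threshold_bans(lines, maxretry=3):
    """Simplified Fail2ban behaviour: ban an IP once it alone reaches maxretry failures."""
    counts = Counter(failed_sources(lines))
    return {ip for ip, n in counts.items() if n >= maxretry}


def layered(lines, blocklist, maxretry=3):
    """Threshold bans plus a static blocklist (constructed here); whatever is
    still unattributed is what would be left for the daily manual review."""
    banned = threshold_bans(lines, maxretry)
    review = {ip for ip in failed_sources(lines) if ip not in banned and ip not in blocklist}
    return banned, sorted(review)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("threshold alone bans:", threshold_bans(lines))
    print("threshold + blocklist leaves for review:", layered(lines, {"198.51.100.7"})[1])
```

With the threshold alone, only 203.0.113.10 is banned; the three low-rate sources pass, and a blocklist entry removes one of them, leaving two addresses for manual review.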