On Sun, 14 Aug 2022 16:07:03 +0200 Matthias Böttcher <matthias.boettc...@gmail.com> wrote:
> On Sun, 14 Aug 2022 at 09:51, Reco
> <recovery...@enotuniq.net> wrote:
> >
> > Personally I don't use fail2ban for sshd. Because why bother with
> > userspace (written in python too, yuck) if the kernel does the same
> > job? I.e. block M$ AS, China Telecom AS and maybe add Eastern
> > Europe to the mix, and you've just reduced the number of offending
> > logins by two orders of magnitude.
>
> Hi Reco,
>
> how do I block these ip ranges?
> Which source can I use to determine the geo location of ip addresses?

https://geotargetly.com/ip-geolocation-databases

> Is there a Debian packet?
>

Synaptic turns up 'location'. I've never used it, so I know nothing
about it.

Banning countries by IP address was a non-starter ten years ago. You
wouldn't believe how fragmented the address space has become, as CIDR
blocks originally allocated to one country are found to be under-used
and parts get allocated to other countries.

If your only concern is cleaner logs, then run your ssh server on a
different port. I've done that for over twenty years and have no
problems with clogged logs or bots trying brute-force password attacks.
I'm on keys, anyway.

Most Internet routers can let in packets bound for any port, and
rewrite them as going to port 22 on the ssh server. Alternatively, sshd
can use any port.

Disclaimer: I'm well aware that this strategy *provides* *no*
*additional* *security*, but it seems to discourage break-in attempts.
I don't expect it to keep the CIA out. This disclaimer was added for
the benefit of... well, you know who you are.

-- 
Joe
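An added example, not part of the message above: a shell function that reads the output of `sshd -T` and checks the settings the reply relies on, key-only logins, while treating the listening port purely as a log-noise matter. The function name `audit_sshd` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit effective sshd settings from `sshd -T` output,
# which prints one lowercase "keyword value" pair per line.

audit_sshd() {
    awk '
        $1 == "port" { ports = ports " " $2; if ($2 == 22) on22 = 1 }
        $1 == "passwordauthentication" { pw = $2 }
        # Older OpenSSH releases print challengeresponseauthentication.
        $1 == "kbdinteractiveauthentication" ||
        $1 == "challengeresponseauthentication" { kbd = $2 }
        $1 == "pubkeyauthentication" { pk = $2 }
        END {
            rc = 0
            # Anything other than an explicit "no" counts as enabled.
            if (pw != "no")  { print "FAIL password logins are enabled"; rc = 1 }
            # With PAM, keyboard-interactive can still prompt for a password.
            if (kbd != "no") { print "FAIL keyboard-interactive logins are enabled"; rc = 1 }
            if (pk != "yes") { print "FAIL public-key logins are disabled"; rc = 1 }
            # The port never changes the verdict, only the amount of log noise.
            if (on22) print "NOTE listening on 22: expect bot noise in the logs"
            else print "NOTE listening on" ports ": quieter logs, same security"
            exit rc
        }'
}

# Constructed samples of `sshd -T` output (not taken from a real host).
SAMPLE_MOVED_PORT_PASSWORDS_ON='port 2222
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes'

SAMPLE_KEYS_ONLY_PORT_22='port 22
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

# Moving the port alone still fails the audit; keys-only on port 22 passes.
printf '%s\n' "$SAMPLE_MOVED_PORT_PASSWORDS_ON" | audit_sshd || true
printf '%s\n' "$SAMPLE_KEYS_ONLY_PORT_22" | audit_sshd || true

# On a real host, as root:  sshd -T | audit_sshd
```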