[CentOS] [OT] odd network question

Tue Aug 6 07:39:28 UTC 2019
Giles Coochey <giles at coochey.net>

On 06/08/2019 00:12, Jon LaBadie wrote:
> On Mon, Aug 05, 2019 at 09:31:56AM +0100, Giles Coochey wrote:
>> On 05/08/2019 09:18, Pete Biggs wrote:
>>>> I've found the default 10min bans hardly bother some attackers.
>>>> So I've added the "recidive" feature of fail2ban.  After the
>>>> second 10min ban, the attacker is blocked for 1 week.
>>>>
>>> Oh definitely. My systems are set to "3 bans and you're out" - a
>>> recidive ban is permanent after three other bans.  I have large parts
>>> of some subnets in my ban list as attackers just move from one host to
>>> another as they get banned.
>>>
>>> P.
>>>
>> I worked for a company some time back that had an association with a South
>> African company who wanted to host some infrastructure in our data centre,
>> the network admin there wanted a specific configuration for outbound source
>> NAT from a certain host that would scroll through a list of source NAT IP
>> addresses (think a whole /24) for every connection attempt, pretty sure it
>> was for sending unsolicited emails, in any case the association with that
>> company didn't last and I took redundancy after less than a year there.
> Now that would be a single firewall rule and a kernel ipset.
>
Well, yes - I had a conversation with the guy, and he always had an 
answer, "oh if that happens I can do this", he said that with real pride 
- a real slippery lizard in my opinion and at the back of my head was, 
"maybe the people you're sending emails to just don't want to receive 
them! And that's why you're jumping through these countless hoops, if 
you actually had proper opt-in, with a working opt-out per default you 
might not need this awful hack", there are companies out there 
specifically selling IP addresses with good reputations to companies who 
ruin that IP range's reputation, once the reputation has been ruined I
guess they get discarded, sold on to another company who only then finds 
out that they can't run a mail server on that range because it's been
added to every blocklist on the planet.