
Abuse Desks

That you have some ACLs that whack low-hanging fruit doesn't negate the fact that you can't block the untrusted Internet accessing an intentionally publicly accessible port. 

It's all just a distraction from the fact that *SOME* services *MUST* remain available to the general public and those services are subject to abuse. 

As long as there are things that must be available to the general public (likely forever), there needs to be an abuse reporting process that works. 

Mike Hammett 
Intelligent Computing Solutions 


----- Original Message -----

From: "Stephen Satchell" <list at satchell.net> 
To: nanog at nanog.org 
Sent: Wednesday, April 29, 2020 12:35:20 PM 
Subject: Re: Abuse Desks 

On 4/29/20 9:57 AM, Mike Hammett wrote: 
> My routers have ACLs, but my servers for the most part do not. 

I'm not trying to argue, but...what servers do you have that don't have 
sysadmin-definable firewalls and tunable knobs? My edge routers are 
Linux boxes (CentOS 8 for the one I'm now building). Moreover, I can 
have NetworkManager fire off a script that modifies the firewall 
settings as interfaces go up and down. 

> It's kind of counter productive to put ACLs on SMTP, POP3, IMAP, and 
> HTTP/S ports, now isn't it? SIP, FTP, and SSH may or may not make 
> sense, depending on the type and volume of users. 

I was taught by my networking betters that you need to block certain 
types of public inbound packets, always, that match any of: 

1. WAN packets with local/LAN source address 
2. WAN packets with local/LAN broadcast/net src-dst address 
3. WAN packets with known broadcast/net src-dst address 
4. WAN packets with local/LAN small services 
5. WAN packets with local/LAN unimplemented services 
6. WAN packets with blackholed source address 

On EVERY device with a public IP address. WITHOUT FAIL. 

I have these blocks on every single public-facing mail server I build. 
I have these blocks on every single public-facing Web server I build. 
Indeed, I can't fathom why I would *not* have these in place for every 
single public-facing device. I don't necessarily log every occurrence, 
but I do drop matching packets on the floor, unceremoniously. 

This is the foundation upon which I build custom additions, such as 
allowing 22/tcp only from specific IP addresses. 

I don't depend on the edge router to catch all the cases, because each 
server has specific services it provides. So, for example, my DNS 
servers not only implement all six basics, but also incorporate request 
rate limiting, to avoid participating in DDoS events. Ditto NTP 
servers. 80/tcp and 443/tcp? Dropped on the floor. 

Sorry to preach, but I'm in the process of building an nftables-based 
firewall and this happens to be part of the specs for it. 
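
For readers who want to see what the six "always block" classes above look like as an nftables ruleset, here is an added example (editor's illustration, not Stephen Satchell's actual firewall spec or any ruleset posted in the thread). It is written for a single public-facing server (inet table, input hook only; a router would need a matching forward chain). Everything concrete in it is an assumption: the WAN interface name "eth0", the LAN prefix 192.0.2.0/24 and the management hosts 198.51.100.10/.11 are documentation-range placeholders, and the blackhole set is left empty for you to feed from your own source.

```nft
#!/usr/sbin/nft -f
# Added example: the six "always block" classes from the thread, plus the
# 22/tcp allow-list and DNS request rate limiting mentioned as custom additions.
# All addresses and interface names below are assumptions (documentation ranges).

flush ruleset

table inet edge {
    # Classes 1 and 6: source addresses that must never arrive on the WAN side.
    # Our own LAN prefix (spoofed), RFC 1918 and other bogon space, loopback,
    # and multicast/reserved space (224.0.0.0/3 also covers 255.255.255.255).
    set bogon_src {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8,
                     169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24,
                     192.0.2.0/24,
                     192.168.0.0/16, 198.18.0.0/15, 224.0.0.0/3 }
    }

    # Class 6: blackholed sources. Empty here; populate at runtime, e.g.
    #   nft add element inet edge blackhole_src { 203.0.113.0/24 }
    set blackhole_src {
        type ipv4_addr
        flags interval
    }

    # Hosts allowed to reach 22/tcp (assumption: two management hosts).
    set mgmt_hosts {
        type ipv4_addr
        elements = { 198.51.100.10, 198.51.100.11 }
    }

    # Class 4: the classic "small services" (echo, discard, daytime,
    # qotd, chargen, time) on both transports.
    set small_services {
        type inet_service
        elements = { 7, 9, 13, 17, 19, 37 }
    }

    chain input {
        # Class 5: anything not explicitly accepted (unimplemented services,
        # including 80/tcp and 443/tcp on this DNS host) hits the drop policy.
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Classes 1 and 6: spoofed LAN, bogon and blackholed sources on the WAN.
        iifname "eth0" ip saddr @bogon_src drop
        iifname "eth0" ip saddr @blackhole_src drop
        # Reverse-path check: drop if the source is not routable back out the
        # interface it came in on (catches spoofing the static sets miss).
        iifname "eth0" fib saddr . iif oif missing drop

        # Classes 2 and 3: packets to/from broadcast or network addresses.
        iifname "eth0" fib daddr type broadcast drop
        iifname "eth0" ip daddr 192.0.2.0 drop          # LAN network address (assumption)
        iifname "eth0" ip daddr 192.0.2.255 drop        # LAN broadcast address (assumption)
        iifname "eth0" ip saddr 255.255.255.255 drop

        # Class 4: small services on both transports.
        iifname "eth0" tcp dport @small_services drop
        iifname "eth0" udp dport @small_services drop

        # Custom additions on top of the foundation.
        # 22/tcp only from the management hosts.
        iifname "eth0" tcp dport 22 ip saddr @mgmt_hosts accept
        # DNS: per-source request rate limit so this server cannot be used as
        # an amplifier; sources exceeding the rate are dropped, the rest accepted.
        iifname "eth0" udp dport 53 meter dns_clients { ip saddr limit rate over 20/second } drop
        iifname "eth0" udp dport 53 accept
        iifname "eth0" tcp dport 53 accept

        # Count what falls through to the drop policy without logging each hit.
        counter comment "dropped by default policy"
    }
}
```

Syntax-check it with `nft -c -f edge.nft` before loading with `nft -f edge.nft`. The rate and the 20/second figure are placeholders to tune against the real query volume; the point of the `meter` rule is that the limit is tracked per source address rather than for the service as a whole, so one reflector's victim being spoofed does not cut off every other resolver client.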
