[arm-allstar] Selective IP Blocking

Jason cturning1 at gmail.com
Sat Feb 17 11:02:25 EST 2024


I run Fail2Ban
<https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-20-04>
on a Pi 4 with SSH port open to the internet, and it's only resource
intensive on reboot as it goes through log files and gets set up. Watching
BTOP <https://github.com/aristocratos/btop> it's barely pulling resources
afterward. I also run it on a couple of cloud servers without noticing much
use other than reboots for new kernels. The nice thing about Fail2Ban is
that it supports not just SSH but other services, and you can add custom
services as well. And it only puts IPs in jails for a limited time, so your
iptables doesn't get too unwieldy.

Another easy option is to use WireGuard VPN <https://www.wireguard.com/>
(or OpenVPN), then connect in to the local network and you can SSH or
access other services on the local network without exposing them to the
outside. WireGuard is built into the kernel and very efficient, as my backup
WireGuard server is just a Pi Zero 2W Pi-hole <https://pi-hole.net/>
server. Consequently, PiVPN <https://www.pivpn.io/> makes setting this up
easy on a Debian-based distro, and many routers support VPNs as long as they
get security updates regularly, like MikroTik
<https://jasonsblog.ddns.net/index.php/2023/07/28/why-not-mikrotik/> or
Ubiquiti... otherwise I'd run the software on a Pi or machine that does
get regular updates.

You can also use SSH keys and disable password logins
<https://raspibolt.org/guide/raspberry-pi/security.html>, so no one is
getting in without the key (but make sure it's working properly before
disabling password logins or you can get locked out, and you need to upload
keys from all the machines you might want to use).

Another tip for easily dealing with iptables or nftables: use the
Uncomplicated Firewall (UFW)
<https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04>,
which acts as a friendly front end. Here you can easily open ports or block
specific IPs.

73
Jason - WY7JT

On Fri, Feb 16, 2024 at 11:08 PM David McGough via ARM-allstar <
arm-allstar at hamvoip.org> wrote:

>
> I recommend NOT using fail2ban for an embedded device.  While this package
> works well on bigger servers, it can be very resource intensive!!
>
> ...And, I know this because I use fail2ban extensively on big systems.
>
> 73, David K4FXC
>
>


More information about the ARM-allstar mailing list