Comment on Any recommendations of countries to block from server logins?
jozza@lemmy.world 1 year ago
The advice I’ve read (and implemented myself) is to not so much run a block list, but an allow list. So first things first, have a rule to block all connections, then have overriding rules to allow connections using criteria you would deem safe. If you know someone needs to access the server from the UK, include the UK on the allow list. Everything else can remain locked down until you have a reason to open it up to another country.
Shdwdrgn@mander.xyz 1 year ago
That’s pretty much the way a firewall works, but I’m not sure it’s quite so practical for email. When you get into something like cell phone access, the IPs can be all over the place. I’ve certainly seen enough attempts from addresses of my own cell provider. I’ve even seen fail2ban block IPs from my local city ISP, so it’s really difficult just blacklist everything and not expect there to be nearly immediate problems for those of us who have legitimate access. This is one of the reasons I run multiple tools, between the standard blocklists to weed out spammers and public VPNs, to things like fail2ban providing more realtime protection. I look at the country blocklist as just another tool in the arsenal to try and find a balance between protecting my services but still allowing easy access where it is needed.
astraeus@programming.dev 1 year ago
They said country-based, not location-based. Your cellphone provider will probably only be using a handful of countries at most to relay traffic.