Fail2ban – DROP vs REJECT

The world will never be without monkeys scratching at our doors, but some are delayed, even deterred, by altering the default iptables policy from REJECT to DROP.

[Image: "Destroy this mad brute – Enlist", U.S. Army (1918) poster by Harry R. Hopps. Original public domain image from the Library of Congress, digitally enhanced by rawpixel.]

IMNSHO, there’s a huge difference between REJECT, which returns an error message, and DROP, where my server simply drops the packets without wasting time or resources.

The default policy of Fail2ban is REJECT, giving offending monkeys the benefit of seeing the error and catching it early. DROP silently acts like a black hole, forcing the monkey’s script to die or time out, slowing down the process along the way.

For my servers, a DROP policy will also potentially free up resources and limit network traffic.

I’ll rarely enforce a DROP policy on LAN hosts, since they are not exposed to the internet and immediate feedback is friendlier for internal users and troubleshooters.

The magic happens in /etc/fail2ban/jail.local, where the [DEFAULT] section covers the basics:

# /etc/fail2ban/jail.local
..
[DEFAULT]
..
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to
# define action_* variables.
# Can be overridden globally or per
# section within jail.local file

#banaction = iptables-multiport

banaction = iptables-multiport[blocktype=DROP]
banaction_allports = iptables-allports

If testing reveals that the policy doesn’t change (check the f2b- chains with iptables -L, or iptables -S), take a look at the individual jails further down in jail.local: the policy can be overridden for specific jails.
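As an added example (not part of the original post), here is a small POSIX shell script that does the two checks the text describes: it works out the effective blocktype per jail from a jail.local-style file, honouring per-jail banaction overrides, and it reads iptables -S style output to report which target (DROP or REJECT) each f2b- chain actually uses. Both inputs are constructed samples embedded in the script, and the function names effective_blocktype and rule_targets are my own; on a real host you would replace the sample text with the real file and the real iptables -S output.

```shell
#!/bin/sh
# Added example: verify DROP vs REJECT for fail2ban jails.
# Both samples below are constructed for this example.

# Constructed jail.local: DEFAULT uses DROP, one jail overrides it back to REJECT.
SAMPLE_JAIL_LOCAL='[DEFAULT]
#banaction = iptables-multiport
banaction = iptables-multiport[blocktype=DROP]
banaction_allports = iptables-allports

[sshd]
enabled = true

[nginx-http-auth]
enabled = true
banaction = iptables-multiport[blocktype=REJECT]
'

# Constructed "iptables -S" output for the same two jails after a ban each.
SAMPLE_IPTABLES_S='-P INPUT ACCEPT
-N f2b-nginx-http-auth
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-nginx-http-auth -s 198.51.100.23/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-nginx-http-auth -j RETURN
-A f2b-sshd -s 203.0.113.7/32 -j DROP
-A f2b-sshd -j RETURN
'

# effective_blocktype <jail>: print the blocktype that applies to <jail>.
# A per-jail banaction wins, then [DEFAULT]; fail2ban's iptables actions
# use REJECT when no blocktype is given, so that is the final fallback.
effective_blocktype() {
    jail=$1
    printf '%s\n' "$SAMPLE_JAIL_LOCAL" | awk -v want="$jail" '
        /^\[/ { sect = $0; sub(/^\[/, "", sect); sub(/\]$/, "", sect); next }
        /^[ \t]*banaction[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            type = "REJECT"
            if (match(val, /blocktype=[A-Za-z]+/))
                type = substr(val, RSTART + 10, RLENGTH - 10)   # skip "blocktype="
            bt[sect] = type
        }
        END {
            if (want in bt)           print bt[want]
            else if ("DEFAULT" in bt) print bt["DEFAULT"]
            else                      print "REJECT"
        }'
}

# rule_targets: print "<chain> <target>" for every DROP/REJECT rule in an
# f2b- chain, one line per chain/target pair, sorted. This is the check
# behind "iptables -L" in the text, done on the parseable -S form.
rule_targets() {
    printf '%s\n' "$SAMPLE_IPTABLES_S" | awk '
        $1 == "-A" && $2 ~ /^f2b-/ {
            for (i = 3; i <= NF; i++)
                if ($i == "-j" && ($(i + 1) == "DROP" || $(i + 1) == "REJECT"))
                    seen[$2 " " $(i + 1)] = 1
        }
        END { for (k in seen) print k }' | sort
}

# Usage: compare what the config says with what the firewall does.
for j in sshd nginx-http-auth; do
    printf 'config: %s -> %s\n' "$j" "$(effective_blocktype "$j")"
done
rule_targets | while read -r chain target; do
    printf 'iptables: %s -> %s\n' "$chain" "$target"
done
```

If a jail shows DROP in the config but REJECT in the chain, the usual causes are a per-jail banaction you have not spotted, or fail2ban not having been restarted since jail.local was edited, so the old chains are still in place.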
