#11824 closed task (fixed)
Integrate an IP blacklist filter into firewall on baron
Reported by: | zooey | Owned by: | haiku-web |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | Sys-Admin | Version: | |
Keywords: | | Cc: | |
Blocked By: | | Blocking: | |
Platform: | All | | |
Description
Our services receive quite a lot of unwanted traffic, most notably SPAM-waves hitting our Trac and Drupal instances. Additionally, there are a number of misbehaving web crawlers which produce unnecessary load on our http servers.
Supplementary to fighting the problem for each service individually (by using spamfilters and/or apache redirect rules), it seems like a good idea to try and get rid of at least part of that traffic by applying an IP blacklist filter at baron's firewall. This should reduce the bad traffic reaching baron and all of the VMs running on it.
ipset-blacklist looks like a promising candidate for the job.
We need to investigate how that could be integrated with the SuSEfirewall configuration script, such that the IP blacklist filter persists across reboots.
Change History (3)
comment:1 by , 6 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 6 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Our infrastructure has changed quite a bit since this was opened. All web traffic funnels through traefik which has rate-limiting built in. We're in the process of tuning this rate limit.
We could also use a WAF someday, but those are generally not cheap.
The haiku-sysadmin user no longer exists, changing to haiku-web.