Opened 5 years ago

Closed 10 months ago

#11824 closed task (fixed)

Integrate an IP blacklist filter into firewall on baron

Reported by: zooey
Owned by: haiku-web
Priority: normal
Milestone: Unscheduled
Component: Sys-Admin
Version:
Keywords:
Cc:
Blocked By:
Blocking:
Has a Patch: no
Platform: All

Description

Our services receive quite a lot of unwanted traffic, most notably SPAM-waves hitting our Trac and Drupal instances. Additionally, there are a number of misbehaving web crawlers which produce unnecessary load on our http servers.

Supplementary to fighting the problem for each service individually (by using spamfilters and/or apache redirect rules), it seems like a good idea to try and get rid of at least part of that traffic by applying an IP blacklist filter at baron's firewall. This should reduce the bad traffic reaching baron and all of the VMs running on it.

ipset-blacklist looks like a promising candidate for the job.

We need to investigate how that could be integrated with the SuSEfirewall configuration script, such that the IP blacklist filter persists across reboots.

Change History (2)

comment:1 by nielx, 13 months ago

Owner: changed from haiku-sysadmin to haiku-web
Status: changed from new to assigned

The haiku-sysadmin user no longer exists, changing to haiku-web.

comment:2 by kallisti5, 10 months ago

Resolution: fixed
Status: changed from assigned to closed

Our infrastructure has changed quite a bit since this was opened. All web traffic funnels through traefik, which has rate-limiting built in. We're in the process of tuning this rate limit.

We could also use a WAF someday, but those are generally not cheap.
