author | Jesusaves <cpntb1@ymail.com> | 2020-12-27 17:31:40 -0300 |
---|---|---|
committer | Jesusaves <cpntb1@ymail.com> | 2020-12-27 17:31:40 -0300 |
commit | ddbf494719658dbb421401f2bdc2429db0df5a2d (patch) | |
tree | 4cb7f80ddad6d8b166f4ebfb221cfd3d02809651 /README.md | |
parent | f0a170e4a61e34ff13475c4ebb4638204db9a993 (diff) | |
Disclose about automatic bans, and make score rule read from consts.py
Move the TODO about dropping already established connections from server.py
to security.py
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 21 |
1 files changed, 21 insertions, 0 deletions
@@ -56,6 +56,8 @@ Fail2Ban will block harmful clients which could otherwise DoS your server. See also their official website: https://www.fail2ban.org +Major auth failures will be sent to syslog. + The server will read (one IP per line) the files called Z-Line, G-Line and K-Line in this order during startup, and won't read them again at runtime. They will issue "bans", which causes connection to be dropped right after being 
@@ -74,12 +76,31 @@ Keep in mind that `kline` console command will write to K-Line.txt so autogenerating data for it is not advised. All bans expire when server restarts, except if they have been kline'd (or are otherwise listed on a -Line file.) +Do note it do not support zones (eg. /24) nor does it support wildcards. Invalid +lines will be stored to memory but will never trigger the ruleset. Thus the advise +for an external properly configured firewall, the built-in measures are minimal, +and just to act as a _last_ defense line against intruders - not an _only_. + Other suggestions (never tested): * [Blocklist DE](blocklist.de) - IP-Addresses who attack other servers/honeypots over SSH, FTP, IMAP, etc. * [SORBS NET](sorbs.net) - Open SOCKS proxy servers, etc * [Spamhaus ORG](spamhaus.org) - Spamhaus blacklist (spammers, open proxies) * [Proxy-List DOWNLOAD](www.proxy-list.download/) - List of SOCKS and HTTP proxies +## Automatic bans + +The server has a "score" function in security. Sending invalid packets will cause +your score to raise, and once it reaches a certain threshold, the connection will +be killed and the user IP will be banned for a short while (BAN_TIME in consts.py) + +Different errors might influence the score differently depending on the severity. +The threshold fluctuates depending if the user is logged in or not - for instance, +sending a packet while logged out will most likely trigger the ban rules. + +For this reason, server admins are advised to tweak the values to their liking. +The values are in consts.py and not in configure. Changing the score for each +invalid operation must be done at the python file of the operations specifically. + # The client The client should work out-of-the-box, but a few concerns are to be made. |
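Review bot: The added line "Major auth failures will be sent to syslog." in the first hunk (under the Fail2Ban paragraph) does not say which failures count as major, nor the syslog identifier, facility or message format. Because it sits directly after the Fail2Ban advice, an admin needs at least one sample log line to write a filter against; suggest documenting that here or naming the file that emits the message.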
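Review bot: In the second hunk, "Invalid lines will be stored to memory but will never trigger the ruleset" documents a silent failure: an admin who puts a /24 or a wildcard in a -Line file gets no ban and no indication of why. Suggest stating whether the server logs a warning for such lines at startup, and adding one if it does not, rather than only documenting the behaviour. In the new "Automatic bans" section, BAN_TIME is named without a unit and the threshold constants are not named at all, so a reader cannot tell which values in consts.py to tweak. "sending a packet while logged out will most likely trigger the ban rules" should say which packets, since as written it reads as if any packet before login is penalised. Wording: "it do not support" should be "it does not support", and "the advise" should be "the advice".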