This is a Local Service for Local People...

In a previous post about blacklisting IP ranges used by China, I stated why I feel it’s a valid approach. I think I should clarify my own actions when it comes to things like this.

Any servers that are owned and administered by me alone (Bytemark virtual machines, friends’ servers etc.) have a number of deny rules in place to drop connections to a number of important ports (SSH, SSL etc.) to reduce the attack vectors provided by the servers. These rules block connections from any IP addresses not in the UK, Brussels and a couple of other countries. If I’m going to a tech conference I’ll open the range slightly to allow remote access, but I’ll turn on stupid amounts of logging for the duration of the trip.

For work machines the rules have to be a little different. Most companies fit into one of two categories: those that have geographically dispersed teams and those that don’t. It’s worth noting that for the purpose of this post I’m only discussing admin and other important services (SSH, SSL to certain servers etc.), not web and email traffic. For those I do layer 7 filtering.

The only real difference between the two is how many allow rules you have to add. It should not be possible for Joe Random Stranger in the land of the script kiddies to even probe those services unless they are located in the same country as your admins. By adding simple, logical rules like these you reduce your exposure dramatically and increase your network’s security with pretty much no loss of functionality.
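
The policy described above can be modelled and rendered as an nftables ruleset, as in the following added example (not the rules from the original post). It assumes "SSH, SSL" means tcp/22 and tcp/443, uses RFC 5737 documentation ranges as constructed stand-ins for real per-country allocations, and all names in it are hypothetical.

```python
import ipaddress
from datetime import datetime, timezone

ADMIN_PORTS = (22, 443)  # assumption: "SSH, SSL" taken as tcp/22 and tcp/443
# Constructed sample data: RFC 5737 documentation ranges stand in for real
# per-country allocations, which would come from an RIR or GeoIP export.
HOME_RANGES = {"GB": ["192.0.2.0/24"], "BE": ["198.51.100.0/25", "198.51.100.128/25"]}
# Temporary conference range with an expiry, so it cannot be left open by accident.
TRAVEL_RANGES = [("203.0.113.0/24", datetime(2024, 6, 10, tzinfo=timezone.utc))]

def home_networks():
    """Merge adjacent or overlapping per-country CIDRs into a minimal list."""
    nets = [ipaddress.ip_network(c) for cs in HOME_RANGES.values() for c in cs]
    return list(ipaddress.collapse_addresses(nets))

def active_travel(now):
    return [ipaddress.ip_network(c) for c, expires in TRAVEL_RANGES if now < expires]

def decide(src, dport, now):
    """Verdict for a new TCP connection: accept, accept+log, drop or unfiltered."""
    if dport not in ADMIN_PORTS:
        return "unfiltered"  # web and mail are filtered at layer 7 instead
    addr = ipaddress.ip_address(src)
    if addr.version != 4:
        return "drop"  # only IPv4 ranges are allow-listed in this sketch
    if any(addr in n for n in home_networks()):
        return "accept"
    if any(addr in n for n in active_travel(now)):
        return "accept+log"
    return "drop"

def render_nft(now):
    """Emit the same policy as nftables rules: allow-list first, then drop."""
    ports = ", ".join(map(str, ADMIN_PORTS))
    home = ", ".join(str(n) for n in home_networks())
    lines = ["table inet admin_geo {", "  chain input {",
             "    type filter hook input priority 0; policy accept;",
             "    ct state established,related accept",
             f"    tcp dport {{ {ports} }} ip saddr {{ {home} }} accept"]
    travel = ", ".join(str(n) for n in active_travel(now))
    if travel:
        lines.append(f"    tcp dport {{ {ports} }} ip saddr {{ {travel} }} "
                     'log prefix "travel-admin: " accept')
    lines += [f"    tcp dport {{ {ports} }} drop", "  }", "}"]
    return "\n".join(lines)
```

Because the travel rule is only rendered while its expiry is in the future, regenerating the ruleset after the trip closes the wider range again.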