Hey all, i’ve decided I should probably setup something else to help block nefarious IP addresses. I’ve been looking into CrowdSec and Fail2Ban but i’m not really sure the best one to use.

My setup is OpnSense -> Nginx Proxy Manager -> Servers. I think I need to setup CrowdSec/Fail2Ban on the Nginx Proxy Manager to filter the access logs, then ideally it would setup the blocks on OpnSense - but i’m not sure that can be done?

Any experience in a setup like this? I’ve found a few guides but some of them seem fairly outdated.

Edit: thanks everybody for the great info. General consensus seems to be with crowdsec so I’ll go down that path and see how it goes.

  • mbirth@lemmy.ml
    link
    fedilink
    English
    arrow-up
    9
    ·
    20 hours ago

    I’ve recently enabled banning whole subnets if more than 3 malicious actors from that subnet are on the blocklist. This is great for all those DigitalOcean droplets and other cheap hosters used by those people…

    • SirMaple__@lemmy.ca
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      19 hours ago

      I’ve been thinking about going this route. What size subnet are you banning? /24?

      Only thing stopping me is I selfhost email and don’t want to ban say a whole subnet from Microsoft/Azure and end up blocking the outgoing servers for O365. I’m sure I can dig around and look at the prefixes to see which are used for which of their services just haven’t had the time yet.

      • mbirth@lemmy.ml
        link
        fedilink
        English
        arrow-up
        4
        ·
        17 hours ago

        I let CrowdSec determine that. I’m seeing /13, /12 and even /10 in my decisions list. All seem to be Amazon AWS ranges.

        • sudneo@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          ·
          12 hours ago

          Wow, those are big networks. Obviously I suppose in case of AWS it doesn’t matter as no human visitor (except maybe some VPN connection?) will visit from there.

          As someone who bans /32 IPs only, is the main advantage resource consumption?