From: Christopher E. <ce...@lc...> - 2019-11-01 12:24:28
On 01.11.19 03:40, gi1...@gm... wrote:
> I hope it doesn't cause trouble with other things to switch that hook.

The main difference is that you now block before deciding how to route traffic instead of after, so it's a very global block. Unless your machine does a lot of intricate forwarding all over the place, it shouldn't matter.

> Do you know why sshguard doesn't hook prerouting by default?

No. But input is where most simple firewall setups have ALL their rules for incoming traffic, so putting sshguard's there as well makes it easier for the non-expert to understand what their firewall is doing. It is also the chain in which sshguard is least likely to interfere with more complex network setups. It also potentially reduces load by not running local filters on non-local traffic. Sshguard detects attacks on local services through local logs, so it makes sense to block access locally and not mess with traffic forwarded elsewhere.

In the containerized world, where suddenly the host is an entire network with a shared hard drive and the host interface essentially does nothing but forwarding, it might be worth revisiting that decision.

Christopher
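As an added illustration of the hook placement discussed above (not from the thread, and not sshguard's own ruleset), an nftables ruleset in the shape sshguard's nft backend is assumed to create, with the default input hook beside the prerouting variant and a forward chain showing which traffic each one sees; table, set, chain and interface names are assumptions.

```nft
# Added example, not from the thread. Table/set/chain names are assumed to
# mirror what sshguard's nftables backend creates; treat them as assumptions.
table ip sshguard {
    set attackers {
        type ipv4_addr
        flags interval
    }

    # Default placement: the input hook. Only packets destined for a local
    # socket (e.g. sshd on this host) traverse it; forwarded packets do not.
    # Priority -10 runs before the usual filter chains (priority 0), so the
    # drop happens before an accept rule in the admin's own input chain.
    chain blacklist {
        type filter hook input priority -10; policy accept;
        ip saddr @attackers drop
    }
}

# Variant discussed in the thread: hooking prerouting instead. Every packet
# arriving on any interface passes here before the routing decision, so a
# listed source is dropped whether it targets the host itself or a container
# the host forwards for. That is the "very global block": it also catches
# traffic that would never reach the input hook at all.
table ip sshguard_prerouting {
    set attackers {
        type ipv4_addr
        flags interval
    }
    chain blacklist {
        type filter hook prerouting priority -10; policy accept;
        ip saddr @attackers drop
    }
}

# Constructed forwarding rules of the kind a container host carries. Packets
# matching them never traverse the input-hook chain above, which is why the
# default placement leaves forwarded services unprotected by the blacklist
# and why the prerouting variant "blocks before deciding how to route".
table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "eth0" oifname "docker0" tcp dport 22 accept
    }
}
```

Only one of the two sshguard tables would be loaded on a real host; both are shown side by side to contrast the hook points.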