From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-qg0-x22d.google.com (mail-qg0-x22d.google.com [IPv6:2607:f8b0:400d:c04::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.bufferbloat.net (Postfix) with ESMTPS id D37B13C9F2 for ; Tue, 19 Jan 2016 04:29:06 -0500 (EST) Received: by mail-qg0-x22d.google.com with SMTP id e32so487443446qgf.3 for ; Tue, 19 Jan 2016 01:29:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=Tn0GTl9bK6iUAzJA/ZRD8xwkeC9eOQnbkmdGvuwLMhg=; b=slgDXTkjxjhRxRUaMXQaX+E5B5UuvRUhZooCtv0qfCcg452Mm/6oPJxzNotmOoGwdG 3GObjtI1tWJERd3whU2GxhXLLtLirdYsaN75hhZ02gTCG9RhGjOIqwbN05j7Z2tFI+yz 5t3Ghcj56wD5RSnXVmaS49haVIoEzdU5+ZVo0Bj9be2genyiXJx9uro8brpaYKoIixEu pbqulbXO5ZvgimZa87Z1DFJe10j2zx/CxCUKJmF3kUiyaGcpQyLmw2WnKYEc/aEwkAgj y9sAUOzjBCT0sNPijwUzNy305ISlu/M+wrqlyqiK2kYp8HmlKvjmbXWn3s9SlUxq75s7 esyg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=Tn0GTl9bK6iUAzJA/ZRD8xwkeC9eOQnbkmdGvuwLMhg=; b=UDO1plyqzbqQEMVM9yvjovIHWvbo5JAtppRF5JOkxBFcNCYPGGqSGx1zOPoEMbafaf 7JhkvecxWS6oTmhH4/DtgcbfBvo6TJSxLQehM2G+AeX6H2hgMzO3bA5GeNtR3pGZv6dn 4F+EbPPvhfxNkmTI0TTnsnoKDPvbWRE/vAvygP9DLx0UgzWu/aGRPbmmVTgLjaP+rvdJ VAT3Py0WixEjADt8F2urVAwWF+sE03DpyFCXCjV53OKCMtRWP5ZBqMpwx29WEjhWrlHT 0P8Q41T5aFEKbmIG3SZH5VTzndwhkSsvZ4lAYLWzRyGD3KuLyETPNEr/cGg7os6jneg/ bWmA== X-Gm-Message-State: ALoCoQmLR0kUyZANYDbQzZEckivzRY6ckOSso+BDTtaHGci7sBfSqyRdsOXNQ9svsns0KS9ptny+VbkkS7PC0y3R9r88cdLh0Q== MIME-Version: 1.0 X-Received: by 10.140.93.77 with SMTP id c71mr37747358qge.46.1453195745563; Tue, 19 Jan 2016 01:29:05 -0800 (PST) Received: by 10.140.16.178 with HTTP; Tue, 19 Jan 2016 01:29:05 -0800 (PST) In-Reply-To: <569D3078.7050605@taht.net> References: <569D3078.7050605@taht.net> Date: Tue, 19 Jan 2016 09:29:05 +0000 Message-ID: From: Alan Jenkins To: =?UTF-8?Q?Dave_T=C3=A4ht?= Cc: cerowrt-devel@lists.bufferbloat.net Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [Cerowrt-devel] router hardening X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.20 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Jan 2016 09:29:06 -0000 On 18/01/2016, Dave T=C3=A4ht wrote: > One of my issues with blindly applying techniques to block certain IPs > is trusting the sources of the data - many people have ended up on a > blocklist that shouldn't have. > > That said, ipset is so effective and so scalable, that perhaps deploying > this by default > > http://www.linuxjournal.com/content/server-hardening?page=3D0,1 > > would be a good idea. > > Are there any more ipv6 specific blocklists out there? Note the RBN list it links to says it's obsolete for 2 years. (Other Emerging Threat lists are available, as transparent aggregation of a very small number of trusted sources. Still useful but rather less ambitious. Unfortunately the documentation still describes the obsolete lists. Maybe somewhere else is more active). It sounds like one needs a list to stay up to date on which blocklists to use :). Alan