Blocking IPs in production [blog]

This is probably a hacky way to go about things, but if I don’t write it down, I know I’ll have forgotten it by the time maintenance comes around in 2033…
TL;DR: use ufw but ensure you can access ssh.


This content originally appeared on remy sharp's b:log and was authored by remy sharp's b:log


ufw - Uncomplicated Firewall

Although when I'm maintaining a machine directly I'm likely doing it through AWS, and AWS does also have IP level security, it (AWS) is a pain to navigate and I often get lost. Plus, knowing ufw is useful away from AWS.

ufw is a firewall tool that (in my case) was disabled by default, and when enabled, denies all incoming traffic - including my own SSH connections.

So, this is a short primer (and reminder) for future me.

$ sudo ufw status # expecting "Status: inactive"
$ sudo ufw allow ssh # let us back in using SSH
$ sudo ufw allow https # because I'm usually running a server
$ sudo ufw enable

Now test that a fresh SSH connection still gets in, importantly without closing the current connection.

This puts the firewall in place. Now if I want to block an individual IP address:

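$ sudo ufw insert 1 deny from 1.2.3.4 to any # position 1: ufw stops at the first matching rule, so the deny has to sit above the allow rules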

Now any requests from 1.2.3.4 are discarded at the network level, allowing my server to happily continue without wasting resources on a client that's been configured to automatically request from my machine multiple times a second with the wrong API key…
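ufw evaluates rules in order and the first match wins, so a per-IP deny that sits below the `allow ssh` and `allow https` rules never fires for those ports. The script below is an added example, not part of the original post: it parses `ufw status numbered` output and lists deny rules that are shadowed this way. The sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find per-source deny rules that an earlier allow rule shadows.

# Constructed sample of `sudo ufw status numbered` output (not captured from a
# real host): the deny was appended after the two allow rules.
sample_status() {
cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 443/tcp                    ALLOW IN    Anywhere
[ 3] Anywhere                   DENY IN     1.2.3.4
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
EOF
}

# Reads `ufw status numbered` text on stdin (IPv4 rules only). For each
# "deny from <source> to any" rule listed below an allow-from-anywhere rule,
# prints: <deny rule number> <source> <ports the source can still reach>
shadowed_denies() {
  awk '
    /^\[ *[0-9]+\]/ {
      num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
      rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
      split(rest, col, /  +/)            # columns: To, Action, From
      if (col[2] == "ALLOW IN" && col[3] == "Anywhere")
        allowed = (allowed == "" ? col[1] : allowed "," col[1])
      else if (col[2] == "DENY IN" && col[1] == "Anywhere" &&
               col[3] != "Anywhere" && allowed != "")
        print num, col[3], allowed
    }'
}

# On a live host: sudo ufw status numbered | shadowed_denies
sample_status | shadowed_denies
```

An empty result means every per-source deny sits above the allow rules it is meant to override.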

Fair warning

As I mentioned, this feels like a bit of a fast and loose approach, and this wouldn't get me a job as head of Ops in Big Corp. But it works for me. Your mileage may vary!

Originally published on Remy Sharp's b:log


APA

remy sharp's b:log | Sciencx (2023-10-31T00:00:00+00:00) Blocking IPs in production [blog]. Retrieved from https://www.scien.cx/2023/10/31/blocking-ips-in-production-blog/
