Anyone willing to share Firewall rules

[presentpro]

Recently I was dealing with huge log data that overwhelmed my system.

I now believe my server is under some sort of attack, causing the massive logs and also massive amounts of data transferred - which seems strange as it is relatively new, and I thought that having IPs on my block list would be sufficient. This is also why I have had large volumes of outbound data, which I have not yet been able to identify.

I wonder if anyone is able to share the Firewall rules they currently use to allow Snidust to run successfully, but not create a security risk. (I thought this would also make a valuable addition to the docs)

[Seji64]

Hi,
just to understand, you have entered a few allowed IPs in SniDust and your system is still being overrun?

[presentpro]

I know I can manual block these IPs, but I thought there may just be good practice firewall rules that stop it occurring in the first place (using GCP for hosting).

[Seji64]

In addition, the acl is working as intended, when I remove my own IP I am no longer able to get a response from a DNS request.

also a simple curl command is blocked? eg curl YOUR_VPS_IP should be denied.

[presentpro]

Yes, this is denied (see response below). Although I do have an internal API running on port 5000 which will accept certain requests with a bearer token.

---

HTTP/1.1 403 Forbidden
Server: nginx/1.24.0
Date: Thu, 11 Apr 2024 15:11:31 GMT
Content-Type: text/html
Content-Length: 555
Connection: keep-alive

<title>403 Forbidden</title>

403 Forbidden

---

nginx/1.24.0

[Seji64]

Hm, if blocked there cant be Traffic to some ips 🧐

[presentpro]

😄 That's what I thought, but here we stand. It's not a problem specifically with the package anyway, just some sort of abuse. I'm very surprised that a new instance less than a month old would be hit by anything though.