NAK: Active defense for Debian 13 and Caddy
TL;DR: https://github.com/singletail/nak
Putting up a new web server on the “dead Internet” is exciting.
In the first three weeks this server has been online, it has been attacked from 13,735 different IP addresses. Most of those hosts would still be trying to get in today if I hadn’t built a system to keep them out.
You are welcome to use my scripts, or learn from them, or even criticize me for using them. Here’s a little bit about what they do.
Step 1: IPdeny
Sadly, the vast majority of exploit attempts come from parts of the world where none of my friends or clients live. So I’ve taken the drastic measure of blocking all but about 20 countries, using ipsets built from IPdeny’s per-country zone files. It’s not a very nice way of handling the problem, but it’s extremely effective. It is also only a noise filter, not a security boundary: IP geolocation is coarse, and an attacker renting a VPS in an allowed country walks straight past it.
Once a day, the package downloads the IPdeny zone file for each country code listed in /etc/nak, in either whitelist or blacklist mode. It then extracts the network ranges, loads them into an ipset, and adds a firewall rule that rejects matching packets in the kernel, before they ever reach Caddy. In whitelist mode, make sure the address you administer the box from falls inside an allowed country (or is accepted by an earlier rule), or the first refresh will lock you out.
This alone cuts down bot traffic by about 80%.
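As an added example (this is not NAK’s own script), here is the Step 1 pipeline in shell: fetch IPdeny zone files, build one hash:net ipset from them, swap it in atomically on each refresh, and attach the REJECT rule with the polarity the mode calls for. The mode and country codes are taken as arguments (NAK reads them from /etc/nak in its own format); the zone URL is IPdeny’s published per-country path; the set name nak_geo, the zone directory and the sample zone files in the test are made up for the example.

```shell
#!/bin/sh
# Added example, not NAK's own script: build one hash:net ipset from IPdeny
# country zone files and hang an iptables REJECT rule off it.
# Assumptions: mode and country codes are passed as arguments (NAK reads them
# from /etc/nak in its own format); zone files come from IPdeny's published
# per-country path; the set name and zone directory are made up here.
set -eu

IPDENY_BASE="https://www.ipdeny.com/ipblocks/data/countries"
SET_NAME="${NAK_GEO_SET:-nak_geo}"

# Fetch <cc>.zone for each country code into the directory given as $1.
download_zones() {
  local zonedir="$1" cc; shift
  mkdir -p "$zonedir"
  for cc in "$@"; do
    curl -fsSL --retry 3 -o "$zonedir/$cc.zone" "$IPDENY_BASE/$cc.zone"
  done
}

# Print every well-formed IPv4 CIDR from the named zone files. A missing file is
# fatal on purpose: in whitelist mode a silently skipped country would be locked out.
zone_entries() {
  local zonedir="$1" cc f; shift
  for cc in "$@"; do
    f="$zonedir/$cc.zone"
    if [ ! -r "$f" ]; then
      echo "zone file missing: $f (refusing to build a partial set)" >&2
      return 1
    fi
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' "$f" || true
  done
}

# Emit an `ipset restore` script for a fresh set. The zone lists for a handful of
# large countries run well past ipset's default maxelem of 65536, so raise it.
build_restore_script() {
  local setname="$1" zonedir="$2" tmp; shift 2
  tmp=$(mktemp)
  zone_entries "$zonedir" "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
  echo "create $setname hash:net family inet hashsize 65536 maxelem 1000000"
  sort -u "$tmp" | sed "s/^/add $setname /"     # sort -u drops exact duplicates
  rm -f "$tmp"
}

# iptables match for the chosen mode: whitelist rejects anything NOT in the set.
# Only new connections are matched, so replies to the server's own outbound
# traffic (package mirrors, ACME, ...) are never rejected by the geo rule.
firewall_match() {
  case "$1" in
    whitelist) echo "-m conntrack --ctstate NEW -m set ! --match-set $2 src -j REJECT" ;;
    blacklist) echo "-m conntrack --ctstate NEW -m set --match-set $2 src -j REJECT" ;;
    *) echo "mode must be whitelist or blacklist, got: $1" >&2; return 1 ;;
  esac
}

# Root path: load into a scratch set, swap it in atomically (no empty-set window
# during the daily refresh), then add the rule once if it is not there yet.
apply_geo_set() {
  local mode="$1" zonedir="$2" match; shift 2
  ipset destroy "${SET_NAME}_tmp" 2>/dev/null || true
  build_restore_script "${SET_NAME}_tmp" "$zonedir" "$@" | ipset restore
  ipset -exist create "$SET_NAME" hash:net family inet hashsize 65536 maxelem 1000000
  ipset swap "${SET_NAME}_tmp" "$SET_NAME"
  ipset destroy "${SET_NAME}_tmp"
  match=$(firewall_match "$mode" "$SET_NAME")
  # word splitting of $match is intended: it is a list of iptables arguments
  iptables -C INPUT $match 2>/dev/null || iptables -A INPUT $match
}

# Only act when invoked as `fetch <dir> <cc>...` or `apply <mode> <dir> <cc>...`.
case "${1-}" in
  fetch) shift; download_zones "$@" ;;
  apply) shift; apply_geo_set "$@" ;;
esac
```

Run `fetch /var/lib/nak/zones us ca de` and then `apply whitelist /var/lib/nak/zones us ca de` (as root) from a daily timer. Two things to know before copying this: the set is `family inet` only, so IPv6 clients are not filtered at all unless you build a second `family inet6` set from IPdeny’s IPv6 zones and an ip6tables rule for it; and on Debian 13 the `iptables` command is the nft-backed shim, which still supports `-m set` but means the rule shows up under `nft list ruleset`, not in a legacy table.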
Step 2: Caddy
I’m using Caddy as my main reverse proxy. It’s fast, light, and remembers to renew my TLS certificates when I forget. That makes it the natural second line of defense.
NAK installs a predefined set of Caddy rules; all you have to do is import that file into your existing Caddyfile and point a log directive at a file. Every request that matches a rule is written to that log, which is what the next step consumes, and it stays on disk for later analysis.
Step 3: Ipsets
NAK installs a daemon as a systemd service that tails that Caddy log and inserts each offending address into an ipset; a matching firewall rule then blocks every further packet from that address immediately, with no expiry. (ipset contents live in kernel memory, so a set has to be saved and restored across reboots if bans are to outlive one.)
It’s that simple, and each piece is designed to be easy to disable or remove as things need adjusting over time.
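As an added example (not NAK’s daemon), here is the Step 3 loop in shell: it tails Caddy’s JSON access log, pulls the client address out of each matched request, skips anything private, loopback or allowlisted, and adds the rest to a hash:ip set that a DROP rule consumes. The `request.remote_ip` and `request.client_ip` fields are Caddy’s own JSON access-log fields (`client_ip` from Caddy 2.7 on); the set name nak_ban, the allowlist path /etc/nak/allowlist and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not NAK's own daemon: turn Caddy rule matches into ipset bans.
# Assumes the Caddyfile sends matched requests to a JSON log, roughly
#     log nak { output file /var/log/caddy/nak.log  format json }
# Caddy's JSON access log carries the peer address as request.remote_ip and,
# on Caddy 2.7+, request.client_ip (which honours trusted_proxies).
# Set name, allowlist path and the sample lines below are assumptions.
set -eu

BAN_SET="${NAK_BAN_SET:-nak_ban}"
ALLOWLIST="${NAK_ALLOWLIST:-/etc/nak/allowlist}"   # one IP per line, never banned

# Constructed sample lines in Caddy's JSON access-log shape (not real traffic).
SAMPLE_ATTACK='{"level":"info","ts":1730000000.1,"logger":"http.log.access.nak","msg":"handled request","request":{"remote_ip":"203.0.113.5","remote_port":"51234","client_ip":"203.0.113.5","proto":"HTTP/1.1","method":"GET","host":"example.com","uri":"/wp-login.php"},"status":403}'
SAMPLE_OLD_CADDY='{"level":"info","ts":1730000000.2,"logger":"http.log.access.nak","msg":"handled request","request":{"remote_ip":"198.51.100.7","remote_port":"40002","proto":"HTTP/1.1","method":"GET","host":"example.com","uri":"/.env"},"status":403}'
SAMPLE_LOOPBACK='{"level":"info","ts":1730000000.3,"logger":"http.log.access.nak","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"40003","client_ip":"127.0.0.1","proto":"HTTP/1.1","method":"GET","host":"example.com","uri":"/.git/config"},"status":403}'
SAMPLE_IPV6='{"level":"info","ts":1730000000.4,"logger":"http.log.access.nak","msg":"handled request","request":{"remote_ip":"2001:db8::1","remote_port":"40004","client_ip":"2001:db8::1","proto":"HTTP/1.1","method":"GET","host":"example.com","uri":"/phpmyadmin/"},"status":403}'

# Pull the IPv4 client address out of one JSON log line (empty output if none).
# client_ip is preferred so a trusted reverse proxy's own address is not banned.
# The pattern only accepts dotted IPv4 on purpose: this set is family inet.
extract_ip() {
  local ip
  ip=$(printf '%s\n' "$1" | sed -n 's/.*"client_ip":"\([0-9.]*\)".*/\1/p')
  [ -n "$ip" ] || ip=$(printf '%s\n' "$1" | sed -n 's/.*"remote_ip":"\([0-9.]*\)".*/\1/p')
  printf '%s\n' "$ip"
}

# Public unicast IPv4 only; private, loopback and link-local ranges are never banned.
is_public_ipv4() {
  case "$1" in
    0.*|10.*|127.*|169.254.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Allowlisted addresses (your own, monitoring, ...) are skipped even if they trip a rule.
should_block() {
  is_public_ipv4 "$1" || return 1
  if [ -r "$ALLOWLIST" ] && grep -qxF "$1" "$ALLOWLIST"; then return 1; fi
  return 0
}

# Read log lines on stdin, print one bannable address per line.
blockable_ips() {
  local line ip
  while IFS= read -r line; do
    ip=$(extract_ip "$line")
    [ -n "$ip" ] || continue
    should_block "$ip" || continue
    printf '%s\n' "$ip"
  done
}

# Live path (root): create the set and its DROP rule, then follow the log.
# tail -F survives logrotate; ipset add has no timeout, so the ban does not expire.
watch_log() {
  local logfile="$1"
  ipset -exist create "$BAN_SET" hash:ip family inet
  iptables -C INPUT -m set --match-set "$BAN_SET" src -j DROP 2>/dev/null ||
    iptables -I INPUT -m set --match-set "$BAN_SET" src -j DROP
  tail -n 0 -F "$logfile" | blockable_ips | while IFS= read -r ip; do
    ipset -exist add "$BAN_SET" "$ip"
    logger -t nak "banned $ip"
  done
}

# Only run the live loop when invoked as `watch <logfile>`.
case "${1-}" in
  watch) watch_log "$2" ;;
esac
```

Run it as `watch /var/log/caddy/nak.log` from a systemd unit with `Restart=always`. The sed extraction is deliberately narrow: it will not pick up an IPv6 client, which is correct for a `family inet` set but means IPv6 attackers need their own `family inet6` set, an ip6tables rule and a second pattern. If Caddy sits behind another proxy, set `trusted_proxies` so `client_ip` reflects the real client; otherwise the loop would ban the proxy and take the site down.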
If you’d like to give it a try, head over to GitHub and follow the installation instructions. I think you’ll find that it’s a simple, elegant solution.
https://github.com/singletail/nak
#EOF