On Sun 10 Nov 2019 at 10:26:17 -0800, Kushal Kumaran wrote:
> Brian <a...@cityscape.co.uk> writes:
>
> > On Sun 10 Nov 2019 at 11:01:07 +0100, Michael wrote:
> >
> >> On Saturday, November 9, 2019 7:01:00 PM CET, Gene Heskett wrote:
> >>
> >> > I was able, with the help of another responder to carve up some iptables
> >> > rules to stop the DDOS that semrush, yandex, bingbot, and 2 or 3 others
> >> > were bound to do to me.
> >>
> >> using iptables directly is fine, because you get your results fast, but it
> >> lacks some advantages over fail2ban, which i think outweigh the simplicity
> >> of iptables:
> >> - with iptables you have to scan your log regularly for misbehaving or
> >> unwanted clients, whereas fail2ban does this automatically, constantly (!),
> >> and based on rules. from time to time these rules have to be adapted, since
> >> bots are evolving, but i think it's still less trouble than looking at log
> >> files every day or so.
> >> - fail2ban allows you to block only specific ports, in your case maybe 80
> >> and/or 443 for the web server.
> >> - you have to remember which ip address you blocked, why and for how long
> >> you want to block them. fail2ban does that for you.
> >> - ... (too lazy right now to write more)
> >
> > This accords with my understanding of failtoban with exim. I use it to
> > keep the logs clean and it is very effective. Offenders are banned for
> > a year, although I do wonder sometimes whether this length of time is
> > a little over the top. I also wonder whether, as the banned list builds
> > up, there is a noticeable effect on the machine's resources.
>
> Probably. But you have to balance that against the resources required
> if you let the connection through to exim (or whatever service you're
> protecting). iptables (even with a few hundred rules) is likely to be
> more efficient than exim.

Thank you for that, Kushal. I see your point. It is indeed efficiency, not security, I am after.

> One thing you could try is to examine the iptables rule counters
> daily/weekly. If the counters do not increase during some interval,
> then the rule is no longer useful to you, so you could delete it. This
> should be fairly straightforward to automate, but I don't know if
> someone has already built this tooling.

I hardly use iptables, so this is the first I have heard about rule counters. I'll work something out to accommodate it.

-- 
Brian.
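One way to automate the counter check Kushal describes, added here as an example and not code from anyone in the thread: take a snapshot with `iptables-save -c` on each run (the `-c` flag includes the `[packets:bytes]` counters in front of every rule), keep the previous snapshot, and list the DROP/REJECT rules whose packet counter is exactly the same in both. A counter that went *down* means the counters were reset (reboot, `iptables -Z`, or a rule reload), so such rules are deliberately not reported; they get judged on the next interval instead. The snapshot paths and the sample snapshots inside `demo` are constructed for illustration.

```bash
#!/bin/sh
# stale_rules OLD NEW
#   OLD and NEW are two `iptables-save -c` snapshots, OLD taken an interval earlier.
#   Prints, in -A form, every DROP/REJECT rule whose packet counter did not change.
stale_rules() {
    awk '
        FNR == 1 { f++ }                          # f==1 while reading OLD, f==2 for NEW
        /^\[[0-9]+:[0-9]+\] -A / {                # counter lines: [pkts:bytes] -A CHAIN ...
            pk = $1
            gsub(/\[|\]/, "", pk)                 # "[12:960]" -> "12:960"
            split(pk, c, ":")                     # c[1] = packets, c[2] = bytes
            rule = $0
            sub(/^\[[0-9]+:[0-9]+\] /, "", rule)  # key rules by their text, not their counters
            if (f == 1) {
                old[rule] = c[1] + 0
            } else if ((rule in old) && c[1] + 0 == old[rule] && rule ~ /-j (DROP|REJECT)/) {
                # equal counter => no hits this interval; a smaller counter => reset, skip;
                # a rule absent from OLD has no baseline yet, skip
                print rule
            }
        }
    ' "$1" "$2"
}

# demo: constructed sample snapshots (not real iptables-save output) showing each case.
demo() {
    oldsnap=$(mktemp) ; newsnap=$(mktemp)
    cat > "$oldsnap" <<'EOF'
# constructed sample of `iptables-save -c` output, interval start
*filter
:INPUT ACCEPT [1000:200000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [900:150000]
[50:4000] -A INPUT -i lo -j ACCEPT
[5000:400000] -A INPUT -s 203.0.113.10/32 -p tcp -m multiport --dports 80,443 -j DROP
[12:960] -A INPUT -s 198.51.100.7/32 -p tcp -m multiport --dports 80,443 -j DROP
[0:0] -A INPUT -s 192.0.2.55/32 -j DROP
[3:240] -A INPUT -s 198.51.100.9/32 -j DROP
COMMIT
EOF
    cat > "$newsnap" <<'EOF'
# constructed sample of `iptables-save -c` output, interval end
*filter
:INPUT ACCEPT [1400:280000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1200:190000]
[50:4000] -A INPUT -i lo -j ACCEPT
[7400:592000] -A INPUT -s 203.0.113.10/32 -p tcp -m multiport --dports 80,443 -j DROP
[12:960] -A INPUT -s 198.51.100.7/32 -p tcp -m multiport --dports 80,443 -j DROP
[0:0] -A INPUT -s 192.0.2.55/32 -j DROP
[1:80] -A INPUT -s 198.51.100.9/32 -j DROP
[0:0] -A INPUT -s 192.0.2.99/32 -j DROP
COMMIT
EOF
    stale_rules "$oldsnap" "$newsnap"
    rm -f "$oldsnap" "$newsnap"
}

# Expected from demo: the 198.51.100.7 and 192.0.2.55 rules only.
# 203.0.113.10 still takes hits, 198.51.100.9 had its counters reset, the lo rule
# is an ACCEPT, and 192.0.2.99 has no baseline in the old snapshot.
```

In a cron job the two arguments would be something like `/var/lib/ipt-counters/prev` and the snapshot just taken (assumed paths); each printed line can be reviewed and, if the block is no longer wanted, removed by re-issuing it with `-A` replaced by `-D`. Keep a copy of the rule text you delete, since a quiet counter over one week says only that the address stopped hitting you, not that it never will.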