On Tue, Dec 13, 2016 at 07:28:03AM -0800, Grant wrote:
>
> So you're saying fail2ban should have caught it so they must have been
> making requests at a rate lower than my configured maximum?  How does
> fail2ban know to lump together stats for requests coming from
> different IP addresses?

In my understanding, fail2ban only collects stats on individual IPs. I have seen suggestions to change the action to block the entire /24 for a bad IP in some situations. That sort of helps, but doesn't help aggregate the "hits" on the jails in the first place.

You could set up a jail to fire for every hit, and make the action just log each IP as A.B.C.0 (i.e. only log the hit, do not block the IP). Then use another jail to monitor that logfile and block A.B.C.0/24 when the hit threshold is met.

Here are a couple of other posts on the subject:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724274
http://unix.stackexchange.com/questions/181114/how-can-i-teach-fail2ban-to-detect-and-block-attacks-from-a-whole-subnet

IMHO, this setup currently requires too much hackery and I haven't found it to be worth it. I can imagine that changing though, so if the situation is bad enough, go for it.

Mark

>
> - Grant
>
>
> >> > I recently suffered DoS from a series of 10 sequential IP addresses
> >> > which identified themselves as being associated with a fairly legit
> >> > search engine.  fail2ban would have dealt with the problem if a single
> >> > IP address had been used.  Can it be made to work in a situation like
> >> > this where a series of sequential IP addresses are in play?
>

--
Mark Costlow    | Southwest Cyberport | Fax:   +1-505-232-7975
che...@swcp.com | Web: www.swcp.com   | Voice: +1-505-232-7992

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
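
The aggregation Mark describes above (record each hit as A.B.C.0, then act on A.B.C.0/24 once the threshold is met), sketched in Python as an added example that is not part of the original post and is not fail2ban code. The `date time ip` log format, the function name `subnets_to_ban`, and the `maxretry`/`findtime` defaults are assumptions chosen to mirror the jail settings of the same names.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample hit log (assumed format: "date time ip"), using
# documentation address ranges: ten sequential IPs hit once each within
# ten seconds, plus an unrelated IP that hits twice.
SAMPLE_HITS = [f"2016-12-13 07:00:{i:02d} 203.0.113.{10 + i}" for i in range(10)]
SAMPLE_HITS += ["2016-12-13 07:00:30 198.51.100.7",
                "2016-12-13 07:05:00 198.51.100.7"]


def subnets_to_ban(lines, maxretry=5, findtime=timedelta(seconds=60), prefix=24):
    """Return IPv4 networks whose combined hits reach maxretry within findtime.

    Same maxretry/findtime idea as a fail2ban jail, but counted per
    A.B.C.0/prefix instead of per IP. Lines must be in time order.
    """
    windows = defaultdict(deque)  # network -> hit timestamps still in window
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line
        try:
            ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
            addr = ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # bad timestamp or address
        if addr.version != 4:
            continue  # a /24 only makes sense for IPv4
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        win = windows[net]
        win.append(ts)
        while ts - win[0] > findtime:
            win.popleft()  # drop hits older than findtime
        if len(win) >= maxretry and net not in flagged:
            flagged.append(net)
    return flagged


if __name__ == "__main__":
    for net in subnets_to_ban(SAMPLE_HITS):
        print(f"ban {net}")
```

Calling it with `prefix=32` reproduces per-IP counting on the same sample, which flags nothing because no single address reaches the threshold.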