Grant,
You don't mention anything about the rate...
Anyway, fail2ban does look at hosts individually ...it doesn't
"lump together stats for requests coming from different IP
addresses".
If this "DOS" attack simply involves -for instance- requests to
legitimate web pages and not attempts to brute force log in to your
website (using - for example - a "dictionary attack") then you are
really talking about an attack that is simply a matter of "rate".
In other words these ten hosts are requesting legitimate web pages
from your site at a very high rate (perhaps tens or hundreds of
requests per second).
If that's the case then the tool for that is apache "mod evasive" -
not fail2ban.
On Tue, Dec 13, 2016, at 07:28 AM, Grant wrote:
> >> Well I certainly use it to defend from that kind of attack all the time.
> >> Can you give us some idea of the rate (ie: how many requests per
> >> second)? Also, for that kind of attack it's important to be using the
> >> recidive filter. By any chance is it a wordpress site?
>
>
> So you're saying fail2ban should have caught it so they must have been
> making requests at a rate lower than my configured maximum? How does
> fail2ban know to lump together stats for requests coming from
> different IP addresses?
>
> - Grant
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
