> You don't mention anything about the rate...
> Anyway, fail2ban does look at hosts individually ...it doesn't
> "lump together stats for requests coming from different IP
> addresses".
>
> If this "DOS" attack simply involves -for instance- requests to
> legitimate web pages and not attempts to brute force log in to your
> website (using - for example - a "dictionary attack") then you are
> really talking about an attack that is simply a matter of "rate".
> In other words these ten hosts are requesting legitimate web pages
> from your site at a very high rate (perhaps tens or hundreds of
> requests per second).
>
> If that's the case then the tool for that is apache "mod evasive" -
> not fail2ban.

I'm not sure how mod_evasive would be helpful here. It is said to check for:

- Requesting the same page more than a few times per second
- Making more than 50 concurrent requests on the same child per second
- Making any requests while temporarily blacklisted

None of that would have triggered in my scenario. Am I missing something?

- Grant

>> >> Well I certainly use it to defend from that kind of attack all the time.
>> >> Can you give us some idea of the rate (ie: how many requests per
>> >> second)? Also, for that kind of attack it's important to be using the
>> >> recidive filter. By any chance is it a wordpress site?
>> >>
>> So you're saying fail2ban should have caught it so they must have been
>> making requests at a rate lower than my configured maximum? How does
>> fail2ban know to lump together stats for requests coming from
>> different IP addresses?

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
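
An added example, not part of the original thread and not fail2ban or mod_evasive code: a simplified model of per-host counting (hits per IP inside a `findtime` window compared against `maxretry`) next to an aggregate count over all hosts, run on constructed access-log lines. The thresholds, function names, date and the 203.0.113.0/24 documentation addresses are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache common/combined log prefix: client IP and bracketed timestamp.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(lines):
    """Return (timestamp, ip) pairs for lines that match, in log order."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(2), TS_FMT), m.group(1)))
    return events

def per_ip_offenders(events, maxretry, findtime):
    """IPs that reach maxretry hits inside any findtime-second window."""
    windows, offenders = defaultdict(deque), set()
    for ts, ip in events:
        w = windows[ip]
        w.append(ts)
        while (ts - w[0]).total_seconds() > findtime:
            w.popleft()
        if len(w) >= maxretry:
            offenders.add(ip)
    return offenders

def peak_aggregate(events, findtime):
    """(requests, distinct IPs) in the busiest findtime-second window overall."""
    w, best = deque(), (0, 0)
    for ts, ip in events:
        w.append((ts, ip))
        while (ts - w[0][0]).total_seconds() > findtime:
            w.popleft()
        if len(w) > best[0]:
            best = (len(w), len({i for _, i in w}))
    return best

def sample_log():
    """Constructed input: ten hosts, each sending one request every 10 s."""
    base = datetime(2017, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(60):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        lines.append(f'203.0.113.{10 + sec % 10} - - [{ts}] "GET / HTTP/1.1" 200 512')
    return lines

if __name__ == "__main__":
    events = parse(sample_log())
    print("per-IP offenders (maxretry=10, findtime=60):", per_ip_offenders(events, 10, 60))
    print("busiest 60 s window (requests, hosts):", peak_aggregate(events, 60))
```

With these constructed numbers no single host crosses the per-IP threshold, while the aggregate window shows the combined load; lowering `maxretry` to 6 flags all ten hosts.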