> In this entire thread you haven't mentioned what your "scenario" > is. All you say is "DOS". What is your scenario?
I'm not sure why you'd say that. I started off with: "I recently suffered DoS from a series of 10 sequential IP addresses which identified themselves as being associated with a fairly legit search engine." Those 10 sequential IPs would not have triggered any of the 3 mod_evasive conditions which are applied to each single IP. - Grant >> > You don't mention anything about the rate... >> > Anyway, fail2ban does look at hosts individually ...it doesn't >> > "lump together stats for requests coming from different IP >> > addresses". >> > >> > If this "DOS" attack simply involves -for instance- requests to >> > legitimate web pages and not attempts to brute force log in to your >> > website (using - for example - a "dictionary attack") then you are >> > really talking about an attack that is simply a matter of "rate". >> > In other words these ten hosts are requesting legitimate web pages >> > from your site at a very high rate (perhaps tens or hundreds of >> > requests per second). >> > >> > If that's the case then the tool for that is apache "mod evasive" - >> > not fail2ban. >> >> >> I'm not sure how mod_evasive would be helpful here. It is said to check >> for: >> >> - Requesting the same page more than a few times per second >> - Making more than 50 concurrent requests on the same child per second >> - Making any requests while temporarily blacklisted >> >> None of that would have triggered in my scenario. Am I missing >> something? >> >> - Grant ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
