You should be able to address this with the INPUT chain of iptables. Here is
my smtp entry:
    pkts bytes target prot opt in out source    destination
       0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   multiport dports 25,465,587 limit: up to 10/min burst 4 mode srcip /* mail - unknown */
If any source IP is over the limit it falls through to the default policy; for me
it is DROP.
I use Shorewall and the entry in the rules file is:
    ?COMMENT mail - unknown
    ACCEPT any fw tcp smtp,smtps,submission { rate=s:smtp:10/min:4 }
This allows a burst of 4 new connections. The burst bucket is recharged at
smtp:10/min, which is one per 6 seconds.
Bill
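
The per-source token bucket described in the message above, modelled as an added example (not code from the thread or from iptables itself). The `prefix_len` parameter is an assumption added here: it mirrors the `--hashlimit-srcmask` option of the iptables hashlimit match, which the posted rule does not use, and shows what changes when ten sequential addresses share one bucket. The addresses are constructed from the 203.0.113.0/24 documentation range.

```python
import ipaddress

RATE_PER_MIN = 10  # "up to 10/min" in the rule above
BURST = 4          # "burst 4" in the rule above
COST = 60          # integer credit units charged per accepted connection

def simulate(events, prefix_len=32):
    """Return an ACCEPT/DROP verdict for each (second, source_ip) event.

    events must be sorted by time. prefix_len=32 keeps one bucket per
    address (mode srcip); a shorter prefix shares one bucket per subnet.
    """
    buckets = {}  # subnet -> (credit, time of last event)
    verdicts = []
    for t, ip in events:
        key = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        credit, last = buckets.get(key, (BURST * COST, t))
        # Refill: RATE_PER_MIN units per second, i.e. one connection per 6 s,
        # capped at the burst size.
        credit = min(BURST * COST, credit + (t - last) * RATE_PER_MIN)
        if credit >= COST:
            credit -= COST
            verdicts.append("ACCEPT")
        else:
            # No match: falls through to the default policy (DROP in the post).
            verdicts.append("DROP")
        buckets[key] = (credit, t)
    return verdicts

def constructed_traffic(n_hosts, seconds=12):
    """Constructed sample: n_hosts sequential addresses, one connection each per second."""
    hosts = [f"203.0.113.{i}" for i in range(1, n_hosts + 1)]
    return [(t, h) for t in range(seconds) for h in hosts]

if __name__ == "__main__":
    print("single host:", simulate(constructed_traffic(1)))
    ten = constructed_traffic(10)
    print("10 hosts, /32 buckets:", simulate(ten, 32).count("ACCEPT"), "accepted")
    print("10 hosts, /28 bucket: ", simulate(ten, 28).count("ACCEPT"), "accepted")
```

With one bucket per address, ten sequential hosts together get ten times the allowance of a single host; with a shared /28 bucket they are held to the same total as one host.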
On 12/15/2016 10:59 PM, pjc...@fastmail.fm wrote:
Sorry, perhaps I answered too quickly...
Fail2ban works when the attacker can be distinguished in some way (other
than rate) from an ordinary person browsing your site.
If these ten hosts aren't attempting a "brute force" or "dictionary"
attack, i.e. if they are doing nothing more than requesting web pages
(at a fast rate), then fail2ban is probably not the right tool.
On Thu, Dec 15, 2016, at 04:04 PM, Grant wrote:
Well I certainly use it to defend from that kind of attack all the time.
Can you give us some idea of the rate (i.e. how many requests per
second)? Also, for that kind of attack it's important to be using the
recidive filter. By any chance is it a WordPress site?
How do you do that?
The requests per second were not astronomical but my backend gets
bogged down when handling several requests per second over a sustained
period of time.
I am using the recidive filter.
It is not a WordPress site.
- Grant
I recently suffered DoS from a series of 10 sequential IP addresses
which identified themselves as being associated with a fairly legit
search engine. fail2ban would have dealt with the problem if a single
IP address had been used. Can it be made to work in a situation like
this where a series of sequential IP addresses are in play?
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users