> You should be able to address this with the INPUT chain of iptables. Here
> is my smtp entry:
>
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 limit: up to 10/min burst 4 mode srcip /* mail - unknown */
>
> If any source IP is over the limit it falls through to the default policy; for
> me it is DROP.
>
> I use Shorewall and the entry in the rules file is:
>
> ?COMMENT mail - unknown
> ACCEPT any fw tcp smtp,smtps,submission { rate=s:smtp:10/min:4 }
>
> This allows a burst of 4 new connections. The burst bucket is recharged at
> smtp:10/min, which is one per 6 seconds.

I'm actually trying to figure out how to limit the rate of a group of IPs on the same subnet. I don't think this firewall solution works that way.

- Grant

> Sorry, perhaps I answered too quickly...
> Fail2ban works when the attacker can be distinguished in some way (other
> than rate) from an ordinary person browsing your site.
> If these ten hosts aren't attempting a "brute force" or "dictionary"
> attack, i.e. if they are doing nothing more than requesting web pages
> (at a fast rate), then fail2ban is probably not the right tool.
>
> On Thu, Dec 15, 2016, at 04:04 PM, Grant wrote:
>
> Well I certainly use it to defend from that kind of attack all the time.
> Can you give us some idea of the rate (i.e. how many requests per
> second)? Also, for that kind of attack it's important to be using the
> recidive filter. By any chance is it a WordPress site?
>
> How do you do that?
>
> The requests per second were not astronomical but my backend gets
> bogged down when handling several requests per second over a sustained
> period of time.
>
> I am using the recidive filter.
>
> It is not a WordPress site.
>
> - Grant
>
> I recently suffered DoS from a series of 10 sequential IP addresses
> which identified themselves as being associated with a fairly legit
> search engine. fail2ban would have dealt with the problem if a single
> IP address had been used. Can it be made to work in a situation like
> this where a series of sequential IP addresses are in play?

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
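
The token bucket discussed in this thread (burst 4, refilled at 10/min), as an added example that is not part of the original messages: it replays the same traffic through a bucket keyed per source IP and through one keyed per /24, to show how the choice of key decides whether ten sequential addresses are limited as a group. The addresses (documentation range 203.0.113.0/24), the 5-second request interval and the function names are constructed for the illustration.

```python
import ipaddress
from fractions import Fraction


def make_limiter(rate_per_min=10, burst=4, prefix_len=32):
    """Token bucket keyed on the source network of the given prefix length.

    prefix_len=32 gives one bucket per address (the "mode srcip" behaviour);
    prefix_len=24 makes every address in the same /24 share one bucket.
    """
    refill = Fraction(rate_per_min, 60)   # tokens per second, kept exact
    buckets = {}                          # network -> (tokens, last_seen)

    def allow(src_ip, now):
        key = ipaddress.ip_network(f"{src_ip}/{prefix_len}", strict=False)
        tokens, last = buckets.get(key, (Fraction(burst), now))
        # Refill for the elapsed time, never above the burst size.
        tokens = min(Fraction(burst), tokens + (now - last) * refill)
        if tokens >= 1:
            buckets[key] = (tokens - 1, now)
            return True
        buckets[key] = (tokens, now)      # over the limit: caller drops it
        return False

    return allow


def sample_events():
    """Constructed traffic: 10 sequential hosts, one request each every 5 s."""
    hosts = [f"203.0.113.{n}" for n in range(10, 20)]
    return [(t, ip) for t in range(0, 60, 5) for ip in hosts]


def replay(events, **limiter_args):
    """Return how many of the (timestamp, source_ip) events are accepted."""
    allow = make_limiter(**limiter_args)
    return sum(1 for ts, ip in events if allow(ip, ts))


if __name__ == "__main__":
    events = sample_events()
    print("requests sent:      ", len(events))
    print("accepted, per IP:   ", replay(events, prefix_len=32))
    print("accepted, per /24:  ", replay(events, prefix_len=24))
```

Keyed per address, no single host ever exceeds its own bucket, so the whole group passes; keyed per /24, the group shares one burst and one refill rate. iptables' hashlimit match offers `--hashlimit-srcmask` for this kind of prefix grouping.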