> I haven't followed this thread all that closely, so forgive me if this is a
> repeat.
>
> Not a fail2ban solution, but:
>
> Here's a snippet from an iptables config file. The comments should be
> self-explanatory. This applies to all source and destination addresses.
> But you could augment by setting the source and/or destination address(es).
> Perhaps even make a config file where you can list the CIDR blocks for which
> you want the rule to apply, and then use a shell script to generate the
> iptables commands based on the config file.
>
> Michael
>
>
> # TCP DDoS Prevention
> #--------------------------------------------
> # Places an overall rate limit on all connections.
> #
> # Leaky bucket analogy for the 'limit' match:
> # Each match empties the bucket by one token.
> # --limit-burst = size of the bucket
> # --limit = refill rate
> # Example: --limit 3/minute --limit-burst 5
> # For each match, one token is removed from the bucket.
> # After 5 matches (with no refill), the bucket is empty.
> # Every 20 seconds the bucket is refilled with 1 token up to a max of 5.
>
> # Limit total of all new connection attempts to 5/second; burst of 20
> $ipt -A tcp_rate -p tcp -m state --state NEW \
>      -m limit --limit 5/second --limit-burst 20 -j RETURN
> $ipt -A tcp_rate -p tcp -m state --state NEW -j LOG \
>      --log-level debug --log-prefix "IPTables TCP Rate1: "
> $ipt -A tcp_rate -p tcp -m state --state NEW -j DROP
Thank you, but I'm looking for something that will work without specifying
the bad IPs in advance. And if I apply a rule like this to all clients, then
a connection coming from a good client will be just as likely to be dropped
as a connection coming from a bad client.

- Grant

>> > Well, yes, for my apache server I use the mod_evasive plugin. A quick
>> > search on the web seems to indicate that mod_evasive isn't available for
>> > nginx (at least according to this post) but apparently there is an nginx
>> > alternative:
>> >
>> > http://stackoverflow.com/questions/4849094/mod-evasive-for-nginx
>> >
>> > Good luck with it. Installation might seem somewhat daunting at
>> > first but if you find the right instructions it will probably be
>> > straightforward (mod_evasive was).
>>
>>
>> I don't understand how mod_evasive could help when a series of
>> sequential IPs are making too many combined requests but no single IP
>> is making too many requests by itself.
>>
>> - Grant
>>
>>
>> >> > Fail2ban works when the attacker can be distinguished in some way (other
>> >> > than rate) from an ordinary person browsing your site.
>> >> > If these ten hosts aren't attempting a "brute force" or "dictionary"
>> >> > attack, i.e. if they are doing nothing more than requesting web pages
>> >> > (at a fast rate), then fail2ban is probably not the right tool.
>> >>
>> >>
>> >> Any idea what the right tool would be? nginx doesn't seem to have
>> >> anything like that.
>> >>
>> >> - Grant

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
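The situation Grant describes (a run of adjacent source addresses whose combined request rate is excessive while no single address crosses a per-IP threshold) is an aggregation problem: the counter has to be keyed on a network prefix rather than on one host. The script below is an added example, not code from this thread, from fail2ban or from nginx. It parses nginx "combined" access-log lines, counts requests per fixed time window keyed either on the full address (/32) or on its /24, and reports the keys that exceed a threshold. The sample log lines, the 10-second window, the /24 prefix and the threshold of 30 are all constructed assumptions for illustration.

```python
"""Per-prefix request-rate aggregation over nginx access logs (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" format: remote_addr ident user [time_local] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 10/Oct/2016:13:55:36 +0000


def parse_line(line):
    """Return (ip_address, unix_timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
        ts = datetime.strptime(m.group("time"), TIME_FMT).timestamp()
    except ValueError:
        return None
    return ip, ts


def peak_counts(records, prefixlen, window_seconds):
    """Count requests per (network, fixed window) and return {network: highest count in any window}.

    prefixlen=32 is ordinary per-IP counting; prefixlen=24 folds adjacent IPv4 hosts together.
    """
    per_window = defaultdict(int)
    for ip, ts in records:
        if ip.version != 4:
            continue  # IPv6 would need its own prefix length (e.g. /64); out of scope here
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        per_window[(net, int(ts // window_seconds))] += 1
    peaks = {}
    for (net, _window), count in per_window.items():
        peaks[net] = max(peaks.get(net, 0), count)
    return peaks


def offenders(lines, prefixlen, window_seconds, threshold):
    """Networks whose request count in some window exceeded threshold, as (cidr, count), highest first."""
    records = [r for r in (parse_line(line) for line in lines) if r]
    peaks = peak_counts(records, prefixlen, window_seconds)
    hits = [(str(net), n) for net, n in peaks.items() if n > threshold]
    return sorted(hits, key=lambda t: -t[1])


def constructed_log():
    """Constructed sample: ten adjacent hosts in 198.51.100.0/24 each make 8 requests within the
    same 10-second span, plus one ordinary client in 203.0.113.0/24 making 5 requests."""
    lines = []
    for host in range(1, 11):
        for i in range(8):
            lines.append(f'198.51.100.{host} - - [10/Oct/2016:13:55:{30 + i:02d} +0000] '
                         f'"GET /page{i} HTTP/1.1" 200 512 "-" "curl/7.47"')
    for i in range(5):
        lines.append(f'203.0.113.10 - - [10/Oct/2016:13:55:{31 + i:02d} +0000] '
                     '"GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    sample = constructed_log()
    # Per-IP: every host stays at 8 requests per window, nothing exceeds 30.
    print("per /32:", offenders(sample, 32, 10, 30))
    # Per-/24: the ten hosts sum to 80 requests in one window; the ordinary client's /24 stays at 5.
    print("per /24:", offenders(sample, 24, 10, 30))
```

Run against a real log with `offenders(open("/var/log/nginx/access.log"), 24, 10, 30)`; the per-/32 pass comes back empty for the constructed sample while the per-/24 pass returns `198.51.100.0/24` with 80 requests. The output is a candidate list for a rule scoped to that prefix only, which avoids the objection Grant raises to a global limit such as the one in Michael's snippet. The prefix length is the tuning knob: /24 catches sequential hosts but also lumps together unrelated clients behind a shared address block, so the threshold has to be set well above what a busy legitimate /24 produces, and the flagged prefixes are better treated as a review list than an automatic drop.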