>
> >        You don't mention anything about the rate...
> >       Anyway, fail2ban does look at hosts individually ...it doesn't
> >       "lump together stats for requests coming from different IP
> >       addresses".
> >
> >      If this "DOS" attack simply involves -for instance- requests to
> >      legitimate web pages and not attempts to brute force log in to your
> >      website (using - for example - a "dictionary attack") then you are
> >      really talking about an attack that is simply a matter of "rate".
> >      In other words these ten hosts are requesting legitimate web pages
> >      from your site at a very high rate (perhaps tens or hundreds of
> >      requests per second).
> >
> >      If that's the case then the tool for that is apache "mod evasive" -
> >      not fail2ban.
>
>
> Good point.  fail2ban isn't exactly the right tool for this.
>

There appears to be a project but I don't think it's maintained:
https://github.com/XaF/fail2ban-subnets

and there is a Git issue/feature request:
https://github.com/fail2ban/fail2ban/issues/927
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
