On 12/10/2021 02:02 PM, Robert Kudyba wrote:
>
> > You don't mention anything about the rate...
> > Anyway, fail2ban does look at hosts individually ...it doesn't
> > "lump together stats for requests coming from different IP
> > addresses".
> >
> > If this "DOS" attack simply involves -for instance- requests to
> > legitimate web pages and not attempts to brute force log in to your
> > website (using - for example - a "dictionary attack") then you are
> > really talking about an attack that is simply a matter of "rate".
> > In other words these ten hosts are requesting legitimate web pages
> > from your site at a very high rate (perhaps tens or hundreds of
> > requests per second).
> >
> > If that's the case then the tool for that is apache "mod evasive" -
> > not fail2ban.
>
>
> Good point. fail2ban isn't exactly the right tool for this.
>
>
> There appears to be a project but I don't think it's maintained:
> https://github.com/XaF/fail2ban-subnets
>
> and there is a Git issue/feature request:
> https://github.com/fail2ban/fail2ban/issues/927
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

In my case I need to ban subnets of various sizes that are trying to brute-force ssh access. I manually identify subnets based on log file perusal, which is not a problem, so I do not need automatic identification. Nice but not required to start with. It would be great if the ability to ban a subnet of any specification could be added to fail2ban!
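
Added example, not part of the original message and not fail2ban code: a Python sketch of the manual "log file perusal" step described above, grouping failed SSH logins by subnet to show networks that a per-host counter never bans. The function names, thresholds, /24 default and sample log lines are assumptions constructed for illustration, and the time window (fail2ban's findtime) is ignored.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# OpenSSH "Failed password" line; group 1 is the source address.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Dec 10 13:58:02 host1 sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Dec 10 13:58:09 host1 sshd[4123]: Failed password for root from 203.0.113.9 port 51820 ssh2
Dec 10 13:58:15 host1 sshd[4125]: Failed password for root from 203.0.113.77 port 33910 ssh2
Dec 10 13:58:21 host1 sshd[4127]: Failed password for invalid user test from 203.0.113.200 port 42001 ssh2
Dec 10 13:58:30 host1 sshd[4129]: Failed password for root from 203.0.113.5 port 40118 ssh2
Dec 10 13:58:37 host1 sshd[4131]: Failed password for invalid user oracle from 203.0.113.9 port 51833 ssh2
Dec 10 13:59:01 host1 sshd[4140]: Failed password for root from 198.51.100.23 port 60001 ssh2
Dec 10 13:59:03 host1 sshd[4142]: Failed password for root from 198.51.100.23 port 60007 ssh2
Dec 10 13:59:05 host1 sshd[4144]: Failed password for root from 198.51.100.23 port 60012 ssh2
Dec 10 13:59:40 host1 sshd[4150]: Accepted password for deploy from 192.0.2.10 port 50022 ssh2
"""

def failures_by_subnet(lines, prefix=24):
    """Return {IPv4Network: Counter({host: failures})} for failed SSH logins."""
    nets = defaultdict(Counter)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # not an IPv4 address; skipped in this sketch
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        nets[net][str(addr)] += 1
    return nets

def subnets_to_review(lines, maxretry=3, subnet_limit=5, prefix=24):
    """Subnets whose combined failures reach subnet_limit although no single
    host reaches maxretry, i.e. traffic a per-host counter never bans."""
    hits = []
    for net, hosts in failures_by_subnet(lines, prefix).items():
        total = sum(hosts.values())
        if total >= subnet_limit and max(hosts.values()) < maxretry:
            hits.append((str(net), total, len(hosts)))
    return sorted(hits)

if __name__ == "__main__":
    for net, total, hosts in subnets_to_review(SAMPLE_LOG.splitlines()):
        print(f"{net}: {total} failures from {hosts} hosts, none reaching maxretry")
```

The single host 198.51.100.23 reaches the per-host threshold and is left to the ordinary per-address ban, so only the distributed subnet is reported for manual review.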