On 2/5/21 6:57 AM, William Kenworthy wrote:
> Use fail2ban to target active abusers using your logs. (recommended)

I've had extremely good luck using Fail2Ban in a distributed
configuration* such that when one of my servers bans an IP, my other
servers also (almost) immediately ban the same IP.
*I'm using Fail2Ban's (null / reject) "route" option. I have BGP
sessions between my servers synchronizing the banned routes.

> Leverage the cloud with something like:
> http://iplists.firehol.org/?ipset=firehol_level1 (loaded to shorewall
> with ipset:hash) to preemptively ban via blacklists - recommended.
> There are many good blacklists out there - this one is a meta-list
> and has fast and responsive updates.

That's an option.
I personally have some trouble swallowing the pill that is other
people's ban lists. -- It's one thing with adding to a spam score.
It's another when IPs are out and out blocked.
Aside: Make use of Fail2Ban's ignore feature to white list (or ignore
problems from) known good IPs.

> Snort (in IDS mode triggering a fail2ban rule) is a bit heavier
> resource-wise but quite useful. Snort in IPS mode is better, but it
> can impact throughput. (if you are commercial, consider a licence to
> get the latest rules as soon as they are created/needed.)

Another option in the same vein is to use the IPTables variants of the
Snort rules.
--
Grant. . . .
unix || die
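The concern raised above, that a third-party blocklist can block ranges you never meant to block, is easiest to handle by filtering the list against your own ignore list before it ever reaches ipset. The script below is an added example written for this thread; it is not code from fail2ban, FireHOL or shorewall. It assumes FireHOL's plain-text list format (one IP or CIDR per line, '#' comments) and uses a constructed sample list, a made-up set name and hypothetical ignore ranges (your own prefix plus RFC1918 space). It emits `ipset restore` input that builds the set in a temporary set and swaps it in, so the live set is never half-loaded.

```python
"""Turn a FireHOL-style blocklist into `ipset restore` input, skipping any
entry that overlaps an operator-maintained ignore list.

Added example for this thread; not code from fail2ban, FireHOL or shorewall.
Assumptions: FireHOL text format (one IP/CIDR per line, '#' comments);
the set name and ignore ranges below are hypothetical."""
import ipaddress

# Constructed sample in FireHOL's list format (not real list contents).
SAMPLE_LIST = """\
# firehol_level1 style sample (constructed)
1.2.3.0/24
5.6.7.8
10.0.0.0/8          # RFC1918 - must never reach the firewall
203.0.113.0/24
203.0.113.77
not-an-address
"""

# Ranges that must never be blackholed: our own prefix (hypothetical)
# plus RFC1918 space. This mirrors fail2ban's ignoreip idea for ipset.
IGNORE_NETS = ["203.0.113.64/26", "10.0.0.0/8",
               "192.168.0.0/16", "172.16.0.0/12"]


def parse_list(text):
    """Yield ip_network objects from FireHOL text, dropping junk lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # malformed entry: safer to drop than to guess


def filter_list(nets, ignore):
    """Split nets into (kept, dropped); dropped = overlaps an ignore net."""
    ignore_nets = [ipaddress.ip_network(i) for i in ignore]
    kept, dropped = [], []
    for n in nets:
        if any(n.overlaps(i) for i in ignore_nets):
            dropped.append(n)
        else:
            kept.append(n)
    return kept, dropped


def ipset_restore(setname, nets):
    """Render `ipset restore` input that fills a temp set and swaps it in."""
    tmp = setname + "_tmp"
    lines = [f"create {setname} hash:net -exist",
             f"create {tmp} hash:net -exist",
             f"flush {tmp}"]
    lines += [f"add {tmp} {n.with_prefixlen}" for n in nets]
    lines += [f"swap {tmp} {setname}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


def build(text=SAMPLE_LIST, ignore=IGNORE_NETS, setname="firehol_level1"):
    """Return (restore script, kept nets, dropped nets) for a list."""
    kept, dropped = filter_list(parse_list(text), ignore)
    return ipset_restore(setname, kept), kept, dropped


if __name__ == "__main__":
    script, kept, dropped = build()
    print(script)
    print("# dropped (overlap ignore list):", [str(n) for n in dropped])
```

In practice you would feed the downloaded list and your real ignore ranges to `build()` and pipe the result into `ipset restore`; logging the dropped entries is worth keeping, since a list that starts shipping ranges you have to filter out is a signal to reconsider trusting it.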