You should be able to address this with the INPUT chain of iptables. Here is
my smtp entry:
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 limit: up to 10/min
Sorry, perhaps I answered too quickly...
Fail2ban works when the attacker can be distinguished in some way (other
than rate) from an ordinary person browsing your site.
If these ten hosts aren't attempting a "brute force" or "dictionary"
attack ... i.e. if they are doing nothing more than requesting
Denial of Service would mean that other hosts attempting to access your
site would not be able to access it because of what these ten sequential
hosts were doing. If "it wasn't more than a few requests per second
over a sustained period of time", then a normal server running - for
example
> "Suffered a DOS from a series of 10 sequential IP addresses..." doesn't
> tell us any information at all.
>
> Ten sequential hosts accessing a website does not constitute a DOS. You
> would have to say something about the rate.
I didn't think a DoS had to be malicious. It wasn't more than a
> Well I certainly use it to defend from that kind of attack all the time.
> Can you give us some idea of the rate (ie: how many requests per
> second)? Also, for that kind of attack it's important to be using the
> recidive filter. By any chance is it a WordPress site?
How do you do that?
>In this entire thread you haven't mentioned what your "scenario"
>is. All you say is "DOS". What is your scenario?
I'm not sure why you'd say that. I started off with:
"I recently suffered DoS from a series of 10 sequential IP addresses
which identified themselves as being