Brian J. Murrell <br...@interlinx.bc.ca> wrote:

> The problem is that the rate that these cracking attempts come in is
> overwhelming

Not just for fail2ban! Considering how small the packets are, getting 1/2Mbps of traffic from just one attack is quite a request rate.

> for fail2ban at times and thousands of attempts can come
> through before fail2ban has had time to process them and put the blocks
> in place.

I think latency. At that high rate, there's going to be something of a lag between the request arriving and it going in the log, then fail2ban has to process it, and as you speculate - by the time the ban is in place there's been a good number of attempts. I've seen the same effect with brute-force attempts at WordPress sites.

> Tangentially I also find that the blocking that fail2ban puts in place
> to be ineffective at times. I'm not sure if I'm seeing the blocking
> fail or if I am just seeing the latency of all the processing but I
> continue to see fail2ban logging the attempts after the block has been
> added.

The other consideration is whether the packets are already associated with a connection - in which case it needs care to drop packets from established connections as well as new ones.

At work we don't have roaming users, just a few working from home. So I block all SIP traffic and only permit certain address blocks - you soon learn just how many ranges some ISPs have! It's cut out all the attacks since it's only 2 or 3 UK ISPs in the list.

As an alternative, have you considered port-knocking? There's support in Shorewall IIRC, and over at Nerd Vittles they've covered it as well as part of the PBXinaFlash project.
http://nerdvittles.com

As well as port knocking, Nerd Vittles have also covered techniques like accessing a web page with a key that then enables access from that IP for SIP.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
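
An added illustration, not part of the original message and not fail2ban's or Shorewall's own code: a simplified model of the log-to-ban lag discussed in the message above, next to the address-block allowlist it describes. The request rate, the lag, the addresses (documentation ranges) and the function names are constructed assumptions; `maxretry` and `findtime` are used only as model parameters.

```python
import ipaddress

# Constructed stand-in for the permitted ISP address blocks (assumption).
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

def flood(src, rate_per_s, duration_s):
    """Constructed attack traffic: evenly spaced attempts, timestamps in ms."""
    return [(i * 1000 // rate_per_s, src) for i in range(rate_per_s * duration_s)]

def attempts_reaching_service(events, maxretry, findtime_ms, lag_ms):
    """Model a log-driven banner.

    A source is banned after `maxretry` failures within `findtime_ms`, but the
    firewall rule only takes effect `lag_ms` after the triggering attempt
    (logging delay + log parsing + rule insertion).
    `events` is a time-sorted list of (timestamp_ms, src_ip).
    Returns {src_ip: attempts that reached the service}.
    """
    recent = {}   # src -> failure timestamps still inside the window
    ban_at = {}   # src -> time at which the block is actually in place
    reached = {}
    for ts, src in events:
        if src in ban_at and ts >= ban_at[src]:
            continue  # rule is active: packet dropped before the service
        reached[src] = reached.get(src, 0) + 1
        window = [t for t in recent.get(src, []) if ts - t <= findtime_ms]
        window.append(ts)
        recent[src] = window
        if src not in ban_at and len(window) >= maxretry:
            ban_at[src] = ts + lag_ms
    return reached

def allowlist_filter(events, nets=ALLOWED_NETS):
    """Static allowlist: only sources inside the permitted blocks get through,
    so nothing depends on how fast logs are processed."""
    return [(ts, src) for ts, src in events
            if any(ipaddress.ip_address(src) in net for net in nets)]

if __name__ == "__main__":
    attack = flood("203.0.113.7", rate_per_s=500, duration_s=10)
    for lag in (0, 500, 2000):
        hits = attempts_reaching_service(attack, 5, 600_000, lag)
        print(f"lag {lag:>4} ms: {hits['203.0.113.7']} attempts reached the service")
    print("with allowlist:", len(allowlist_filter(attack)), "attempts reached the service")
```

In this model the number of attempts that get through grows roughly as request rate times lag, while the allowlist result is independent of both.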