On Sun 10 Nov 2019 at 11:01:07 +0100, Michael wrote:
> On Saturday, November 9, 2019 7:01:00 PM CET, Gene Heskett wrote:
>
> > I was able, with the help of another responder, to carve up some iptables
> > rules to stop the DDOS that semrush, yandex, bingbot, and 2 or 3 others
> > were bound to do to me.
>
> using iptables directly is fine, because you get your results fast, but it
> lacks some advantages over fail2ban, which i think outweigh the simplicity
> of iptables:
> - with iptables you have to scan your log regularly for misbehaving or
> unwanted clients, whereas fail2ban does this automatically, constantly (!),
> and based on rules. from time to time these rules have to be adapted, since
> bots are evolving, but i think it's still less trouble than looking at log
> files every day or so.
> - fail2ban allows you to block only specific ports, in your case maybe 80
> and/or 443 for the web server.
> - you have to remember which ip address you blocked, why and for how long
> you want to block them. fail2ban does that for you.
> - ... (too lazy right now to write more)
This accords with my understanding of fail2ban with exim. I use it to keep the logs clean and it is very effective. Offenders are banned for a year, although I do wonder sometimes whether this length of time is a little over the top. I also wonder whether, as the banned list builds up, there is a noticeable effect on the machine's resources.

-- 
Brian.
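As an added example (not posted by anyone in this thread), a jail.local fragment that puts the points above into fail2ban configuration: an exim jail that bans only the mail ports, a one-year bantime like Brian's, and an ipset-backed ban action so that a long-lived ban list does not turn into one iptables rule per address. The log path assumes a Debian-style exim4 install and the thresholds are illustrative.

```ini
# Added example, not from the thread: fragment of /etc/fail2ban/jail.local.
# Assumes Debian's exim4 log location; adjust logpath for other layouts.
[DEFAULT]
# Keep banned addresses in an ipset rather than as individual iptables
# rules, so lookup cost stays flat as the ban list grows over a year.
banaction          = iptables-ipset-proto6
banaction_allports = iptables-ipset-proto6-allports

[exim]
enabled  = true
# fail2ban ships this filter; it matches exim's authentication and
# relay rejections in mainlog.
filter   = exim
logpath  = /var/log/exim4/mainlog
# Block only the mail ports, not every service on the host.
port     = smtp,465,submission
# Illustrative thresholds: 5 matches within one hour trigger a ban.
maxretry = 5
findtime = 3600
# One year, given in seconds so older fail2ban releases that do not
# understand the "1y" abbreviation still parse it.
bantime  = 31536000
```

Check the resulting set with `fail2ban-client status exim` and `ipset list`, which also shows how large the ban list has actually grown.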