On Sunday 10 November 2019 14:37:58 Brian wrote: > On Sun 10 Nov 2019 at 10:26:17 -0800, Kushal Kumaran wrote: > > Brian <a...@cityscape.co.uk> writes: > > > On Sun 10 Nov 2019 at 11:01:07 +0100, Michael wrote: > > >> On Saturday, November 9, 2019 7:01:00 PM CET, Gene Heskett wrote: > > >> > I was able, with the help of another responder to carve up some > > >> > iptables rules to stop the DDOS that semrush, yandex, bingbot, > > >> > and 2 or 3 others were bound to do to me. > > >> > > >> using iptables directly is fine, because you get your results > > >> fast, but it lacks some advantages over fail2ban, which i think > > >> outweigh the simplicity of iptables: > > >> - whith iptables you have to scan your log regularly for > > >> misbehaving or unwanted clients, whereas fail2ban does this > > >> automatically, constantly (!), and based on rules. from time to > > >> time these rules have to be adapted, since bots are evolving, but > > >> i think it's still less trouble than looking at log files every > > >> day or so. > > >> - fail2ban allows you to block only specific ports, in your case > > >> maybe 80 and/or 443 for the web server. > > >> - you have to remember which ip address you blocked, why and for > > >> how long you want to block them. fail2ban does that for you. > > >> - ... (too lazy right now to write more) > > > > > > This accords with my understanding of failtoban with exim. I use > > > it to keep the logs clean and it is very effective. Offenders are > > > banned for a year, although I do wonder sometimes whether this > > > length of time is a little over the top. I also wonder whether, as > > > the banned list builds up, there is a noticable affect on the > > > machine's resources. > > > > Probably. But you have to balance that against the resources > > required if you let the connection through to exim (or whatever > > service you're protecting). iptables (even with a few hundred > > rules) is likely to be more efficient than exim. > > Thank you for that, Kushal. I see your point. It is indeed efficiency, > not security, I am after. > > > One thing you could try is to examine the iptables rule counters > > daily/weekly. If the counters do not increase during some interval, > > then the rule is no longer useful to you, so you could delete it. > > This should be fairly straightforward to automate, but I don't know > > if someone has already built this tooling. > > I hardly use iptables, so this is the first I have heard about rule > counters. I'll work something out to accomodate it.
This is something I've been looking at/for, is something that can take this report. And something that has not had a hit in say a month, should be removed. #> iptables -L -nv --line-numbers Chain INPUT (policy ACCEPT 2785K packets, 28G bytes) num pkts bytes target prot opt in out source destination 1 0 0 DROP all -- * * 73.229.203.175 0.0.0.0/0 2 0 0 DROP all -- * * 77.88.5.200 0.0.0.0/0 3 0 0 DROP all -- * * 66.249.64.226 0.0.0.0/0 4 0 0 DROP all -- * * 40.77.167.82 0.0.0.0/0 5 0 0 DROP all -- * * 111.225.149.199 0.0.0.0/0 6 0 0 DROP all -- * * 40.77.167.142 0.0.0.0/0 7 4 240 DROP all -- * * 220.243.136.25 0.0.0.0/0 8 424 25440 DROP all -- * * 46.229.168.146 0.0.0.0/0 9 3 180 DROP all -- * * 141.8.143.160 0.0.0.0/0 10 4 240 DROP all -- * * 111.225.148.159 0.0.0.0/0 11 72 4320 DROP all -- * * 46.229.168.134 0.0.0.0/0 12 32 1920 DROP all -- * * 46.229.168.137 0.0.0.0/0 13 4 240 DROP all -- * * 111.225.148.49 0.0.0.0/0 14 0 0 DROP all -- * * 220.243.136.54 0.0.0.0/0 15 0 0 DROP all -- * * 110.249.202.57 0.0.0.0/0 16 740 44400 DROP all -- * * 111.225.149.0/24 0.0.0.0/0 17 711 42660 DROP all -- * * 110.249.201.0/24 0.0.0.0/0 18 658 39480 DROP all -- * * 110.249.202.0/24 0.0.0.0/0 19 608 36480 DROP all -- * * 111.225.148.0/24 0.0.0.0/0 20 552 33120 DROP all -- * * 46.229.168.0/24 0.0.0.0/0 21 78 3744 DROP all -- * * 157.55.39.0/24 0.0.0.0/0 22 178 10680 DROP all -- * * 220.243.135.0/24 0.0.0.0/0 23 530 32044 DROP all -- * * 109.95.253.0/24 0.0.0.0/0 This collection is over less than a week, but looks as if the first 6 could be dropped, but I'd do this monthly in case they have a weekly new ip that some like bingbot, yandex, and semrush are using now, along with bytespider. The log that caused that to be generated was started at the same time I reinstalled apache2 and started applying iptables rules to block the jerks, is now 376211 entries long. Cheers, Gene Heskett -- "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) If we desire respect for the law, we must first make the law respectable. - Louis D. Brandeis Genes Web page <http://geneslinuxbox.net:6309/gene>
