I haven't followed this thread all that closely, so forgive me if this is a
repeat.
Not a fail2ban solution, but:
Here's a snippet from an iptables config file. The comments should be
self-explanatory. This applies to all source and destination addresses.
But you could augment by setting the source and/or destination address(es).
Perhaps even make a config file where you can list the CIDR blocks for which
you want the rule to apply, and then use a shell script to generate the
iptables commands based on the config file.
Michael
# TCP DDoS Prevention
#--------------------------------------------
# Places an overall rate limit on all connections.
#
# Leaky bucket analogy for the 'limit' match:
# Each match empties the bucket by one token.
# --limit-burst = size of the bucket
# --limit = refill rate
# Example: --limit 3/minute --limit-burst 5
# For each match, one token is removed from the bucket.
# After 5 matches (with no refill), the bucket is empty.
# Every 20 seconds the bucket is refilled with 1 token up to a max of 5.
# Limit total of all new connection attempts to 5/second; burst of 20
$ipt -A tcp_rate -p tcp -m state --state NEW \
-m limit --limit 5/second --limit-burst 20 -j RETURN
$ipt -A tcp_rate -p tcp -m state --state NEW -j LOG \
--log-level debug --log-prefix "IPTables TCP Rate1: "
$ipt -A tcp_rate -p tcp -m state --state NEW -j DROP
> -----Original Message-----
> From: Grant [mailto:[email protected]]
> Sent: Thursday, December 29, 2016 8:29 AM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [Fail2ban-users] fail2ban for a range of IPs
>
> > Well, yes, for my apache server I use the mod_evasive plugin. A quick
> > search on the web seems to indicate that mod_evasive isn't available for
> > nginx (at least according to this post) but apparently there is an nginx
> > alternative:
> >
> > http://stackoverflow.com/questions/4849094/mod-evasive-for-nginx
> >
> > Good luck with it. Installation might seem somewhat daunting at
> > first but if you find the right instructions it will probably be
> > straightforward (mod_evasive was).
>
>
> I don't understand how mod_evasive could help when a series of
> sequential IPs are making too many combined requests but no single IP
> is making too many requests by itself.
>
> - Grant
>
>
> >> > Fail2ban works when the attacker can be distinguished in some way
> >> > (other than rate) from an ordinary person browsing your site.
> >> > If these ten hosts aren't attempting a "brute force" or "dictionary"
> >> > attack, i.e. if they are doing nothing more than requesting web pages
> >> > (at a fast rate), then fail2ban is probably not the right tool.
> >>
> >>
> >> Any idea what the right tool would be? nginx doesn't seem to have
> >> anything like that.
> >>
> >> - Grant
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
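
The config-file idea from Michael's message (list the CIDR blocks, generate the iptables commands with a shell script), as an added example that is not part of the original message. `$ipt` and the `tcp_rate` chain come from the snippet; the list format, the function names and the jump from `INPUT` are assumptions, and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example: turn a list of CIDR blocks into jump rules for the tcp_rate chain.
# Rules are printed, not executed, so they can be reviewed before loading.

# valid_cidr4 ADDR/PREFIX: succeeds only for a well-formed IPv4 CIDR block.
valid_cidr4() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $addr                       # split the address into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_rules FILE [CHAIN]: print one rule per valid block listed in FILE.
# Blank lines and '#' comments are ignored; bad entries are reported on
# stderr and skipped, so a typo never becomes a rule.
gen_rules() {
    chain=${2:-tcp_rate}
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # drop whitespace
        [ -n "$line" ] || continue
        if valid_cidr4 "$line"; then
            # Assumption: the chain is entered from INPUT.
            printf '$ipt -A INPUT -p tcp -s %s -j %s\n' "$line" "$chain"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done < "$1"
}

# Constructed sample list using documentation address ranges.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# blocks that should be rate limited
192.0.2.0/24
198.51.100.0/28   # constructed example range
203.0.113.300/24
not-a-cidr
EOF
gen_rules "$sample"
rm -f "$sample"
```

Only traffic from the listed blocks is sent through the shared limit, so the combined connection rate of a whole range is capped even when no single address exceeds it.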