If you have thousands of blocked IP addresses, fail2ban's ipset action is desirable.

Some attacks initiate tens of connections at the same time, so that although fail2ban bans the address, your system has to handle all of them because they have already connected. You can mitigate this by limiting the number of connections within a certain time frame. Look into iptables' rate limiting:

ACCEPT .... multiport dports 25,465,587 limit: up to 10/min burst 4 mode srcip /* mail - unknown */

followed by a DROP of those ports.

Another approach is to limit the addresses allowed to connect with iptables' GeoIP. For example, only allow SSH connects from your country. Or conversely, drop all traffic from known bad countries.

You could block one or more entire subnets (93.184.216.0/24) in iptables.

Bill

On 9/22/2019 6:09 PM, James Moe via Fail2ban-users wrote:
fail2ban 0.10.3
opensuse 15.0

We use suricata to detect and optionally block bad actors. We recently set up a DNS server for a new domain. Said bad actors started abusing the server within a day with the DoS DNS Amplification attack. Suricata is set to block those packets. To ease the burden on Suricata, which can be a CPU-intensive protection, I created a jail to feed back detected DNS attacks.

The attacks are tightly controlled from a large botnet; an attempt occurs almost precisely every 60 seconds. After 5 days of collecting IPs to block, the count has exceeded 10,000, and there is no change in the attack rate, implying excellent CnC and lots of IPs. iptables does not seem to find this troublesome.

So. Is this a case where fail2ban is not an especially useful solution to the problem? Or are 1000s of blocked IPs not uncommon?
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
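As an added example (not code from the thread or from the fail2ban project), the mitigations Bill describes written out as iptables/ipset commands: the per-source hashlimit rule on the mail ports followed by a DROP, a whole-subnet block, and a single ipset-backed DROP rule of the kind fail2ban's ipset actions (banaction = iptables-ipset-proto6 in jail.local) maintain. The INPUT chain, the hashlimit name mail-unknown, the set name f2b-dns, the conntrack NEW match and the 600 s set timeout are assumptions; the script prints the commands unless APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the iptables/ipset commands for
# the mitigations discussed (dry run); set APPLY=1 to execute them as root.
MAIL_PORTS="25,465,587"
SET_NAME="f2b-dns"   # assumed set name; fail2ban's ipset actions create their own

# Print a command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Per-source-IP rate limit on the mail ports: accept up to 10 new connections
# per minute with a burst of 4, then drop the excess. This is the rule behind
# the "limit: up to 10/min burst 4 mode srcip" listing in the reply; the
# conntrack NEW match (assumed) counts connection attempts, not every packet.
mail_rate_limit_rules() {
    run iptables -A INPUT -p tcp -m multiport --dports "$MAIL_PORTS" \
        -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name mail-unknown --hashlimit-mode srcip \
        --hashlimit-upto 10/min --hashlimit-burst 4 \
        -m comment --comment mail-unknown -j ACCEPT
    run iptables -A INPUT -p tcp -m multiport --dports "$MAIL_PORTS" \
        -m conntrack --ctstate NEW -j DROP
}

# Drop an entire subnet, e.g. block_subnet 93.184.216.0/24
block_subnet() {
    run iptables -I INPUT -s "$1" -j DROP
}

# One ipset-backed DROP rule covers any number of banned addresses with a
# single hash lookup, which is why ipset scales better than one iptables
# rule per IP once the ban list reaches thousands of entries.
dns_ipset_rules() {
    run ipset -exist create "$SET_NAME" hash:ip timeout 600
    run iptables -I INPUT -p udp --dport 53 -m set --match-set "$SET_NAME" src -j DROP
}

# Add one address to the set (what the ban action does per detected hit).
ban_ip() {
    run ipset -exist add "$SET_NAME" "$1"
}

mail_rate_limit_rules
dns_ipset_rules
block_subnet 93.184.216.0/24
```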
