On Monday, 4 April 2022 12:03:59 EDT to...@tuxteam.de wrote:
> On Mon, Apr 04, 2022 at 11:51:47AM -0400, gene heskett wrote:
>
> [...]
>
> > I'd be watching the logs for the src address, and the 2nd time I saw
> > the same address, add it to my iptables drop recipe. voila! [...]
>
> That's what fail2ban does for you. Only that it looks at many logs in
> parallel (your ssh, your mail server, etc.) and that it NEVER SLEEPS.
> (No, seriously ;-)
>
> Another advantage is that it can un-ban addresses after a while, so
> that (a) your iptables don't grow without limits and (b) IP addresses
> get a second chance (useful in the case they land in the hands of
> an admin with a clue).
>
> Since those attacks are pretty well distributed since a while (meaning
> that they come from many random IPs), the real question is: do the
> IPs repeat sufficiently to justify the (manual or automated) effort?
>
> If an IP only repeats after, say, 10^4 or 10^5 attempts, I'd say "nah".
> I'll check that, perhaps next weekend. Perhaps I'll post my conclusion
> here, who knows :)

One of the things I've noted about bullseye is that apache2 is no longer generating the "other" logs like it did for stretch for many years. That was where all the bots wound up and I'm guessing there must be north of 50 of them active at any one time. They move the address about once a month so folks checking addresses and blocking an address are worked around, but some I figured out had a good sized CIDR so a few got a /16 treatment, and one or two even got a /8 block.

These are the bots that will mirror your site and burn up your upload bandwidth because the instant they get to the end, they start over at the top. It's my bandwidth they're burning up by ignoring my robots text. Not theirs to abuse, they've already paid for terabytes a minute. But to me on a budget 10 megabit circuit, it's a killer and I don't care how many kittens I kill but I will stop them.

Since that pair of identical 2T drives failed, shingled drives I suspect, I no longer have a web page, my whole /opt dir is now nearly empty and I did have 2 or 3 hundred gigs of stuff there. While it would be nice to publish some of my output again, it may not happen in what's left of my watch. Apache2 is running, but does not now have anything to serve. I can regenerate some of it, perhaps 1% of it related to running big machinery with a pi mostly related to LinuxCNC, but we have some good news from Debian: LinuxCNC is now in unstable, and probably will be in bookworm when it's official.

Take care and stay well Tomas.

> Cheers
> --
> t

Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
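
Added example, not part of either message: a replay of the ban and un-ban policy described in the quoted reply over a few constructed sshd log lines, counting how many attempts a repeat-based ban would actually have stopped. The log format (ISO timestamps), the documentation-range addresses and the parameter names `maxretry`, `findtime_s` and `bantime_s` are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (RFC 5737 documentation addresses, ISO timestamps assumed).
SAMPLE_LOG = """\
2022-04-04T10:00:00 host sshd[1]: Failed password for root from 203.0.113.5 port 4000 ssh2
2022-04-04T10:00:30 host sshd[2]: Failed password for invalid user admin from 198.51.100.7 port 4001 ssh2
2022-04-04T10:01:00 host sshd[3]: Failed password for root from 203.0.113.5 port 4002 ssh2
2022-04-04T10:02:00 host sshd[4]: Failed password for root from 203.0.113.5 port 4003 ssh2
2022-04-04T10:30:00 host sshd[5]: Failed password for root from 203.0.113.5 port 4004 ssh2
2022-04-04T10:45:00 host sshd[6]: Failed password for invalid user admin from 198.51.100.7 port 4005 ssh2
2022-04-04T11:30:00 host sshd[7]: Failed password for root from 203.0.113.5 port 4006 ssh2
2022-04-04T11:31:00 host sshd[8]: Accepted publickey for gene from 192.0.2.10 port 4007 ssh2
"""

FAILED = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

def simulate(log_text, maxretry=2, findtime_s=600, bantime_s=3600):
    """Replay an unfiltered log and count what a repeat-based ban would have dropped."""
    findtime, bantime = timedelta(seconds=findtime_s), timedelta(seconds=bantime_s)
    recent = defaultdict(deque)      # ip -> failure times still inside findtime
    banned_until = {}                # ip -> moment the ban is lifted
    stats = {"attempts": 0, "blocked": 0, "bans": 0}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        stats["attempts"] += 1
        if ip in banned_until:
            if ts < banned_until[ip]:
                stats["blocked"] += 1    # the drop rule would have eaten this one
                continue
            del banned_until[ip]         # ban expired: the address gets a second chance
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:      # forget failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned_until[ip] = ts + bantime
            stats["bans"] += 1
            q.clear()
    return stats

if __name__ == "__main__":
    print(simulate(SAMPLE_LOG))
```

On a real log, the ratio of `blocked` to `attempts` is the figure the quoted reply asks about: whether addresses repeat often enough to justify banning.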