On 02.03.2015 at 18:56, Robert Schetterer wrote:
> perhaps and i mean really "perhaps" go this way
>
> https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
> https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/
>
> 45K+ IPs will work in a recent table
> i have them too but for smtp only
> like
>
> echo 10000000 > /sys/module/xt_recent/parameters/ip_list_tot
>
> combine with geoip might be a good idea too
> is ultra faster than fail2ban cause no log file parsing is needed
>
> or another idea you might test, configure a syslog filter
> pumping in a recent table the direct way

that is all nice but the main benefit of RBLs is always ignored:

* centralized
* no log parsing at all
* honeypot data are "delivered" to any host
* it's cheap
* it's easy to maintain
* it doesn't need any root privileges anywhere

we have a small honeypot network with a couple of ipranges detecting mass port-scans and so on and this data are available *everywhere*

so if some IP hits there it takes 60 seconds and any service supporting DNS blacklists can block them *even before* the bot hits the real mailserver at all
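
Added example, not part of the original message or of the poster's setup: how a service consults a DNS blacklist of the kind described above, using the query layout from RFC 5782. The zone name dnsbl.example.org, the function names and the sample zone data are assumptions constructed for illustration.

```python
import ipaddress
import socket

ZONE = "dnsbl.example.org"  # placeholder zone (assumption), not a real list


def dnsbl_query_name(ip, zone=ZONE):
    """Build the DNSBL lookup name for an address (RFC 5782 layout)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))            # reversed octets
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # reversed nibbles
    return ".".join(labels) + "." + zone


def system_resolver(name):
    """Return the A records for name, or [] on NXDOMAIN or lookup failure.

    A failed lookup is treated as "not listed", so a DNS outage fails open.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def is_listed(ip, zone=ZONE, resolve=system_resolver):
    """True only when the zone answers with an address in 127.0.0.0/8.

    Answers outside that range (for example from a resolver that rewrites
    NXDOMAIN) are ignored rather than counted as a listing.
    """
    answers = resolve(dnsbl_query_name(ip, zone))
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in loopback for a in answers)


# Constructed zone data standing in for entries published from honeypot hits.
SAMPLE_ZONE = {"99.2.0.192.dnsbl.example.org": ["127.0.0.2"]}


def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.99", "198.51.100.7"):
        state = "listed" if is_listed(ip, resolve=sample_resolver) else "clean"
        print(ip, state)
```

The lookup is a single DNS query made by the service itself, so the host doing the check needs neither log access nor root.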