On 02.03.2015 at 18:56, Robert Schetterer wrote:
perhaps and i mean really "perhaps" go this way

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

45K+ IPs will work in a recent table
i have them too but for smtp only like

echo 10000000 > /sys/module/xt_recent/parameters/ip_list_tot

combine with geoip might be a good idea too

is ultra faster than fail2ban because no log file parsing is needed

or another idea
you might test, configure a syslog filter pumping in a recent table the
direct way

that is all nice

but the main benefit of RBL's is always ignored:

* centralized
* no log parsing at all
* honeypot data are "delivered" to any host
* it's cheap
* it's easy to maintain
* it doesn't need any root privileges anywhere

we have a small honeypot network with a couple of IP ranges detecting mass port-scans and so on and this data is available *everywhere*

so if some IP hits there it takes 60 seconds and any service supporting DNS blacklists can block them *even before* the bot hits the real mailserver at all
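To show what "any service supporting DNS blacklists" actually does with such a list, here is an added example (not code from either poster): it builds the reversed-octet DNSBL query name, treats only 127.0.0.0/8 answers as a listing, and runs the RFC 5782 sanity check (127.0.0.2 listed, 127.0.0.1 not) before trusting a zone. The zone name `dnsbl.example.net` and the in-memory demo zone are constructed placeholders; the resolver is injectable so the demo runs offline.

```python
import ipaddress
import socket

# Constructed placeholder zone; substitute the DNSBL zone you really query.
EXAMPLE_ZONE = "dnsbl.example.net"
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: IPv4 octets reversed (RFC 5782), IPv6 as
    reversed nibbles, followed by the blacklist zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(str(addr).split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def system_resolve(name: str):
    """Default resolver: A record via the system resolver, None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_lookup(ip: str, zone: str = EXAMPLE_ZONE, resolve=system_resolve):
    """Return the 127.0.0.x answer if the IP is listed, else None. Answers
    outside 127.0.0.0/8 mean a wildcarding or hijacked resolver, not a
    listing, so they are ignored rather than turned into a block."""
    answer = resolve(dnsbl_query_name(ip, zone))
    try:
        listed = answer is not None and ipaddress.ip_address(answer) in LISTING_RANGE
    except ValueError:  # resolver returned something that is not an address
        listed = False
    return answer if listed else None


def zone_sanity_ok(zone: str = EXAMPLE_ZONE, resolve=system_resolve) -> bool:
    """RFC 5782 health check: a live, honest zone lists 127.0.0.2 and does
    not list 127.0.0.1. Do not block on a zone that fails this."""
    return (dnsbl_lookup("127.0.0.2", zone, resolve) is not None
            and dnsbl_lookup("127.0.0.1", zone, resolve) is None)


if __name__ == "__main__":
    # Constructed in-memory zone standing in for real DNS, so this runs offline.
    demo_zone = {"2.0.0.127." + EXAMPLE_ZONE: "127.0.0.2",
                 "10.2.0.192." + EXAMPLE_ZONE: "127.0.0.2"}
    for client in ("192.0.2.10", "198.51.100.7"):
        print(client, dnsbl_lookup(client, EXAMPLE_ZONE, demo_zone.get) or "not listed")
```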
