>>>>> "M" == Mike <[email protected]> writes:

M> I'm seeing botnets that operate from hundreds, if not thousands of
M> distinct IP addresses and spread their brute force and dictionary
M> attacks out, so they're not triggered by f2b.
I did get tired of seeing basically thousands of banned IP notices, and so I moved to the current development code so I could make use of the progressive ban time growth functionality. So for an ssh server where I expect people to occasionally flub a password, I ban after a few tries for five minutes, then five minutes again, then something on the order of months. I think they'd have to have a much larger set of available IPs from which to attack if they wanted to be able to actually brute force any passwords while not doing more than four attempts per day per host. Especially since they almost never seem to actually try a valid account name.

But even that leads to a tiring amount of emails about blocking hosts, so I implemented a simple script to fetch lists from blocklist.de and cream those in an ipset. I fetch the list every few hours from a systemd timer unit. That's cut down the amount of blocks I make by something on the order of 90%. I find that the SSH attack list usually contains about 8000 addresses.

Note that this is implemented completely independently from fail2ban; I just call firewall-cmd to add a direct rule (in the same manner that fail2ban does) and then load the addresses in by calling ipset in a loop. There's nothing persistent; it's run via a systemd timer and executes shortly after boot in addition to every few hours.

Of course, to be polite, you may want to also set up the reporting of attacks you receive to blocklist.de; that's already supported by default in fail2ban. And I know there's another service that does something similar, but they seem to want money. blocklist.de works well enough for me.

The script is unpolished; I only hacked it together last week and never bothered to polish it. If that's the kind of thing you're looking for, I can pass it along.

- J<

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
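The fetch-list-into-ipset-behind-a-firewalld-direct-rule procedure J< describes, written out as an added example; this is not the poster's script and not part of fail2ban. The list URL (https://lists.blocklist.de/lists/ssh.txt), the set name and the minimum-entry threshold are assumptions of this example; curl, ipset and firewall-cmd are expected on the host when it runs for real. Two things the example adds beyond the loop the post mentions: the downloaded list is validated line by line before any of it reaches a root-run ipset command, and the addresses are loaded into a staging set that is swapped in atomically, so the live set is never empty mid-refresh and a failed or near-empty download leaves the previous set in place.

```shell
#!/bin/sh
# Added example, not the list poster's script: refresh an ipset from the
# blocklist.de SSH list and hook it into firewalld with a direct rule, the
# way the post describes. Assumptions: the list URL and set name below are
# ours; ipset, firewall-cmd and curl exist on the host when run for real.
# Set DRY_RUN=1 to print the privileged commands instead of running them.

LIST_URL="${LIST_URL:-https://lists.blocklist.de/lists/ssh.txt}"   # assumed URL
SET_NAME="${SET_NAME:-blocklist_de_ssh}"                           # assumed name
MAXELEM=65536    # the poster sees ~8000 entries; leave headroom
MIN_ENTRIES=100  # refuse to replace a good set with a near-empty download

run() {  # execute a privileged command, or just echo it under DRY_RUN
    if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi
}

# is_ipv4 ADDR: true only for a plain dotted quad with octets 0-255.
# No CIDR, no IPv6, no trailing junk: the download is untrusted input that
# ends up inside a root-run ipset command, so only exact addresses pass.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# filter_ipv4: stdin -> stdout, keeping only valid addresses.
# `read` with the default IFS trims surrounding whitespace for us.
filter_ipv4() {
    while read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        is_ipv4 "$line" && printf '%s\n' "$line"
    done
    return 0
}

# ensure_set_and_rule: create the set if missing and add a firewalld direct
# rule (the mechanism fail2ban uses) dropping packets whose source is in it.
ensure_set_and_rule() {
    run ipset create "$SET_NAME" hash:ip maxelem "$MAXELEM" -exist
    run firewall-cmd -q --direct --query-rule ipv4 filter INPUT 0 \
        -m set --match-set "$SET_NAME" src -j DROP ||
    run firewall-cmd --direct --add-rule ipv4 filter INPUT 0 \
        -m set --match-set "$SET_NAME" src -j DROP
}

# build_restore_script STAGING: stdin addresses -> `ipset restore` input
# that fills a staging set. Swapping it in afterwards means the live set is
# never empty mid-refresh (flush-then-add-in-a-loop leaves a window).
build_restore_script() {
    echo "create $1 hash:ip maxelem $MAXELEM"
    echo "flush $1"
    while read -r ip; do echo "add $1 $ip"; done
}

refresh() {
    raw=$(mktemp) && clean=$(mktemp) || return 1
    trap 'rm -f "$raw" "$clean"' EXIT
    # -f turns HTTP errors into a non-zero exit, so an error page is never
    # mistaken for a list
    if ! curl -fsS --max-time 60 -o "$raw" "$LIST_URL"; then
        echo "fetch failed; keeping the existing set" >&2; return 1
    fi
    filter_ipv4 < "$raw" > "$clean"
    n=$(wc -l < "$clean")
    if [ "$n" -lt "$MIN_ENTRIES" ]; then
        echo "only $n valid entries; refusing to swap" >&2; return 1
    fi
    ensure_set_and_rule
    staging="${SET_NAME}_new"
    if [ -n "${DRY_RUN:-}" ]; then
        build_restore_script "$staging" < "$clean" | sed 's/^/+ ipset restore: /'
    else
        build_restore_script "$staging" < "$clean" | ipset -exist restore
    fi
    run ipset swap "$staging" "$SET_NAME"
    run ipset destroy "$staging"
    echo "loaded $n addresses into $SET_NAME"
}

# usage: blocklist-refresh.sh run   (e.g. from a systemd timer every few hours)
case "${1:-}" in run) refresh ;; esac
```

Run it as `blocklist-refresh.sh run` from the timer unit, and with `DRY_RUN=1` first to see exactly which ipset and firewall-cmd commands it would issue. Like the poster's setup it is independent of fail2ban and keeps nothing persistent: the direct rule and the set disappear on reboot, so the timer needs to fire shortly after boot as well as on its periodic schedule.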
