On 06/10/2019 18:07, Mike wrote:
>
> It seems by default, many of the fail2ban jails are rejecting incoming
> traffic with this iptables option:
> reject-with icmp-port-unreachable
>
> Is there an advantage of doing this over simply just DROP'ing the
> packets themselves?
>
> Wouldn't this let the remote system know you're actively closing a
> potentially un-opened port, vs, if you just never replied to the
> inquiry the remote system would believe there is no service at that
> port?
>
> I'm curious what the best way to stop repeat traffic might be?
>
> - Mike
>

I believe the logic goes that, given you've already been talking with the offender, trying to disappear off the radar won't work. If you blacklist addresses at your firewall, then it may make sense not to respond to them at all, but if you want an offender to go away, the best option is to say "You are no longer welcome here" with an ICMP response.

In the best case with an ICMP reject, the attacking software will realise that it's been rumbled and will back off. In the worst case with a drop, the attacking software will continue attacking forever. The reality lies somewhere in between.

> > _______________________________________________
> > Fail2ban-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
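As an added illustration (not posted by either participant), the fail2ban setting behind the `icmp-port-unreachable` reject Mike noticed, and the two places an admin can change it to DROP; this assumes a fail2ban 0.10-series layout where `blocktype` is defined in `action.d/iptables-common.conf` and a jail named `sshd`, both constructed for the example.

```ini
# File 1: /etc/fail2ban/action.d/iptables-common.local  (constructed)
# iptables-common.conf includes this file after its own [Init] section, so a
# value set here overrides the shipped default for every iptables-based ban
# action at once. The shipped default is:
#   blocktype = REJECT --reject-with icmp-port-unreachable
# i.e. the banned host gets an ICMP "port unreachable" and knows it was cut off.
[Init]
# Silent variant discussed in the thread: the banned host's packets vanish and
# its connection attempts time out instead of failing immediately.
blocktype = DROP

# File 2: /etc/fail2ban/jail.local  (constructed)
# Alternative: keep the global REJECT default and drop silently for one jail
# only, by passing blocktype as an action parameter (assumed to be accepted
# because blocktype is an [Init] parameter of the iptables actions).
[sshd]
enabled = true
action = iptables-multiport[name=sshd, port=ssh, protocol=tcp, blocktype=DROP]
```

After `fail2ban-client reload`, `iptables -S` shows whether the jail's chain ends in `-j DROP` or `-j REJECT --reject-with icmp-port-unreachable`, which is the quickest way to confirm which behaviour a given jail actually has.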
