As a follow-up on my previous post about this new system, login-shield https://github.com/dpsystems/login-shield, a set of scripts that creates an extra layer of protection that sits in front of F2B and blocks login ports using IP hashes and large groups of IPs, I wanted to share some stats on this system's effectiveness. I don't expect everybody to get these kinds of results because I'm tweaking the blacklist based on my own system probes, but it's pretty interesting.

Blacklist status:
  Name: login-shield
  Type: hash:net
  Size in memory: 17400
  Number of entries: 308

Yes, only 308 rules...

Server 1: mail server with a few web sites
  Period: Oct 13 3:45am - Oct 16 11:51am
  Number of login failures in log files: 163
  Number of filtered login attempts: 26646
  99.1% of system probes blocked.

The super high number of filtered login attempts seems to be attributed to a small number of systems that, despite being blocked, keep trying to hammer the imap ports, presumably waiting to be timed out and acceptable again. Now when I examine my f2b logfile, it's mostly [unban] timeouts and triggers from smtp.

Server 2: web server handling 40+ hosts
  Period: Oct 13 3:00am - Oct 16 11:58am
  Number of login failures in log files: 43
  Number of filtered login attempts: 2948
  98.6% of system probes blocked.

If anybody else wants to try these scripts and let me know how well they work for you, it's appreciated.
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
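Added example, not part of login-shield or the post above: it shows how a hash:net style blacklist can stay small by aggregating probing hosts into whole network entries, and how the "% of system probes blocked" figure follows from counting filtered attempts against attempts that reached the login service. The IP addresses, the /24 aggregation threshold, and the function names are constructed assumptions.

```python
"""Constructed illustration of a hash:net style blacklist (host entries plus
whole-network entries) and of the block-rate figure quoted in the post."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: source IPs seen failing logins during a tuning period.
PROBE_SOURCES = [
    "203.0.113.5", "203.0.113.9", "203.0.113.77", "203.0.113.200",
    "198.51.100.14", "198.51.100.15", "198.51.100.16",
    "192.0.2.33",
]

# Constructed sample: sources of attempts observed after the blacklist went live.
LATER_ATTEMPTS = (["203.0.113.42"] * 20 + ["198.51.100.99"] * 5
                  + ["192.0.2.33", "192.0.2.34", "203.0.113.99"])


def build_blacklist(sources, min_hosts=3, prefix=24):
    """Return sorted CIDR strings. A whole /prefix network is listed once
    min_hosts distinct hosts in it have probed; otherwise the single host
    gets a /32 entry. This is the kind of mix a hash:net set holds."""
    distinct = set(sources)
    hosts_per_net = Counter(ip_network(f"{ip}/{prefix}", strict=False)
                            for ip in distinct)
    entries = set()
    for ip in distinct:
        net = ip_network(f"{ip}/{prefix}", strict=False)
        entries.add(str(net) if hosts_per_net[net] >= min_hosts else f"{ip}/32")
    return sorted(entries)


def is_blocked(ip, blacklist):
    """True if ip falls inside any blacklist entry (set membership test)."""
    addr = ip_address(ip)
    return any(addr in ip_network(entry) for entry in blacklist)


def block_rate(attempts, blacklist):
    """Return (filtered, reached_login, percent_blocked): attempts dropped by
    the blacklist versus attempts that got through to the login service."""
    filtered = sum(1 for ip in attempts if is_blocked(ip, blacklist))
    reached = len(attempts) - filtered
    pct = round(100.0 * filtered / len(attempts), 1) if attempts else 0.0
    return filtered, reached, pct


if __name__ == "__main__":
    bl = build_blacklist(PROBE_SOURCES)
    print(bl)                          # 3 entries covering 8 probing hosts
    print(block_rate(LATER_ATTEMPTS, bl))
```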
