
Re: fail2ban for apache2



Brian <ad44@cityscape.co.uk> writes:

> On Sun 10 Nov 2019 at 11:01:07 +0100, Michael wrote:
>
>> On Saturday, November 9, 2019 7:01:00 PM CET, Gene Heskett wrote:
>> 
>> > I was able, with the help of another responder to carve up some iptables
>> > rules to stop the DDOS that semrush, yandex, bingbot, and 2 or 3 others
>> > were bound to do to me.
>> 
>> Using iptables directly is fine, because you get your results fast, but it
>> lacks some advantages over fail2ban, which I think outweigh the simplicity
>> of iptables:
>> - With iptables you have to scan your log regularly for misbehaving or
>> unwanted clients, whereas fail2ban does this automatically, constantly (!),
>> and based on rules. From time to time these rules have to be adapted, since
>> bots are evolving, but I think it's still less trouble than looking at log
>> files every day or so.
>> - fail2ban allows you to block only specific ports, in your case maybe 80
>> and/or 443 for the web server.
>> - You have to remember which IP address you blocked, why and for how long
>> you want to block them. fail2ban does that for you.
>> - ... (too lazy right now to write more)
>
> This accords with my understanding of fail2ban with exim. I use it to
> keep the logs clean and it is very effective. Offenders are banned for
> a year, although I do wonder sometimes whether this length of time is
> a little over the top. I also wonder whether, as the banned list builds
> up, there is a noticeable effect on the machine's resources.

Probably.  But you have to balance that against the resources required
if you let the connection through to exim (or whatever service you're
protecting).  iptables (even with a few hundred rules) is likely to be
more efficient than exim.

One thing you could try is to examine the iptables rule counters
daily/weekly.  If the counters do not increase during some interval,
then the rule is no longer useful to you, so you could delete it.  This
should be fairly straightforward to automate, but I don't know if
someone has already built this tooling.

-- 
regards,
kushal

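The counter check kushal describes, as an added example that is not part of the thread: it parses two snapshots of `iptables -L INPUT -v -n -x --line-numbers` taken some interval apart, keys each rule on its match fields (so renumbering after a deletion does not confuse it), and lists the rules whose packet counter did not move. The snapshot text below is constructed for illustration; the addresses and rule layout are assumptions, not output from any real host.

```python
# Compare two iptables snapshots and find ban rules that no longer match anything.
def parse_chain(text):
    """Map rule identity -> (rule number, packet count) from
    `iptables -L INPUT -v -n -x --line-numbers` output."""
    rules = {}
    for line in text.splitlines():
        parts = line.split(None, 10)
        if len(parts) < 10 or not parts[0].isdigit():
            continue  # "Chain ..." and column-header lines
        num, pkts, _bytes, target, prot, _opt, _in, _out, src, dst = parts[:10]
        extra = parts[10].strip() if len(parts) > 10 else ""
        # identity that survives renumbering: everything except num and counters
        rules[(target, prot, src, dst, extra)] = (int(num), int(pkts))
    return rules

def stale_rules(before, after):
    """Rules present in both snapshots whose packet counter did not grow,
    as (rule number in `after`, source address) pairs."""
    old = parse_chain(before)
    return [(num, key[2]) for key, (num, pkts) in parse_chain(after).items()
            if key in old and old[key][1] == pkts]

def delete_commands(before, after, chain="INPUT"):
    """Dry run: print, review, then apply. Highest rule number first so
    each deletion does not renumber the rules still to be deleted."""
    stale = sorted(stale_rules(before, after), reverse=True)
    return [f"iptables -D {chain} {num}" for num, _src in stale]

# Constructed sample snapshots one week apart (not real output from any host).
BEFORE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1         120       7200 DROP       tcp  --  *      *       203.0.113.7          0.0.0.0/0            multiport dports 80,443
2          55       3300 DROP       tcp  --  *      *       198.51.100.9         0.0.0.0/0            multiport dports 80,443
3           0          0 DROP       all  --  *      *       192.0.2.50           0.0.0.0/0
"""
AFTER = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1         340      20400 DROP       tcp  --  *      *       203.0.113.7          0.0.0.0/0            multiport dports 80,443
2          55       3300 DROP       tcp  --  *      *       198.51.100.9         0.0.0.0/0            multiport dports 80,443
3           0          0 DROP       all  --  *      *       192.0.2.50           0.0.0.0/0
4          12        720 DROP       tcp  --  *      *       203.0.113.88         0.0.0.0/0            multiport dports 80,443
"""

if __name__ == "__main__":
    for cmd in delete_commands(BEFORE, AFTER):
        print(cmd)
```

Counters are zeroed whenever the ruleset is reloaded (reboot, iptables-restore, `-Z`), so take both snapshots within the same uptime, and rules that appear only in the later snapshot are deliberately left alone because there is nothing to compare them against.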