
Re: fail2ban for apache2



On Sun 10 Nov 2019 at 10:26:17 -0800, Kushal Kumaran wrote:

> Brian <ad44@cityscape.co.uk> writes:
> 
> > On Sun 10 Nov 2019 at 11:01:07 +0100, Michael wrote:
> >
> >> On Saturday, November 9, 2019 7:01:00 PM CET, Gene Heskett wrote:
> >> 
> >> > I was able, with the help of another responder to carve up some iptables
> >> > rules to stop the DDOS that semrush, yandex, bingbot, and 2 or 3 others
> >> > were bound to do to me.
> >> 
> >> using iptables directly is fine, because you get your results fast, but it
> >> lacks some advantages over fail2ban, which I think outweigh the simplicity
> >> of iptables:
> >> - with iptables you have to scan your log regularly for misbehaving or
> >> unwanted clients, whereas fail2ban does this automatically, constantly (!),
> >> and based on rules. from time to time these rules have to be adapted, since
> >> bots are evolving, but I think it's still less trouble than looking at log
> >> files every day or so.
> >> - fail2ban allows you to block only specific ports, in your case maybe 80
> >> and/or 443 for the web server.
> >> - you have to remember which ip address you blocked, why and for how long
> >> you want to block them. fail2ban does that for you.
> >> - ... (too lazy right now to write more)
> >
> > This accords with my understanding of fail2ban with exim. I use it to
> > keep the logs clean and it is very effective. Offenders are banned for
> > a year, although I do wonder sometimes whether this length of time is
> > a little over the top. I also wonder whether, as the banned list builds
> > up, there is a noticeable effect on the machine's resources.
> 
> Probably.  But you have to balance that against the resources required
> if you let the connection through to exim (or whatever service you're
> protecting).  iptables (even with a few hundred rules) is likely to be
> more efficient than exim.

Thank you for that, Kushal. I see your point. It is indeed efficiency,
not security, I am after.

> One thing you could try is to examine the iptables rule counters
> daily/weekly.  If the counters do not increase during some interval,
> then the rule is no longer useful to you, so you could delete it.  This
> should be fairly straightforward to automate, but I don't know if
> someone has already built this tooling.

I hardly use iptables, so this is the first I have heard about rule
counters. I'll work something out to accommodate it.

-- 
Brian.
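One way to automate the counter check Kushal suggests, as an added example that is not from any poster in this thread. It assumes the INPUT chain holds plain per-source DROP rules and compares two saved snapshots of `iptables -L INPUT -v -n -x --line-numbers`; the two sample snapshots are constructed. Bans that fail2ban manages live in its own f2b-* chains and should be handled with fail2ban-client, not by deleting rules here.

```shell
#!/bin/sh
# Find DROP rules in INPUT whose packet counter has not moved between two
# snapshots. Counters reset on reboot or on a plain iptables-restore, so
# compare saved snapshots (or keep counters with iptables-save -c) rather
# than relying on a counter that simply reads zero right now.

# Live snapshot (needs root); run from cron and save it to a dated file.
snapshot_input() { iptables -L INPUT -v -n -x --line-numbers; }

# Print "source pkts" for every numbered DROP rule in a saved snapshot.
# Columns: num pkts bytes target prot opt in out source destination
drop_counters() {
    awk '$1 ~ /^[0-9]+$/ && $4 == "DROP" { print $9, $2 }' "$1"
}

# Print the source of every DROP rule whose packet count is the same in
# the old and new snapshots (candidates for removal).
stale_drop_rules() {
    old="$1"; new="$2"
    drop_counters "$old" | while read -r src pkts; do
        newpkts=$(drop_counters "$new" | awk -v s="$src" '$1 == s { print $2 }')
        if [ -n "$newpkts" ] && [ "$newpkts" -eq "$pkts" ]; then
            echo "$src"
        fi
    done
}

# Constructed sample snapshots standing in for two cron runs a week apart.
sample_old() { cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        1234     98765 DROP       all  --  *      *       203.0.113.5          0.0.0.0/0
2          17      1360 DROP       all  --  *      *       198.51.100.7         0.0.0.0/0
3           0         0 DROP       all  --  *      *       192.0.2.9            0.0.0.0/0
EOF
}
sample_new() { cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        1401    112080 DROP       all  --  *      *       203.0.113.5          0.0.0.0/0
2          17      1360 DROP       all  --  *      *       198.51.100.7         0.0.0.0/0
3           0         0 DROP       all  --  *      *       192.0.2.9            0.0.0.0/0
EOF
}

OLD=$(mktemp); NEW=$(mktemp)
sample_old > "$OLD"; sample_new > "$NEW"
# Prints 198.51.100.7 and 192.0.2.9; a rule is removed with
# iptables -D INPUT -s "$src" -j DROP once you have reviewed the list.
stale_drop_rules "$OLD" "$NEW"
```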