
Re: random usernames in attempts to break in to my machine?



On Mon, Apr 04, 2022 at 11:51:47AM -0400, gene heskett wrote:

[...]

> I'd be watching the logs for the src address, and the 2nd time I saw the 
> same address, add it to my iptables drop recipe. voila! [...]

That's what fail2ban does for you. Only that it looks at many logs in
parallel (your ssh, your mail server, etc.) and that it NEVER SLEEPS.
(No, seriously ;-)

Another advantage is that it can un-ban addresses after a while, so
that (a) your iptables don't grow without limits and (b) IP addresses
get a second chance (useful in the case they land in the hands of
an admin with a clue).

Since those attacks have been pretty well distributed for a while now
(meaning that they come from many random IPs), the real question is: do
the IPs repeat sufficiently to justify the (manual or automated) effort?

If an IP only repeats after, say, 10^4 or 10^5 attempts, I'd say "nah".
I'll check that, perhaps next weekend. Perhaps I'll post my conclusion
here, who knows :)

Cheers
-- 
t
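
One way to measure the question raised in the message above (how often source IPs actually repeat), as an added example that is not part of the original post: it reads sshd "Invalid user" lines, reports the gap in attempts between repeats of the same address, and counts how many attempts a permanent ban on the 2nd sighting would have dropped. The log lines are constructed, and the names `source_ips`, `repeat_stats` and `ban_after` are hypothetical; un-banning, as fail2ban does, is not modelled.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample in OpenSSH's "Invalid user" log format (not real data).
SAMPLE_LOG = """\
Apr  4 11:00:01 host sshd[1001]: Invalid user admin from 203.0.113.5 port 40022
Apr  4 11:00:09 host sshd[1002]: Invalid user oracle from 198.51.100.7 port 51514
Apr  4 11:00:15 host sshd[1003]: Invalid user test from 203.0.113.5 port 40030
Apr  4 11:00:21 host sshd[1004]: Invalid user pi from 192.0.2.44 port 33012
Apr  4 11:00:30 host sshd[1005]: Invalid user ubnt from 203.0.113.5 port 40041
Apr  4 11:00:42 host sshd[1006]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Apr  4 11:00:50 host sshd[1007]: Invalid user git from 198.51.100.7 port 51600
Apr  4 11:01:02 host sshd[1008]: Invalid user ftp from 203.0.113.5 port 40055
"""

# Greedy ".*" anchors on the last " from ", so odd usernames cannot shift the match.
ATTEMPT = re.compile(r"sshd\[\d+\]: Invalid user .* from (\S+) port \d+")


def source_ips(log_text):
    """Return the source address of every rejected login, in log order."""
    return [m.group(1) for m in ATTEMPT.finditer(log_text)]


def repeat_stats(ips, ban_after=2):
    """Summarise IP repetition; ban_after=2 means 'drop from the 3rd attempt on'."""
    last_seen, gaps = {}, []
    for i, ip in enumerate(ips):
        if ip in last_seen:
            # Number of attempts (from any source) since this IP was last seen.
            gaps.append(i - last_seen[ip])
        last_seen[ip] = i
    counts = Counter(ips)
    # With a permanent ban, everything after the ban_after-th sighting is dropped.
    blocked = sum(max(0, n - ban_after) for n in counts.values())
    return {
        "attempts": len(ips),
        "distinct_ips": len(counts),
        "repeat_gaps": gaps,
        "median_gap": median(gaps) if gaps else None,
        "blocked": blocked,
        "blocked_fraction": blocked / len(ips) if ips else 0.0,
    }


if __name__ == "__main__":
    print(repeat_stats(source_ips(SAMPLE_LOG)))
```

A median gap in the 10^4 to 10^5 range, or a blocked fraction near zero, would correspond to the "nah" case described in the message.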
