On 02.03.2015 at 18:56, Robert Schetterer wrote:
perhaps, and I mean really "perhaps", go this way
https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-m...
45K+ IPs will work in a recent table, I have them too, but for SMTP only, like
echo 10000000 > /sys/module/xt_recent/parameters/ip_list_tot
combining with geoip might be a good idea too
it is ultra faster than fail2ban because no log file parsing is needed
or another idea you might test: configure a syslog filter pumping into a recent table the direct way

that is all nice
but the main benefit of RBLs is always ignored:
- centralized
- no log parsing at all
- honeypot data is "delivered" to any host
- it's cheap
- it's easy to maintain
- it doesn't need any root privileges anywhere
we have a small honeypot network with a couple of IP ranges detecting mass port-scans and so on, and this data is available *everywhere*
so if some IP hits there, it takes 60 seconds and any service supporting DNS blacklists can block them *even before* the bot hits the real mailserver at all
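
The DNS blacklist lookup that the reply above relies on, sketched as an added example (not code from either poster): the client reverses the address, appends the list's zone and treats an answer in 127.0.0.0/8 as "listed". The zone name dnsbl.example.org, the addresses and the stub resolver are constructed for illustration.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here (RFC 5782)


def dnsbl_query_name(ip, zone):
    """Return the DNS name a client looks up to ask `zone` about `ip`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))            # octets, reversed
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # 32 hex nibbles, reversed
    return ".".join(labels) + "." + zone.strip(".")


def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True if `zone` lists `ip`.

    A failed lookup (NXDOMAIN, but also a resolver outage) counts as
    "not listed", so this check fails open. An answer outside
    127.0.0.0/8 is ignored: it usually means a resolver that rewrites
    NXDOMAIN, not a real listing.
    """
    try:
        answer = ipaddress.ip_address(resolve(dnsbl_query_name(ip, zone)))
    except socket.gaierror:
        return False
    return answer in LISTED_RANGE


# Constructed sample data: a hypothetical zone and a stub resolver so the
# example runs offline. Real use passes no `resolve` argument.
ZONE = "dnsbl.example.org"
FAKE_ZONE = {
    "10.2.0.192.dnsbl.example.org": "127.0.0.2",     # listed
    "11.2.0.192.dnsbl.example.org": "203.0.113.80",  # rewritten NXDOMAIN
}


def fake_resolve(name):
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror("constructed NXDOMAIN for " + name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(ip, dnsbl_query_name(ip, ZONE), is_listed(ip, ZONE, fake_resolve))
```

Because the whole check is one unprivileged DNS query, any host that can resolve names can use the list, which is the "centralized, no log parsing, no root" point made above.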