On 02.03.2015 at 19:03, Reindl Harald wrote:
On 02.03.2015 at 18:56, Robert Schetterer wrote:
Perhaps, and I mean really "perhaps", go this way:
https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-m...
45K+ IPs will work in a recent table; I have them too, but for SMTP only, like
echo 10000000 > /sys/module/xt_recent/parameters/ip_list_tot
Combining with GeoIP might be a good idea too.
It is much faster than fail2ban because no log file parsing is needed.
Or another idea you might test: configure a syslog filter pumping into a recent table the direct way.
That is all nice,
but the main benefit of RBLs is always ignored:
- centralized
- no log parsing at all
- honeypot data are "delivered" to any host
- it's cheap
- it's easy to maintain
- it doesn't need any root privileges anywhere
We have a small honeypot network with a couple of IP ranges detecting mass port scans and so on, and this data is available *everywhere*.
So if some IP hits there, it takes 60 seconds and any service supporting DNS blacklists can block them *even before* the bot hits the real mailserver at all.
Centralizing may also work with syslog filters acting on a "grand" firewall/load balancer in front of all hosts. Anyway, depending on the setup, combining many solutions may give the best results; your solution is fine too. In the end, anything that solves the task is fine, and the admin has to decide which way he wants to go.
Kind regards, Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: Munich, Amtsgericht München: HRB 199263. Board: Patrick Ben Koetter, Marc Schiffbauer. Chairman of the Supervisory Board: Florian Kirstein
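A worked example of the recent-table approach discussed in this thread (added here as an illustration; it is not code from the thread, from Robert, or from sys4). It assumes a table named smtp_bruteforce, a threshold of 5 SASL failures per address, a one-hour block window, and the standard xt_recent control file /proc/net/xt_recent/<table>, where writing "+IP" adds an address, "-IP" removes it and "/" flushes the table. The syslog lines it parses are constructed samples in Postfix smtpd format, not real traffic.

```shell
#!/bin/sh
# Added example, not code from the thread or from sys4: a minimal version of
# "syslog filter -> xt_recent table -> iptables DROP" for SMTP AUTH brute force.
# Assumptions (mine, not stated in the thread): table name "smtp_bruteforce",
# 5 SASL failures per address before it is listed, a 1 h block window, and the
# standard xt_recent control file /proc/net/xt_recent/<table>, where writing
# "+IP" adds an address, "-IP" removes it and "/" flushes the table.

TABLE="${TABLE:-smtp_bruteforce}"
THRESHOLD="${THRESHOLD:-5}"
BLOCK_SECONDS="${BLOCK_SECONDS:-3600}"
# Point this at a regular file to dry-run without root or the kernel module.
RECENT_PROC="${RECENT_PROC:-/proc/net/xt_recent/$TABLE}"

# xt_recent holds 100 addresses per table by default. The limit is a module
# parameter, so for a 45K+ list it is set via modprobe.d before the module loads.
print_modprobe_conf() {
    printf 'options xt_recent ip_list_tot=%s\n' "$1"
}

# Firewall side: refuse new SMTP/submission connections from listed addresses.
# --update refreshes the timestamp on every hit (repeat offenders stay listed),
# --seconds bounds the block, --reap purges entries older than the window.
print_rules() {
    cat <<EOF
iptables -I INPUT -p tcp --syn -m multiport --dports 25,465,587 -m recent --name $TABLE --update --seconds $BLOCK_SECONDS --reap -j DROP
EOF
}

# Detector side: read syslog lines on stdin (e.g. as an rsyslog omprog target,
# so no log file is tailed), count SASL auth failures per client IP and print
# each IPv4 address once, the moment it reaches THRESHOLD. IPv6 is not handled.
offenders() {
    awk -v t="$THRESHOLD" '
        / SASL [A-Za-z0-9-]+ authentication failed/ {
            if (match($0, /\[[0-9.]+\]: SASL/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 8)  # strip "[" and "]: SASL"
                if (++n[ip] == t) { print ip; fflush() }
            }
        }'
}

# Kernel side: one write per address; the new entry is timestamped "now".
block_ip() {
    printf '+%s\n' "$1" > "$RECENT_PROC"
}

# Constructed sample syslog lines (Postfix smtpd format); not real traffic.
sample_log() {
    i=0
    while [ $i -lt 5 ]; do
        echo "Mar  2 19:03:0$i mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"
        i=$((i + 1))
    done
    echo "Mar  2 19:03:10 mx postfix/smtpd[1235]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure"
    echo "Mar  2 19:03:11 mx postfix/smtpd[1236]: connect from mail.example.net[192.0.2.10]"
}

# Production wiring: ./script.sh run   (stdin = the syslog stream)
if [ "${1:-}" = "run" ]; then
    offenders | while read -r ip; do block_ip "$ip"; done
fi
```

Two practical notes: the /proc/net/xt_recent/<table> file only appears once an iptables rule referencing that --name has been loaded, so the rule goes in before the feed starts; and the xt_recent module parameters are exposed read-only under /sys/module/xt_recent/parameters on current kernels, which is why the example puts ip_list_tot into a modprobe.d options line that takes effect at module load rather than writing it at runtime. Because the awk counter is streaming and prints an address exactly once when it crosses the threshold, the same script works unchanged as a syslog-fed filter or over a captured file.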