From: Lee C. <ja...@le...> - 2012-01-15 19:32:57
On 01/15/2012 02:03 PM, cielo rosso wrote:
> I'm just starting out with fail2ban, so I might be missing something
> obvious.
>
> The goal: creating a failregex for SYN attacks on our web server which
> are of the type:
> [13/Jan/2012:15:08:08 -0800] 1.2.3.4 - - "GET / HTTP/1.0" 200 16941
> "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)"

That looks like a perfectly acceptable GET request, unless you want to 'alert' on HTTP 1.0 being used?

A SYN attack would not issue a GET request... as the GET request is issued far beyond the initial TCP handshake the SYN attack is attacking.
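Added example, not part of the original message or of fail2ban's own code: a Python sketch of what alerting on HTTP/1.0 requests in the quoted log format could look like, with a failregex-style pattern and a fail2ban-like maxretry/findtime count per host. The `HOST` group is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, the function name and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex-style pattern for the log format quoted in the thread.
FAILREGEX = r'^\[(?P<ts>[^\]]+)\] <HOST> - - "GET / HTTP/1\.0" 200 \d+ '
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))

# Constructed sample lines in the quoted format (not real traffic).
UA = '"-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)"'
SAMPLE_LOG = [
    f'[13/Jan/2012:15:08:08 -0800] 1.2.3.4 - - "GET / HTTP/1.0" 200 16941 {UA}',
    f'[13/Jan/2012:15:08:09 -0800] 192.0.2.10 - - "GET / HTTP/1.1" 200 16941 {UA}',
    f'[13/Jan/2012:15:08:10 -0800] 1.2.3.4 - - "GET / HTTP/1.0" 200 16941 {UA}',
    f'[13/Jan/2012:15:08:11 -0800] 198.51.100.7 - - "GET / HTTP/1.0" 200 16941 {UA}',
    f'[13/Jan/2012:15:08:12 -0800] 1.2.3.4 - - "GET / HTTP/1.0" 200 16941 {UA}',
    f'[13/Jan/2012:15:13:11 -0800] 198.51.100.7 - - "GET / HTTP/1.0" 200 16941 {UA}',
    f'[13/Jan/2012:15:18:11 -0800] 198.51.100.7 - - "GET / HTTP/1.0" 200 16941 {UA}',
]

def hosts_over_threshold(lines, maxretry=3, findtime=60):
    """Return hosts with >= maxretry matching lines within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    flagged = []                  # hosts in the order they crossed the threshold
    for line in lines:
        m = PATTERN.match(line)
        if not m:
            continue              # HTTP/1.1 and other requests are ignored
        host = m.group("host")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[host]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # drop matches older than findtime
        if len(hits) >= maxretry and host not in flagged:
            flagged.append(host)
    return flagged

if __name__ == "__main__":
    print(hosts_over_threshold(SAMPLE_LOG))
```

This only counts completed HTTP requests; as the reply notes, a SYN flood never gets far enough to produce an access-log line, so it cannot be seen this way.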