From: David C. M. <sto...@gm...> - 2012-07-06 14:05:04
Hi there. I discovered a serious problem in fail2ban, making it prone to DDoS and making it stop banning anymore. Since yesterday, my personal server has been under a DNS cache DDoS attack, but although fail2ban was configured, it was not effectively stopping that attack. After some research I discovered the cause, and thus I am posting it here, providing feedback for it to be fixed.

I had fail2ban mailing me with every ban it created. The problem: if it is under a heavy attack, there is little to no upload bandwidth left for sendmail, and fail2ban waits for sendmail in order to process the next bans. I came to know that because, while tailing log files by hand and watching the number of attacks per second, and seeing that my upload bandwidth was exhausted, a ps -Af revealed that sendmail was waiting to finish, and fail2ban had only banned 2 or 3 IPs from at least 50 which were participating at that moment.

I think this is a very serious issue which needs to be fixed ASAP, making it do its actions asynchronously by default. The workaround I used was to modify the mail-buffered.conf action to use sendmail, and it successfully banned every IP participating in the event. Yet still, it is annoying since I'd like to receive the notification at that moment, rather than waiting for XX different IPs to receive the notification. What about this issue?

P.S. I am posting to the list as I could not find an official bugzilla to post this there.

Thanks, awaiting feedback,
David.
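The decoupling the post asks for, as an added shell example that is not from the post and not fail2ban's own code: each ban is appended to a spool file and the mailing of the batch is handed to a detached subshell, so the action returns as soon as the spool append is done, however starved the uplink is and however long sendmail takes. The spool path, the MAILTO variable, the send_mail wrapper, the script path in the actionban line and the sample addresses are assumptions for the example.

```shell
#!/bin/sh
# Non-blocking ban notification for a fail2ban action (added example, not
# fail2ban's own code). The mail step runs in a detached subshell so the
# action returns as soon as the ban is spooled, even when the upstream
# link is saturated and sendmail would otherwise stall fail2ban.
#
# Assumed names (not from the original post): SPOOL, MAILTO, send_mail,
# and the script path used in the actionban line below.

SPOOL="${SPOOL:-/var/spool/fail2ban-notify.log}"   # assumed location
MAILTO="${MAILTO:-root}"                           # assumed recipient

# Hand a finished message to the MTA. Kept as a function so an offline
# test can swap it for a file writer.
send_mail() {
    sendmail -t
}

# Step 1: record the ban and return immediately (one append, no network).
queue_ban_notice() {
    ip="$1"
    jail="$2"
    printf '%s %s %s\n' "$(date -u +%FT%TZ)" "$jail" "$ip" >> "$SPOOL"
}

# Step 2: move the spool aside and send everything in it as one message,
# mirroring the batching of mail-buffered.conf mentioned in the post.
# If a concurrent flush already took the spool, there is nothing to do.
flush_ban_notices() {
    [ -s "$SPOOL" ] || return 0
    batch=$(mktemp "$SPOOL.XXXXXX")
    mv "$SPOOL" "$batch" 2>/dev/null || { rm -f "$batch"; return 0; }
    count=$(wc -l < "$batch" | tr -d ' ')
    {
        printf 'To: %s\n' "$MAILTO"
        printf 'Subject: [Fail2Ban] %s ban(s)\n\n' "$count"
        cat "$batch"
    } | send_mail
    rm -f "$batch"
}

# Entry point for an action file, e.g. in /etc/fail2ban/action.d/*.conf:
#   actionban = /usr/local/bin/notify-ban.sh <ip> <name>
# (script path assumed). The flush is backgrounded, so a slow or stuck
# MTA never holds up the next ban.
notify_ban_async() {
    queue_ban_notice "$1" "$2"
    ( flush_ban_notices ) >/dev/null 2>&1 &
}

# Run as a script: notify-ban.sh <ip> <jail>
if [ -n "$1" ] && [ -n "$2" ]; then
    notify_ban_async "$1" "$2"
fi
```

The ban itself (the iptables step in the real action) is untouched by this; only the notification is moved off the critical path. Even when the MTA never returns, every ban is still on record in the spool file, which is the property the post found missing when sendmail blocked the action.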