From: Gregory S. <gr...@sl...> - 2013-09-15 23:43:00
CB> Hello Fabian,
CB> Thanks for the reply.
CB> I fail to see how knowing the frequency of repeat offending IPs helps me.
CB> I have sometimes determined if the offending IP is still on-line. Some are; most aren't. None nmap!
CB> The Apache logs show the offender's user agent; it seems like "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:22.0) Gecko/20100101 Firefox/22.0" is popular.
CB> Some of the request strings are huge, having the GET...'?action=register' concatenated many times with different '+garbage' strings. Just looks like a brute force on many different names!
CB> Did I miss something?
CB> Charles Bradshaw

I'm no expert here, but this *looks* to me to be a distributed spam attack. IMO, this does NOT fit an IP block very well.

1) There's a botnet that's being used to attempt these, and its members are simply "innocent" users' machines which have been infected with spyware/malware. You could easily be blocking 50K machines. While this may not bother you (as you never expect to actually see one of these machines as a visitor/customer), the churn rate on infected machines will likely be very high. So, over time you could be blocking hundreds of thousands of machines, and with no real effect/benefit. I.e. you'll be expending huge levels of resources to block a few annoying machines, but the number of "new" botnet members is essentially limitless for the "attacker", and the benefit from blocking one machine from making new attempts is rather small. If you maintain these forever, it's highly likely you'll start impacting visitors who might legitimately visit your site. [And this doesn't really take into consideration clients on dynamic IPs who will have one IP blocked only to move to another, leaving the "old" IP still blocked with a non-hostile machine on it now.]

Essentially, fail2ban works for non-distributed "attacks", where one attacker at a single IP will make many attempts. It's rather terrible, IMO, for a distributed attack where one attacker will make a few attempts via many thousands of machines. The latter situation is rather harder to address. IMO, CAPTCHAs or other methods are a lot more applicable than fail2ban.

If I were in your shoes, I'd probably simply try to ignore the attempts [at least via fail2ban] and harden the site so successes would be very hard earned. [And the likelihood they succeed is pretty low anyway.] I'd guess something like manual subscription approval, CAPTCHAs, etc. are more likely to bring satisfaction, though at increased admin time and resources. These approaches tend to have better returns on investment than fail2ban for your situation, IMO.

[I'm not sure what BB you're running, but WordPress, phpBB, etc. all have tools that work pretty well for the problems that typically impact such sites, and IMO you'll fare better using those tools. You may *feel* better being able to shake your ban-hammer at the botnet, but I don't think you'll actually *be* in a better place.]

But that's all my opinion and you're more than welcome to ignore it.

-Greg
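The point Greg makes about per-IP thresholds, shown on constructed Apache log lines. This is an added illustration, not code from the thread and not fail2ban's own implementation: it counts `action=register` requests per client IP the way a per-IP jail would (ignoring fail2ban's `findtime` window), and reports how much of the flood a `maxretry` threshold actually stops when each bot only makes one or two attempts. The log lines, IP addresses (documentation ranges) and usernames are constructed; the user agent string is the one quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample data (not from the original thread); documentation IP ranges.
UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:22.0) "
      "Gecko/20100101 Firefox/22.0")
TS = "15/Sep/2013:22:01:03 +0000"


def make_line(ip, path, ua=UA):
    """Build one Apache combined-log line for the constructed sample."""
    return f'{ip} - - [{TS}] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'


BOTNET = ["203.0.113.%d" % n for n in range(10, 18)]  # 8 infected hosts
SINGLE_SOURCE = "198.51.100.77"                       # one classic brute forcer
LEGIT = "192.0.2.5"                                   # an ordinary visitor

SAMPLE_LOG = "\n".join(
    # every bot tries one name; three of them try a second one
    [make_line(ip, "/index.php?action=register&user=bob+%d" % i)
     for i, ip in enumerate(BOTNET)]
    + [make_line(ip, "/index.php?action=register&user=alice+%d" % i)
       for i, ip in enumerate(BOTNET[:3])]
    # the single-source attacker hammers the same endpoint from one IP
    + [make_line(SINGLE_SOURCE, "/index.php?action=register&user=admin+%d" % i)
       for i in range(6)]
    + [make_line(LEGIT, "/index.php", ua="curl/7.30.0")]
)

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-log lines into dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def register_attempts(records):
    """Registration attempts per client IP (one matching request = one attempt)."""
    return Counter(r["ip"] for r in records if "action=register" in r["path"])


def fail2ban_bans(per_ip, maxretry=5):
    """IPs a per-IP jail would ban: those whose count reaches maxretry.
    (A real jail also restricts this to a findtime window; ignored here.)"""
    return {ip for ip, n in per_ip.items() if n >= maxretry}


def summarize(per_ip, maxretry=5):
    """How much of the flood a per-IP threshold actually stops."""
    banned = fail2ban_bans(per_ip, maxretry)
    total = sum(per_ip.values())
    blocked = sum(per_ip[ip] for ip in banned)
    return {
        "total_attempts": total,
        "distinct_ips": len(per_ip),
        "banned_ips": len(banned),
        "attempts_from_banned_ips": blocked,
        "attempts_left_unblocked": total - blocked,
    }


if __name__ == "__main__":
    per_ip = register_attempts(parse_log(SAMPLE_LOG))
    for ip, n in per_ip.most_common():
        print(f"{ip:16} {n} attempt(s)")
    print(summarize(per_ip))
```

With the default `maxretry=5` the single-source attacker (6 attempts from one IP) is banned, while the eleven botnet attempts spread over eight hosts are all left through. Dropping `maxretry` to 1 would stop them, but only by banning every infected host that ever shows up once, which is exactly the ever-growing, churning ban list Greg warns about.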