From: Yaroslav H. <li...@on...> - 2008-12-04 18:09:41
IMHO, means like f2b are marginally effective against such attacks: f2b simply cannot predict the set of IPs of the botnet to ban them in advance, so you would see at least a few (depending on the maxretry parameter) attempts from each IP before it gets banned. That helps a lot (instead of going through a full dictionary of possible login names, the bot manages to get through just a few) but is not ideal.

An alternative additional help might come from banning not a single IP but rather a subnet (tune the action to provide a netmask /24), since it is possible that close-by IPs serve as a part of the botnet. In general it is not that good an idea, since it makes it somewhat easier to organize a DoS attack against some host if you are in the same network as the target of the DoS.

I guess, if you are eager to eliminate such attempts completely, you had better resort to alternative solutions (knocking, default port number change).

On Thu, 04 Dec 2008, Klaus Lehmann wrote:
> hi,
> it has been a long time since I have seen such an aggressive attack on my server.
> please look:
> this is a report from "logwatch":
> Error in PAM authentication: [please, see below]
> (it's only prenames from "ho" to "hy")
> (maybe there are approx. 1000 entries per day. it's not very much,
> but they are spanned, distributed. I think they are coming from
> very(?) big botnets.)
> question to fail2ban_users (I have been using this very excellent tool
> for approx. 2 years):
> what can we do?
> how can f2b react? can we set some special settings for those
> circumstances?
> in the lines below I see no pattern (or better: it's not visible to
> "me")....
> does someone have an idea?

--
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
Linux User                       ^^-^^                    [175555]
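The point in the reply above (per-IP maxretry lets every bot in a distributed attack get a few attempts, whereas counting per /24 catches them earlier, at the cost of collateral bans) can be shown on a handful of log lines. The script below is an added example and is not code from the thread or from fail2ban itself; the sshd "Invalid user" lines are constructed (RFC 5737 documentation addresses), the MAXRETRY value is an assumption, and the ban command it prints is the iptables form a tuned fail2ban action would run, not fail2ban's own action file.

```shell
#!/bin/sh
# Added example (not from the thread): compare per-IP and per-/24 counting
# of failed ssh logins, the way fail2ban's maxretry would see them.

# Constructed sample log: five distinct hosts in 192.0.2.0/24 try one name
# each, one host in 198.51.100.0/24 tries three, plus one legitimate login.
SAMPLE_LOG='Dec  4 10:00:01 host sshd[1001]: Invalid user hoa from 192.0.2.11
Dec  4 10:00:05 host sshd[1002]: Invalid user hob from 192.0.2.12
Dec  4 10:00:09 host sshd[1003]: Invalid user hoc from 192.0.2.13
Dec  4 10:00:13 host sshd[1004]: Invalid user hod from 192.0.2.14
Dec  4 10:00:17 host sshd[1005]: Invalid user hoe from 192.0.2.15
Dec  4 10:00:21 host sshd[1006]: Invalid user hof from 198.51.100.7
Dec  4 10:00:25 host sshd[1007]: Invalid user hog from 198.51.100.7
Dec  4 10:00:29 host sshd[1008]: Invalid user hoh from 198.51.100.7
Dec  4 10:00:33 host sshd[1009]: Accepted publickey for klaus from 203.0.113.5 port 51000 ssh2'

# Assumed threshold, same role as fail2ban's maxretry.
MAXRETRY=3

# Print "count ip" for every source that produced an "Invalid user" line.
failures_by_ip() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '/sshd\[[0-9]+\]: Invalid user .* from [0-9.]+$/ { n[$NF]++ }
             END { for (ip in n) print n[ip], ip }' |
        sort -k2,2
}

# Same count, but keyed on the /24 that the source address sits in.
failures_by_subnet() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '/sshd\[[0-9]+\]: Invalid user .* from [0-9.]+$/ {
                 split($NF, o, ".")
                 n[o[1] "." o[2] "." o[3] ".0/24"]++
             }
             END { for (net in n) print n[net], net }' |
        sort -k2,2
}

# Sources that reach MAXRETRY under each policy.
banned_ips()     { failures_by_ip     | awk -v m="$MAXRETRY" '$1 >= m { print $2 }'; }
banned_subnets() { failures_by_subnet | awk -v m="$MAXRETRY" '$1 >= m { print $2 }'; }

# The only difference between a per-IP and a per-/24 fail2ban action is the
# netmask on -s; iptables normalises 192.0.2.11/24 to 192.0.2.0/24 itself.
# This only prints the command (dry run); a real action would execute it.
ban_command() {
    printf 'iptables -I fail2ban-ssh 1 -s %s -j DROP\n' "$1"
}

report() {
    echo "per-IP counts:";      failures_by_ip
    echo "per-/24 counts:";     failures_by_subnet
    echo "banned per IP (maxretry=$MAXRETRY):";  banned_ips
    echo "banned per /24 (maxretry=$MAXRETRY):"; banned_subnets | while read -r net; do ban_command "$net"; done
}

case "${1:-}" in report) report ;; esac
```

Run it as `sh script.sh report`. Per IP, only 198.51.100.7 reaches maxretry; the five hosts in 192.0.2.0/24 each stay at one attempt and are never banned, which is exactly what the reply describes. Per /24, both networks are banned after the same log, but so would be every legitimate host sharing 192.0.2.0/24 with the bots, which is the collateral-DoS caveat.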