From: Kevin Z. <kev...@gm...> - 2016-02-17 00:01:37
On 02/16/2016 00:53, Christophe Meessen wrote:
> I'm confronted with such a use case. An attacker has a script that tries to
> authenticate on my port 25 (Postfix) with a few minutes interval between
> each attempt. Although authentication on port 25 is not allowed he
> keeps hitting his head on the door. I wish it was possible to ban these
> attempts with a lower threshold and much longer period than the default.
> Fail2ban doesn't allow that.

The strategy I'm thinking about is to keep timestamps of the last few, say, 6 failed attempts from each address. Those with highly regular intervals between attacks would be considered attackers, as should those with very little delay between attempts.

I would have to collect some data and see if this is viable, though.

> But this is not as bad as the one trying many hundreds of times per
> minute. Fail2ban handles these well.
> I must admit I'm currently using fail2ban, but I keep an eye on sshguard.

Thanks for your suggestions!

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
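A sketch of the timestamp heuristic described in the message above, added here as an example; it is not code from the original post or from sshguard. The class name, both thresholds, the use of the coefficient of variation as the regularity measure, and the sample timestamps are assumptions.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

WINDOW = 6          # "the last few, say, 6 failed attempts" kept per address
BURST_MEAN_S = 5.0  # assumed threshold: mean gap below this is "very little delay"
REGULAR_CV = 0.10   # assumed threshold: stdev/mean of gaps below this is "highly regular"

class AttemptTracker:
    """Hypothetical helper: per-address ring buffer of failed-attempt times."""

    def __init__(self):
        self.history = defaultdict(lambda: deque(maxlen=WINDOW))

    def record(self, addr, ts):
        """Store one failed-attempt timestamp (seconds); return the verdict."""
        self.history[addr].append(ts)
        return self.classify(addr)

    def classify(self, addr):
        stamps = self.history.get(addr, ())
        if len(stamps) < WINDOW:
            return "insufficient-data"
        ordered = sorted(stamps)  # log lines may arrive out of order
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        avg = mean(gaps)
        if avg < BURST_MEAN_S:    # checked first, so avg == 0 never divides
            return "burst"
        if pstdev(gaps) / avg < REGULAR_CV:
            return "regular"
        return "irregular"

# Constructed sample: failed-auth timestamps in seconds, documentation addresses.
SAMPLE = {
    "203.0.113.10": [0, 181, 359, 540, 722, 900],   # script, ~3 min apart
    "203.0.113.20": [0, 0.5, 1.0, 1.4, 2.0, 2.6],   # rapid-fire attempts
    "198.51.100.5": [0, 40, 700, 760, 4000, 9000],  # sporadic failures
    "198.51.100.9": [0, 200, 400],                  # too few to judge
}

def run_sample():
    tracker = AttemptTracker()
    verdicts = {}
    for addr, stamps in SAMPLE.items():
        for ts in stamps:
            verdicts[addr] = tracker.record(addr, ts)
    return verdicts

if __name__ == "__main__":
    for addr, verdict in run_sample().items():
        print(addr, verdict)
```

Both "regular" and "burst" verdicts would be treated as attackers under the strategy above; the thresholds would need tuning against collected data, as the message notes.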