On 03.07.2018 at 18:39, Joel Esler (jesler) wrote:
>> On Jul 2, 2018, at 1:17 PM, Reindl Harald <h.rei...@thelounge.net
>> <mailto:h.rei...@thelounge.net>> wrote:
>>
>> on a typical setup freshclam is running once or twice *daily* while a
>> webserver these days can spit out the same small static txt file many
>> thousands of times per second with zero load
>
> That is not the results we are seeing. There are a LARGE amount of
> people that check for updates once or twice a day, yes. However, we
> have hundreds of thousands of people that check for updates hundreds of
> times a day. We haven't started concentrating on these people yet (our
> biggest offender is one IP that checks 100,000+ times a day), but
> clearly that's excessive. We publish approx 5-6 times a day. So, let's
> say you check 50 times a day.... Clearly, that's enough.

either they are no problem or you do "man iptables"

voila - all new connections which are more than 5 per hour from the same
IP are dropped, i have similar rules for specific ports and max
connections per client for many years now - no rocket science

if one asks 100000 times per day that IP is blocked by hand for at least
2 weeks and if it continues until a well explained excuse comes in and
topic closed

iptables -I INPUT -p tcp -i eth0 ! -s 192.168.196.0/24 -m conntrack \
  --ctstate NEW -m recent --set --rsource
iptables -I INPUT -p tcp -i eth0 ! -s 192.168.196.0/24 -m conntrack \
  --ctstate NEW -m recent --update --seconds 3600 --hitcount 5 --rsource \
  -j DROP

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
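
What the two rules in the message above do to a repeat poller, as an added Python simulation that is not part of the original message: it models the documented behaviour of the `recent` match (`--update` refreshes an entry only when it matches; `--rcheck` is included for comparison) and does not touch netfilter. The class and function names, the client IP and the traffic patterns are constructed for illustration.

```python
# Added example: models the documented xt_recent behaviour for the two posted
# rules; it does not talk to netfilter. Function names are hypothetical.
SECONDS, HITCOUNT = 3600, 5      # from the posted --update rule
PKT_LIST_TOT = 20                # xt_recent default ip_pkt_list_tot


class RecentList:
    """Per-source timestamp list, like /proc/net/xt_recent/DEFAULT."""

    def __init__(self):
        self.stamps = {}         # source IP -> list of timestamps (seconds)

    def touch(self, src, now):
        """Append a timestamp (--set, or --update after a match)."""
        self.stamps[src] = (self.stamps.get(src, []) + [now])[-PKT_LIST_TOT:]

    def over_limit(self, src, now):
        """True when at least HITCOUNT stamps fall inside the last SECONDS."""
        hits = sum(1 for t in self.stamps.get(src, []) if now - t <= SECONDS)
        return hits >= HITCOUNT


def new_connection(table, src, now, refresh_on_match=True):
    """Walk the chain as built: the second -I lands at position 1, so the
    DROP rule is evaluated before the --set rule."""
    if table.over_limit(src, now):
        if refresh_on_match:     # --update; False models --rcheck instead
            table.touch(src, now)
        return "DROP"
    table.touch(src, now)        # --set rule: record and keep traversing
    return "PASS"


def passed(times, refresh_on_match=True, src="203.0.113.7"):  # constructed IP
    table = RecentList()
    verdicts = [new_connection(table, src, t, refresh_on_match) for t in times]
    return verdicts.count("PASS")


# Constructed traffic over six hours.
EVERY_5_MIN = [i * 300 for i in range(72)]
EVERY_20_MIN = [i * 1200 for i in range(18)]

if __name__ == "__main__":
    print("5-min poller, --update:", passed(EVERY_5_MIN), "of 72 pass")
    print("5-min poller, --rcheck:", passed(EVERY_5_MIN, False), "of 72 pass")
    print("20-min poller, --update:", passed(EVERY_20_MIN), "of 18 pass")
```

With `--update`, the five-minute poller gets its first five connections and then stays blocked for as long as it keeps trying, because every dropped attempt refreshes its entry; with `--rcheck` it would periodically regain five connections.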