On Thu 16 Aug 2018 at 14:07:02 -0400, cyaiplexys wrote:

> On 08/16/2018 01:00 PM, Dave Sherohman wrote:
> > On Wed, Aug 15, 2018 at 09:29:58PM -0400, cyaiplexys wrote:
> > > Is there a better way to do this? I have a cron job that gathers IP
> > > addresses that get more than 1,000 hits from the apache log file and that
> > > gets put in the ip.blacklist.perm file.
> >
> > If (as the filename implies) you want to block these addresses
> > permanently, then why are you using a tool designed to manage blocks
> > dynamically (fail2ban)? Just use your preferred firewall management
> > tool to add a rule to block them outside of fail2ban.
> >
> > For example, I manage my firewalls with ufw, so I would use 'ufw deny
> > from $IP_ADDR'. It takes effect instantly, with no need to restart
> > anything, and will be persistent across reboots.
> >
> > If you don't actually want them to be permanent, then you could instead
> > create a fail2ban jail which detects IP addresses which have generated
> > 1000 incoming requests to ports 80/443 within the last 60 minutes (or
> > whatever timeframe your log analysis script looks at) and bans them for
> > a week (or however long you like), without needing to wait for the log
> > analysis script to run first. And you can also whitelist certain IPs in
> > the jail config, if there are internal service monitoring machines or
> > whatever which legitimately generate levels of traffic which would
> > normally trigger a ban.
>
> See, that all is way over my head. I don't understand this stuff as I'm
> pretty much a total beginner in this. Do Debian and Debian-based systems
> have the firewall installed and running by default? Are there tutorials on

Debian? No.

--
Brian.
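The approach Dave outlines above (count requests per client address inside a time window, skip whitelisted monitoring hosts, then block the offenders with `ufw deny from <ip>`) as an added worked example; this is not code from anyone in the thread, and the log lines, addresses (documentation ranges 203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32, plus 10.0.0.5 standing in for an internal monitor) and the 1000-requests-per-hour parameters are all constructed here for illustration. The script only prints the ufw commands; running them is left to the operator.

```python
"""
Flag client IPs that exceed a request threshold inside a sliding time window
in an Apache "combined" access log, honouring an ignore list, and emit the
matching `ufw deny from <ip>` commands.  Log lines are assumed to be in
chronological order per IP (true for a live access log).
"""
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: client ident user [timestamp] "request" status bytes "referer" "agent"
# Only the client address and the timestamp are needed for rate counting.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip_address, aware datetime) for a valid line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group("ip")), datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:  # malformed address or timestamp: skip rather than crash
        return None


def find_offenders(lines, threshold=1000, window=timedelta(hours=1), ignore=()):
    """Map each offending IP (as a string) to the time it first crossed the threshold.

    `ignore` is an iterable of CIDR strings (the equivalent of fail2ban's ignoreip).
    """
    ignore_nets = [ipaddress.ip_network(n, strict=False) for n in ignore]
    recent = defaultdict(deque)  # ip -> timestamps seen within the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        if any(ip in net for net in ignore_nets):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop hits older than the window
            q.popleft()
        if len(q) >= threshold and str(ip) not in offenders:
            offenders[str(ip)] = ts
    return offenders


def ufw_commands(offenders):
    """One `ufw deny from <ip>` per offender; ufw applies these immediately and persists them."""
    return [f"ufw deny from {ip}" for ip in sorted(offenders)]


def sample_log(ip, start, count, step):
    """Constructed log lines (not real traffic): `count` GETs from `ip`, `step` apart."""
    return [
        f'{ip} - - [{(start + i * step).strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512 "-" "curl/7.64.1"'
        for i in range(count)
    ]


START = datetime(2018, 8, 16, 12, 0, tzinfo=timezone.utc)
SAMPLE_LINES = (
    sample_log("203.0.113.7", START, 1200, timedelta(seconds=1))     # 1200 hits in 20 min: ban
    + sample_log("198.51.100.9", START, 1200, timedelta(seconds=10))  # 1200 hits over 3h20m: never 1000/hour
    + sample_log("10.0.0.5", START, 1500, timedelta(seconds=1))       # assumed internal monitor: whitelisted
    + sample_log("2001:db8::1", START, 20, timedelta(seconds=1))      # IPv6 client, well under the limit
    + ["not an access log line at all"]                               # malformed input is skipped
)

if __name__ == "__main__":
    for cmd in ufw_commands(find_offenders(SAMPLE_LINES, ignore=["10.0.0.0/8"])):
        print(cmd)
```

The second sample address shows why a per-window count matters: a cron job that only totals hits over the whole log would blacklist 198.51.100.9 (1200 requests) even though it never exceeds about 360 requests in any hour. The dynamic alternative Dave mentions maps onto fail2ban's own jail settings: a filter whose `failregex` matches every access-log line (`^<HOST> - `), with `maxretry = 1000`, `findtime = 3600`, `bantime = 604800` for a one-week ban, and `ignoreip` listing the monitoring hosts.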