On 21 June 2024 at 11:50:23 UTC, user Alessandro Vesely via mailop 
<mailop@mailop.org> wrote:

>That db currently holds 2,014,973 records.  Rather than ipset or single 
>iptables rules, the IPs are stored in a Berkeley DB.  They get blocked by a 
>few iptables rules ending in -j NFQUEUE.  That passes the packet to a 
>userspace daemon which consults the database and decides whether to drop the 
>packet or not.  See https://savannah.nongnu.org/projects/ipqbdb/
>
>It's much more do-it-yourself than fail2ban.

I use fail2ban's bantime increment (incremental bantime) with a custom
action, which, on a configured repeat count, adds the IP to a "permanent"
ipset (currently when the bantime reaches 60 days). That permanent ipset is
inspected daily (by a cron job), its counters are stored in an sqlite DB, and
entries are removed after a (configurable, currently 120 days) period of
inactivity. ipset itself allows IPv6 to be processed per /64, so there is no
need to worry about that.

While fighting with Submission/IMAP logins I found that ipset's maximum
timeout (~24 days) is not enough to catch botnet repeats; the common
repeat interval was ~50-60 days.

The only thing missing from ipset is that there is no simple way to be
notified about items being added/removed, so as to save its current state on
change; thus I save it at a regular interval...

BTW, that system reveals that most IPs make "short time" attempts; not many
IPs end up in that permanent block (from the time when login attacks
moved to you ;-) ), and only a relatively small number of entries have been
in it for more than 270 days. On the MX the oldest entry has been blocked for
380 days, with the last attempt on 2024-03-28. On the MSA the oldest entry
has been blocked for 490 days, with the last attempt ~7 days ago, so it
continues. The webserver (and scanners) is another story...

regards


-- 
Slavko
https://www.slavino.sk/
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
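The daily cron job Slavko describes (inspect the permanent ipset, keep its counters in sqlite, drop members inactive for 120 days) is easy to get subtly wrong, so here is an added example of one way to write it. This is not Slavko's script and not part of the mail; it assumes the set was created with the ipset `counters` extension, that the cron job pipes `ipset list <set>` into the parser, and that the set name `permban`, the table schema and the two sample listings are constructed for illustration. The job only emits the `ipset del` commands rather than running them, so it can be dry-run.

```python
"""Daily audit of a "permanent" ipset (added example, not from the mail):
keep each member's packet counter in SQLite and expire members whose
counter has not moved for MAX_IDLE_DAYS.  Assumptions: the set exists with
the counters extension, e.g. `ipset create permban hash:net family inet6
counters`; the set name, schema and sample listings below are constructed.
"""
import datetime as dt
import re
import sqlite3

SET_NAME = "permban"    # hypothetical set name
MAX_IDLE_DAYS = 120     # expire members idle longer than this

# With counters, each line after "Members:" is "<ip-or-net> packets N bytes M".
_MEMBER_RE = re.compile(r"^(\S+)\s+packets\s+(\d+)\s+bytes\s+(\d+)$")


def parse_ipset_list(text):
    """Return {member: packets} from `ipset list` output."""
    members, in_members = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "Members:":
            in_members = True
            continue
        m = _MEMBER_RE.match(line) if in_members else None
        if m:
            members[m.group(1)] = int(m.group(2))
    return members


def open_db(path=":memory:"):
    """Open (or create) the tracking table; ':memory:' keeps the demo offline."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS ban (member TEXT PRIMARY KEY,"
                 " packets INTEGER NOT NULL, first_seen TEXT NOT NULL,"
                 " last_active TEXT NOT NULL)")
    return conn


def record_activity(conn, members, today):
    """A new member, or one whose packet count grew since the last run, gets
    last_active = today.  A smaller count means the set was re-created or
    restored without counters: resync the stored value, count no activity."""
    day = today.isoformat()
    for member, packets in members.items():
        row = conn.execute("SELECT packets FROM ban WHERE member=?", (member,)).fetchone()
        if row is None:
            conn.execute("INSERT INTO ban VALUES (?,?,?,?)", (member, packets, day, day))
        elif packets > row[0]:
            conn.execute("UPDATE ban SET packets=?, last_active=? WHERE member=?",
                         (packets, day, member))
        elif packets < row[0]:
            conn.execute("UPDATE ban SET packets=? WHERE member=?", (packets, member))
    conn.commit()


def expire(conn, members, today, max_idle_days=MAX_IDLE_DAYS):
    """Return `ipset del` commands for members idle longer than max_idle_days
    and forget them; rows for members already gone from the set are dropped.
    ISO dates compare correctly as strings."""
    cutoff = (today - dt.timedelta(days=max_idle_days)).isoformat()
    cmds = []
    for member, last_active in conn.execute("SELECT member, last_active FROM ban").fetchall():
        if member not in members:
            conn.execute("DELETE FROM ban WHERE member=?", (member,))
        elif last_active < cutoff:
            cmds.append(f"ipset del {SET_NAME} {member}")
            conn.execute("DELETE FROM ban WHERE member=?", (member,))
    conn.commit()
    return cmds


# Constructed `ipset list` output for two cron runs 130 days apart: the
# first /64 keeps sending, the second never sends again, a third is new.
DAY1 = """Name: permban
Type: hash:net
Header: family inet6 hashsize 1024 maxelem 65536 counters
Number of entries: 2
Members:
2001:db8:1::/64 packets 14 bytes 1120
2001:db8:2::/64 packets 0 bytes 0
"""
DAY2 = (DAY1.replace("packets 14 bytes 1120", "packets 20 bytes 1600")
            .replace("entries: 2", "entries: 3")
        + "2001:db8:3::/64 packets 3 bytes 240\n")


def run_demo():
    """Day 1 expires nothing; on day 131 the silent /64 is past the limit."""
    conn = open_db()
    day1 = dt.date(2024, 1, 1)
    m1 = parse_ipset_list(DAY1)
    record_activity(conn, m1, day1)
    cmds1 = expire(conn, m1, day1)
    day2 = day1 + dt.timedelta(days=130)
    m2 = parse_ipset_list(DAY2)
    record_activity(conn, m2, day2)
    cmds2 = expire(conn, m2, day2)
    return cmds1, cmds2
```

Activity is judged by the counter moving, not by the member merely being present, which is what makes the 120-day idle window meaningful: an entry that keeps tripping the rule is renewed every day it does so. Because ipset gives no change notification, the same cron run is a natural place to `ipset save` the set after the deletions, which also persists the counters the next run compares against.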