> On Sat, Feb 22, 2014 at 02:16:20PM -0800, Keith Lofstrom wrote:
> > 1) The websites I offer from my virtual server are increasingly
> > being hammered by exploitbots, sometimes driving the load average
> > above 30. Many different sources, I assume virus-infected home
> > computers in botnets looking for common weaknesses. What is the
> > easiest way to throttle traffic from such machines, or detect
> > similar "attack" requests (mysql exploits, for example) and
> > blacklist the IP addresses they come from?

On Sat, Feb 22, 2014 at 04:01:36PM -0800, Paul Mullen wrote:
> I like fail2ban. You tell it which log files to watch, what patterns
> to look for (and/or ignore), and what to do when there's a match. It
> comes preconfigured with a large collection of "filters" that will
> catch the usual suspects (ssh worms, script kiddies, etc.), and is
> easy to extend with custom filters. By default, it uses iptables to
> ban any offending IP addresses for a certain period.
>
> http://www.fail2ban.org/

Late response - I finally got time to fiddle with fail2ban - and it ate my vpn, because of a misconfiguration in a routing file that caused openvpn to throw error messages. Which was a bit painful, because the system I run this on is a virtual that I normally connect to only through that vpn.

I fixed the config (using /sbin/route instead of merely "route" in a config file), but there may be other time bombs lurking, and I can't afford to trigger those at an unplanned time. So, for now, I'll delay implementing fail2ban.

However, this did suggest a much better way of dealing with all this. I run a virtual at Rimuhosting, sharing a machine with many other users, in racks of hundreds of similar machines. A probing attack on me or any of my fellow tenants slows down the machine we share, the pipe connecting us into the colo, etc. What if customers could purchase a common defense from Rimuhosting, where the Xen host is doing this packet filtering, sharing exploit data with all the other Xen hosts, reducing bandwidth and compute and storage losses for all the customers choosing the additional service?

In addition, Rimuhosting could monitor (optionally) client outbound traffic for exploits, informing customers that their machines might be compromised.

Such services should be optional, and might come with additional fees, but I would sign up for them in a heartbeat.
Keith
--
Keith Lofstrom [email protected]

PLUG mailing list [email protected] http://lists.pdxlinux.org/mailman/listinfo/plug
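As an added illustration of what fail2ban does with the log files, patterns and ban rule Paul describes (this is my own sketch, not fail2ban's code or anything posted in the thread): a filter-style regex using fail2ban's `<HOST>` placeholder is run over constructed web-server log lines, hits are counted per address inside a time window, and an ignore list keeps a VPN range from being banned, the kind of lockout Keith ran into. The admin-tool paths in the regex, the log lines and the 10.8.0.0/24 VPN range are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical fail2ban-style failregex: <HOST> is fail2ban's placeholder for the
# client address; the admin-tool paths are constructed examples of scanner probes.
FAILREGEX = r'^<HOST> -.*"(GET|POST) /(phpmyadmin|pma|mysql)[^"]*" 404 '
LOG_TIME = re.compile(r'\[(\d+/\w+/\d+:\d+:\d+:\d+) [+-]\d{4}\]')

# Constructed Apache-style access-log lines; 10.8.0.2 stands in for a VPN peer.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Feb/2014:14:16:20 -0800] "GET /phpmyadmin/ HTTP/1.1" 404 512
203.0.113.7 - - [22/Feb/2014:14:16:21 -0800] "GET /pma/ HTTP/1.1" 404 512
203.0.113.7 - - [22/Feb/2014:14:16:22 -0800] "GET /mysql/admin/ HTTP/1.1" 404 512
198.51.100.9 - - [22/Feb/2014:14:17:01 -0800] "GET /pma/ HTTP/1.1" 404 512
198.51.100.9 - - [22/Feb/2014:14:17:05 -0800] "GET /phpmyadmin/ HTTP/1.1" 404 512
198.51.100.9 - - [22/Feb/2014:14:30:00 -0800] "GET /mysql/ HTTP/1.1" 404 512
10.8.0.2 - - [22/Feb/2014:14:18:00 -0800] "GET /phpmyadmin/ HTTP/1.1" 404 512
10.8.0.2 - - [22/Feb/2014:14:18:01 -0800] "GET /pma/ HTTP/1.1" 404 512
10.8.0.2 - - [22/Feb/2014:14:18:02 -0800] "GET /mysql/ HTTP/1.1" 404 512
"""

def compile_failregex(failregex):
    """Translate the <HOST> placeholder into a named capture group."""
    return re.compile(failregex.replace('<HOST>', r'(?P<host>\S+)'))

def find_bans(log_text, failregex, maxretry=3, findtime=600, ignoreip=()):
    """Addresses matched >= maxretry times within findtime seconds, minus ignoreip."""
    rx = compile_failregex(failregex)
    nets = [ipaddress.ip_network(n) for n in ignoreip]
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m, t = rx.search(line), LOG_TIME.search(line)
        if not m or not t:
            continue
        host = ipaddress.ip_address(m.group('host'))
        if any(host in net for net in nets):
            continue  # the jail's ignoreip: never lock out the VPN range
        hits[str(host)].append(datetime.strptime(t.group(1), '%d/%b/%Y:%H:%M:%S'))
    banned = []
    for host, times in hits.items():
        times.sort()
        # slide a window of maxretry hits; ban when one fits inside findtime
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return sorted(banned)
```

The third address trips the same filter but is spread over 13 minutes, so it only gets banned if findtime is widened; that window and the ignoreip list are the two knobs to check before turning a jail on over a VPN-only box.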
