On 26.11.2010 01:39, Stephen Thorne wrote:
> On 2010-11-25, Udo Rader wrote:
>> Hi,
>>
>> in the past couple of days we have been somewhat hit by quite a lot of
>> brute force SASL related attacks.
>>
>> I've now adapted fail2ban to catch those attacks, but I am wondering how
>> others fight those attacks.
>>
>> Maybe there is something similar to an RBL for brute force attacks?
>
> I have some scripts configured to detect and drop these hosts.
>
> If you're running Linux with ipsets compiled properly (some distros do,
> some distros don't..) I have a relatively simple configuration that
> makes selectively dropping traffic quite easy, and quite painless to do
> from scripts.
>
> # at boot, create blackhole and lan sets:
> ipset -N blackhole_ips iptree --timeout 900
> ipset -N lan_nets nethash
> ipset -A lan_nets 10.0.0.0/8 # add whatever local nets you need
> ipset -A lan_nets 127.0.0.0/8
> # drop anything that's blackholed, whitelisting anything local.
> iptables -A INPUT -m set --set blackhole_ips src -m set ! --set lan_nets src -j DROP
>
> Then you can script whatever you're using to catch brute force attacks
> to do this command:
> ipset -A blackhole_ips $ip
>
> Change --timeout above to change how long to drop their traffic for. The
> IPs will disappear automatically from the blackhole set after the
> timeout expires; this is all managed by the netfilter layer in the
> kernel, so you don't have to run any daemons beyond your log parser.
>
I have configured fail2ban with ipset; works nice too.

-- 
Best Regards
Kind regards,
Robert Schetterer
Germany/Munich/Bavaria
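As an added illustration of the "log parser" half of the setup quoted above (example code, not from either poster), the script below counts Postfix "SASL ... authentication failed" warnings per client IP over a few constructed log lines and emits the `ipset -A blackhole_ips $ip` command from the thread for every IP at or above a threshold. It only prints the commands (dry run); the log lines, IPs and threshold are assumptions, and the address pattern covers IPv4 only.

```shell
#!/bin/sh
# Added example: per-IP SASL failure counting over Postfix-style log lines,
# feeding the ipset blackhole set described in the thread. Dry run only.

THRESHOLD=${THRESHOLD:-3}   # failures needed before an IP is blackholed

# Constructed sample log lines (not real traffic), in Postfix smtpd format.
SAMPLE_LOG='Nov 25 23:01:02 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Nov 25 23:01:05 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Nov 25 23:01:09 mx postfix/smtpd[1235]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Nov 25 23:02:00 mx postfix/smtpd[1236]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Nov 25 23:02:30 mx postfix/smtpd[1237]: 4F2C1: client=host.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=bob'

# offenders LOGTEXT: print, one per line and sorted, every IPv4 client
# address with at least THRESHOLD SASL authentication failures.
offenders() {
    printf '%s\n' "$1" |
    grep 'SASL [A-Z-]* authentication failed' |
    # keep only the address inside the brackets that precede ": SASL"
    sed -n 's/.*\[\([0-9.]*\)\]: SASL.*/\1/p' |
    sort | uniq -c |
    awk -v t="$THRESHOLD" '$1 >= t { print $2 }' |
    sort
}

# blackhole_commands LOGTEXT: the ipset command from the thread for each
# offender; printed rather than executed so the logic can be checked first.
blackhole_commands() {
    offenders "$1" | while read -r ip; do
        printf 'ipset -A blackhole_ips %s\n' "$ip"
    done
}

blackhole_commands "$SAMPLE_LOG"
```

Piping the output into `sh` (or calling `ipset` directly in the loop) would apply the entries; the `--timeout` on the set handles expiry, so nothing else needs to run.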