On 01/07/13 04:30, Stan Hoeppner wrote:
> On 6/28/2013 12:31 PM, John Fawcett wrote:
>
>> One type of connection which I cannot block in fail2ban are clients that
>> try the AUTH command on port 25, where I have disabled it. I got 245
>> connections this morning in the space of 5 minutes and those are the
>> ones that got through despite the connection concurrency limit being hit
>> 277 times.
>
> Anvil did its job preventing a DOS condition on smtpd. Even if these
> had progressed far enough to be rejected they'd still have not put
> significant load on the server.
>
> Thus the sum total negative impact of this attack on my MX is a bloated
> log. For me, personally, it's not worth the hassle to implement
> fail2ban simply to keep the log tidy.
>
> In your case John are you suffering anything more than a bloated log?
> Is one extra connect/second causing problems?
>
I installed fail2ban more out of concerns for security across a number of services, primarily sshd, but then extended to others including postfix. I then became interested in using it to block people hammering the server. I am not sure how much hammering it actually stops since I don't generally see it. Only a failure of fail2ban in this case enabled me to investigate further.

The additional connection load in this case is probably irrelevant; however, I still prefer to block because there is no guarantee that spambots will stay within acceptable limits and I prefer to be cautious.

John