On 08.06.2014 18:27, Joe Laffey wrote:
> On Sun, 8 Jun 2014, li...@rhsoft.net wrote:
>> On 08.06.2014 17:18, Joe Laffey wrote:
>>> On Sun, 8 Jun 2014, Kai Krakow wrote:
>>>
>>>> Noel Jones <njo...@megan.vbhcs.org> wrote:
>>>>
>>>> But I want to (automatically) block the suspicious networks and not first
>>>> block all then whitelist the known-good.
>>>
>>> Not sure I completely understand the issue, but is this something where you
>>> could use fail2ban to monitor your logs in real time and autoban via iptables
>>> any IP that had failed logins? You could whitelist your own IP range so they
>>> never get banned regardless.
>>
>> the idea of using a RBL is that you can set up your own honeypot
>> like i did last weekend, feed your own RBL and most likely get
>> only real bad bots and *before* they ever touch your machine
>>
>> our honeypot is using free public IPs and listens on every
>> common port writing every connecting IP into a RBL
>>
>> within a week 40000 client IPs and 15%-20% don't expire
>> after the configured 7 days because they always come back
>>
>> you can assume no customer ever will touch the honeypot
>
> Could you possibly set up a honeypot that feeds its logs via syslogging to
> your main server... then use fail2ban to ban IPs from that log as well? You
> could even use separate regexes that matched only logs from the honeypot and
> have a much greater ban time on those.
>
> I do see the speed advantage to an RBL, and we used to run one that was
> mainly manually set up (using djbdns's rbl). I have just fallen in love with
> the auto operation of tools like fail2ban.
>
> Either way, the honeypot is a good idea to catch some known spammers. Though
> are we talking about spammers trying to guess SASL passwords, or ones that
> already have account credentials, or open relays?
>
> Note that I believe fail2ban could be set up with custom regexps to be used as
> a rate limiting tool for sending mail with valid credentials. Perhaps not the
> best solution for that, as it completely blocks the IP, but it would be
> automatic.
Surely you could do a lot of things, but why set up fail2ban at all if you have no sshd on standard ports and already have a hyperfast "rbldnsd" running which scales over more than one server without touching any configuration? Frankly, you can even use your RBL with web application firewalls:
http://blog.modsecurity.org/2010/09/advanced-topic-of-the-week-real-time-blacklist-lookups.html
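As an added example (not code from this thread or from rbldnsd), here is a minimal Python feeder for the honeypot-to-RBL loop discussed above: it records the latest sighting per client IP, drops an entry 7 days after its last visit, refreshes the timer when an IP comes back, skips your own ranges, and writes an rbldnsd ip4set dataset. The log line format, the own-range value and the ip4set default-value line are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

EXPIRY = timedelta(days=7)  # listing lifetime after the last sighting
# Own/customer ranges are never listed even if they touch the honeypot
# (assumed, constructed value).
NEVER_LIST = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed honeypot log: "<ISO 8601 timestamp> <client IP>", one per connection.
LOGS = [
    "2014-05-30T22:10:00+00:00 192.0.2.100",   # old sighting: will have expired
    "2014-06-01T10:00:00+00:00 198.51.100.7",
    "2014-06-07T09:30:00+00:00 192.0.2.44",
    "2014-06-08T08:00:00+00:00 198.51.100.7",  # came back: expiry refreshed
    "2014-06-08T08:05:00+00:00 203.0.113.9",   # own range: ignored
]
NOW = datetime(2014, 6, 9, 12, 0, tzinfo=timezone.utc)


def update_state(state, log_lines):
    """Record the most recent sighting per IP; state maps ip -> datetime."""
    for line in log_lines:
        ts, ip = line.split()
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in NEVER_LIST):
            continue
        seen = datetime.fromisoformat(ts)
        if ip not in state or seen > state[ip]:
            state[ip] = seen
    return state


def expire(state, now):
    """Drop entries whose last sighting is older than EXPIRY."""
    return {ip: t for ip, t in state.items() if now - t < EXPIRY}


def render_ip4set(state):
    """Emit an rbldnsd ip4set dataset: default value line, then one IP per line."""
    lines = [":127.0.0.2:connected to honeypot"]
    lines += sorted(state, key=ipaddress.ip_address)
    return "\n".join(lines) + "\n"


def build_dataset(log_lines, now):
    """Full pipeline for one run over a batch of log lines."""
    return render_ip4set(expire(update_state({}, log_lines), now))


if __name__ == "__main__":
    print(build_dataset(LOGS, NOW), end="")
```

In practice the state would be persisted between runs and the rendered file handed to rbldnsd, which reloads changed dataset files on its own.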