April 26, 2022 12:16 PM, "Mauricio Tavares" <raubvo...@gmail.com> wrote:

> Please explain how certificate authentication is, as you said,
> 100% efficient against brute-force attacks. 

No password = no possible brute-forced password.


> If these 100s or 1000s of IP addresses are sending each thousands of
> connection requests a minute, isn't this a DDoS?

No, it's probably not. And you are trying to change the question here, so that 
it matches the solution you advocate for. The day you'll experience a real 
DDoS, I'm pretty sure F2B will see absolutely nothing about it. You don't need 
to target an open port/service to DDoS a server, 99.99% of the time it's just a 
flood of packets putting your firewall on its knees. 
To put a nice example on the table: last time we had a huge DDoS at work, it 
was in 2014, we were flooded with peaks at more than 15Gbps of traffic (SYN 
flood, NTP, etc.). It was intermittent and lasted about 3 weeks. Our operator 
had to drop/null route all traffic from outside Europe during 11 days to 
protect us. And it was the attack of just one angry guy through a pay-for-use 
DDoS service.

Brute-forcing passwords/accounts has nothing to do with DDoS. The purpose of 
brute-forcing passwords is gaining access to a service in order to exploit it 
(steal data, send spam, etc.). The purpose of DDoS is to render the service 
unavailable.

Unless you run Postfix on a 10-year-old Raspberry, it can handle the load. But 
again, I'm not rejecting Fail2Ban, as it can have some value. I'm just saying 
it's not a solution to modern brute-force attacks on passwords/accounts. And on 
larger email systems it can even cost you more time in support (like when you 
get a legitimate shared IP address blacklisted).


patpro
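The point patpro makes about Fail2Ban and distributed brute-force can be seen directly in the logs. The following is an added example, not code from this thread or from the Postfix or Fail2Ban projects: it applies a Fail2Ban-style per-IP rule (maxretry failures within findtime) to two constructed sets of SASL failure lines, one host hammering the server and many hosts each staying under the threshold. The log line format, the host name mx1, the IP addresses (documentation ranges) and the function names are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Regex for the constructed lines below; they are modelled on Postfix smtpd
# SASL failure warnings but are not captured traffic.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: '
    r'warning: \S+\[(?P<ip>[0-9.]+)\]: SASL \w+ authentication failed'
)

BASE = datetime(2022, 4, 26, 12, 0, 0)  # constructed reference time


def make_line(ts, ip, pid=4242):
    """Build one constructed SASL failure line for host 'mx1' (assumed name)."""
    return (f"{ts:%b %d %H:%M:%S} mx1 postfix/smtpd[{pid}]: warning: "
            f"unknown[{ip}]: SASL LOGIN authentication failed: UGFzc3dvcmQ6")


def parse_failures(lines, year=2022):
    """Return (timestamp, ip) for every line that is a SASL authentication failure."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m['ip']))
    return out


def per_ip_bans(failures, maxretry=5, findtime=timedelta(minutes=10)):
    """Fail2Ban-style rule: ban an IP once it has maxretry failures inside a sliding findtime window."""
    banned = set()
    history = defaultdict(list)
    for ts, ip in sorted(failures):
        if ip in banned:
            continue
        # drop failures that have aged out of the window, then add this one
        hist = [t for t in history[ip] if ts - t <= findtime] + [ts]
        history[ip] = hist
        if len(hist) >= maxretry:
            banned.add(ip)
    return banned


def summarize(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """What the per-IP rule sees versus what the server as a whole is absorbing."""
    failures = parse_failures(lines)
    per_ip = Counter(ip for _, ip in failures)
    return {
        "failures": len(failures),                     # total guesses against the service
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),  # the only number Fail2Ban reacts to
        "banned": per_ip_bans(failures, maxretry, findtime),
    }


def scenario_single_ip(attempts=20):
    """One host guessing every 3 seconds: the case a per-IP ban handles well."""
    return [make_line(BASE + timedelta(seconds=3 * i), "203.0.113.5") for i in range(attempts)]


def scenario_distributed(hosts=300, attempts_per_host=2, spread=timedelta(minutes=10)):
    """Many hosts, each making only a couple of attempts, spread evenly over the window."""
    ips = [f"198.51.100.{i}" for i in range(1, 201)] + [f"192.0.2.{i}" for i in range(1, 101)]
    if hosts > len(ips):
        raise ValueError("at most 300 constructed hosts available")
    ips = ips[:hosts]
    step = spread / (hosts * attempts_per_host)
    lines, n = [], 0
    for _ in range(attempts_per_host):
        for ip in ips:
            lines.append(make_line(BASE + step * n, ip))
            n += 1
    return lines


if __name__ == "__main__":
    for name, lines in (("single host", scenario_single_ip()),
                        ("distributed", scenario_distributed())):
        s = summarize(lines)
        print(f"{name}: {s['failures']} failures from {s['distinct_ips']} IPs, "
              f"max {s['max_per_ip']} per IP, banned {sorted(s['banned']) or 'nothing'}")
```

With the default maxretry of 5, the single host is banned after its fifth attempt, while the distributed run delivers 600 guesses in the same ten minutes and bans nobody, because no source ever exceeds two failures. Lowering maxretry toward 1 closes that gap only by making the shared-IP false positives the post mentions more likely, which is why the aggregate failure count per window, not the per-IP count, is the metric worth alerting on.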
