I’m not really sure if you understand that F2B is just a set of
scripts wrapped around iptables (a firewall) - but that’s all it is -
the real-work is being done by iptables which can be very effective
against DDoS. Plenty of articles, papers, etc. on this very topic so
your assertion that F2B is ineffective against DDoS or other attacks is
simply false and DOA…
- - -
On 26 Apr 2022, at 4:09, pat...@patpro.net wrote:
April 26, 2022 12:16 PM, "Mauricio Tavares" <raubvo...@gmail.com> wrote:
Please explain how certificate authentication is, as you said,
100% efficient against brute-force attacks.
No password = no possible brute-forced password.
If these 100s or 1000s of IP addresses are sending each thousands of
connection requests a minute, isn't this a DDoS?
No it's probably not. And you are trying to change the question here,
so that it matches the solution you advocate for. The day you'll
experience a real DDoS, I'm pretty sure F2B will see absolutely
nothing about it. You don't need to target an open port/service to
DDoS a server, 99,99% of the time it's just a flood of packets putting
your firewall on its knees.
To put a nice example on the table: last time we had a huge DDoS at
work, it was in 2014, we were flooded with peaks at more than 15Gbps
of traffic (syn flood, ntp, etc.). It was intermittent and lasted
about 3 weeks. Our operator had to drop/null route all traffic from
outside Europe during 11 days to protect us. And it was the attack of
just one angry guy through a pay-for-use DDoS service.
Brute-forcing passwords/accounts has nothing to do with DDoS. Purpose of
brute-forcing passwords is gaining access to a service in order to
exploit it (steal data, send spam, etc.). Purpose of DDoS is to render
the service unavailable.
Unless you run postfix on a 10-year-old Raspberry, it can handle the
load. But again, I'm not rejecting Fail2Ban, as it can have some
value. I'm just saying it's not a solution to modern brute-force
attacks on passwords/accounts. And on larger email systems it can even
cost you more time in support (like when you get a legitimate shared
IP address blacklisted).
patpro
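An added illustration of the mechanism both posters are arguing about (example code written for this page, not from the thread and not Fail2Ban's own code): a small Python model of a Fail2Ban-style jail that counts postfix SASL failures per source IP and "bans" at maxretry failures within findtime, run over a constructed mail-log excerpt where one client retries from a single address while a second campaign spreads the same number of attempts over twenty addresses. The hostname mx1, the process id and all IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the SASL failure line postfix/smtpd writes to the mail log.
SASL_FAIL = re.compile(r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")

def parse_failures(lines, year=2022):
    """Return (timestamp, ip) for every SASL authentication failure in the log lines."""
    events = []
    for line in lines:
        m = SASL_FAIL.search(line)
        if m:  # syslog prefix "Apr 26 12:16:01" carries no year, so supply one
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("ip")))
    return events

def fail2ban_bans(events, maxretry=5, findtime=600):
    """Mimic a Fail2Ban jail: ban an IP once it has maxretry failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent, banned = defaultdict(list), set()
    for ts, ip in sorted(events):
        if ip in banned:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)  # real Fail2Ban would now insert an iptables DROP rule for ip
    return banned

def build_sample_log():
    """Constructed mail-log excerpt (hypothetical host mx1, documentation IP ranges)."""
    base = datetime(2022, 4, 26, 12, 16, 0)
    fmt = "%b %d %H:%M:%S mx1 postfix/smtpd[2231]: warning: unknown[{ip}]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"
    lines = []
    for i in range(6):  # single source: 6 failures in 75 seconds
        lines.append((base + timedelta(seconds=15 * i)).strftime(fmt).format(ip="203.0.113.7"))
    for i in range(20):  # distributed: 20 sources, 2 failures each, spread over 10 minutes
        for j in range(2):
            t = base + timedelta(seconds=30 * i + 10 * j)
            lines.append(t.strftime(fmt).format(ip=f"198.51.100.{i + 1}"))
    return lines

def summarize(lines, **jail):
    events = parse_failures(lines)
    banned = fail2ban_bans(events, **jail)
    return {"failures": len(events), "sources": len({ip for _, ip in events}), "banned": sorted(banned)}

if __name__ == "__main__":
    print(summarize(build_sample_log()))  # only the single noisy source is banned
```

With the default jail the distributed campaign (40 of the 46 failures) produces no ban at all; lowering maxretry to 2 catches it, but then every one of the 21 sources is banned, which is the shared-IP false-positive cost the message above describes.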