Bob Proulx wrote:
> ... distributed attacks such as this they can be quite difficult to
> avoid. I started looking in depth last night but unfortunately my
> first attempts to mitigate this didn't help significantly.

It looks like I was actually making some headway. I am tweaking
fail2ban to detect the IP addresses used in the attack and having it
block those addresses. However one danger I am trying to avoid is
blocking valid users. But anyway these are the current block stats at
this time.

root@vcs0:~# fail2ban-client status nginx-viewvc
Status for the jail: nginx-viewvc
|- filter
|  |- File list: /var/log/nginx/access.log
|  |- Currently failed: 6
|  `- Total failed: 66586
`- action
   |- Currently banned: 1
   |  `- IP list: ...
   `- Total banned: 3371

root@vcs0:~# fail2ban-client status nginx-cgit
Status for the jail: nginx-cgit
|- filter
|  |- File list: /var/log/nginx/access.log
|  |- Currently failed: 912
|  `- Total failed: 267559
`- action
   |- Currently banned: 510
   |  `- IP list: ...
   `- Total banned: 40454

40454 plus 3371! Some offenders do repeat. A quick scan shows 9428
unique addresses in the attack. The above has only been running
overnight. Yet even though it is making headway it is still not
aggressive enough. Tweaking.

Bob
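
An added example, not part of the original message and not the filter in use on vcs0: a replay of fail2ban-style maxretry/findtime/bantime counting over constructed nginx access-log lines, showing why the ban total exceeds the number of unique addresses and how an allowlist keeps valid users out of the count. The URL prefixes, allowlist range and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Start of an nginx "combined" log line: client, ident, user, [time], "METHOD path
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)')
WATCHED = ("/viewvc/", "/cgit/")       # assumed URL prefixes
ALLOW = [ip_network("192.0.2.0/28")]   # assumed range of known-good users

def scan(lines, maxretry=3, findtime=60, bantime=120):
    """Replay a log; return (ban events, unique banned addresses)."""
    hits, banned_until, bans = defaultdict(deque), {}, []
    for line in lines:
        m = LINE.match(line)
        if not m or not m.group(3).startswith(WATCHED):
            continue
        ip = ip_address(m.group(1))
        if any(ip in net for net in ALLOW):
            continue                    # never count allowlisted clients
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if ip in banned_until and ts < banned_until[ip]:
            continue                    # a live ban would have dropped this request
        q = hits[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()                 # forget hits older than findtime
        if len(q) >= maxretry:
            bans.append((str(ip), ts))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans, {ip for ip, _ in bans}

def sample_log():
    """Constructed access-log lines (documentation addresses, made-up paths)."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    events = [("203.0.113.5", s, "/cgit/demo.git/log/") for s in (0, 1, 2, 50, 200, 201, 202)]
    events += [("198.51.100.7", s, "/viewvc/demo/?view=log") for s in (0, 5, 10)]
    events += [("192.0.2.3", s, "/cgit/demo.git/tree/") for s in (0, 1, 2, 3)]
    events += [("203.0.113.9", s, "/cgit/demo.git/") for s in (0, 100, 200)]
    events += [("198.51.100.8", s, "/index.html") for s in (0, 1, 2)]
    fmt = '{} - - [{}] "GET {} HTTP/1.1" 200 512 "-" "-"'
    return [fmt.format(ip, (base + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z"), p)
            for ip, s, p in sorted(events, key=lambda e: e[1])]

if __name__ == "__main__":
    bans, unique = scan(sample_log())
    print(len(bans), "ban events from", len(unique), "unique addresses")
```

Replaying a real log with candidate thresholds before loading them into a jail shows how many addresses each setting would have banned and whether any known users are among them.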