Differences

This shows you the differences between two versions of the page.

--- howto:fail2ban [2020/07/02 22:59] – add rules for hack / spam logs ragnarok
+++ howto:fail2ban [2023/07/25 15:36] (current) – [Use Fail2Ban on GNU/Linux to block botnet's attacks] nick young
@@ Line 25: / Line 25: @@
 maxretry = 3
 findtime = 21600
+bantime = 21600
+[sbbs-ddos]
+enabled  = true
+filter   = sbbs-ddos
+action   = iptables-allports[name=SBBS-ddos, protocol=all]
+logpath  = /var/log/sbbs.log
+maxretry = 8
+findtime = 600
 bantime = 21600
@@ Line 65: / Line 74: @@
 failregex = Bad password from: <HOST>
             Throttling suspicious connection from: <HOST>
+ignoreregex =
+</code>
+Filter for ddos (/etc/fail2ban/filter.d/sbbs-ddos.conf)
+<code>
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = !Maximum concurrent connections without login (.*) reached from host: <HOST>
 ignoreregex =
 </code>
@@ Line 86: / Line 105: @@
 failregex = .* !TEMPORARY BAN of .* <HOST> .*
             SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[<HOST>\]
+            ^.*\[<HOST>\].*\!TEMPORARY BAN.*$
 ignoreregex =
 </code>
@@ Line 105: / Line 125: @@
 Status
 |- Number of jail:	7
-`- Jail list:	asterisk, nginx-botsearch, *sbbs-hack, *sbbs-main, *sbbs-smtp, *sbbs-spam, sshd
+`- Jail list:	asterisk, nginx-botsearch, *sbbs-hack, *sbbs-main, *sbbs-smtp, *sbbs-spam, *sbbs-ddos, sshd
 </code>
@@ Line 135: / Line 155: @@
 RETURN     all  --  0.0.0.0/0            0.0.0.0/0
+Chain fail2ban-SBBS-ddos (1 references)
+target     prot opt source               destination
+REJECT     all  --  110.53.221.190       0.0.0.0/0            reject-with icmp-port-unreachable
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0
 </code>
 ===== See Also =====
   * [[:howto:|howto index]]

Trace:

Differences

Navigation

Search

Toolbox