On Mon, Aug 05, 2019 at 09:31:56AM +0100, Giles Coochey wrote: > > On 05/08/2019 09:18, Pete Biggs wrote: > > > I've found the default 10min bans hardly bother some attackers. > > > So I've added the "recidive" feature of fail2ban. After the > > > second 10min ban, the attacker is blocked for 1 week. > > > > > Oh definitely. My systems are set to "3 bans and you're out" - a > > recidive ban is permanent after three other bans. I have large parts > > of some subnets in my ban list as attackers just move from one host to > > another as they get banned. > > > > P. > > > I worked for a company some time back that had an association with a South > African company who wanted to host some infrastructure in our data centre, > the network admin there wanted a specific configuration for outbound source > NAT from a certain host that would scroll through a list of source NAT IP > addresses (think a whole /24) for every connection attempt, pretty sure it > was for sending unsolicited emails, in any case the association with that > company didn't last and I took redundancy after less than a year there. Now that would be a single firewall rule and a kernel ipset. jl -- Jon H. LaBadie jon at jgcomp.com 11226 South Shore Rd. (703) 787-0688 (H) Reston, VA 20190 (703) 935-6720 (C)