[PLUG] network traffic shaping for servers

Paul Mullen pm at nellump.net
Sun Feb 23 00:01:36 UTC 2014


On Sat, Feb 22, 2014 at 02:16:20PM -0800, Keith Lofstrom wrote:
> 1) The websites I offer from my virtual server are increasingly
> being hammered by exploitbots, sometimes driving the load average
> above 30.  Many different sources, I assume virus-infected home
> computers in botnets looking for common weaknesses.  What is the
> easiest way to throttle traffic from such machines, or detect
> similar "attack" requests (mysql exploits, for example) and
> blacklist the IP addresses they come from?

I like fail2ban.  You tell it which log files to watch, what patterns
to look for (and/or ignore), and what to do when there's a match.  It
comes preconfigured with a large collection of "filters" that will
catch the usual suspects (ssh worms, script kiddies, etc.), and is
easy to extend with custom filters.  By default, it uses iptables to
ban any offending IP addresses for a certain period.

  http://www.fail2ban.org/


-- 
Paul Mullen
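
The watch/match/ban cycle described in the reply above, modelled as an added example; it is not part of the original message and is not fail2ban's own code. The regex, log lines and addresses are constructed, and the names maxretry, findtime, bantime and ignoreip mirror fail2ban's jail settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed filter: failed requests probing for database admin front-ends.
# The named group "host" plays the role of fail2ban's <HOST> tag.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST) /(?:phpmyadmin|pma|mysql)\S* HTTP/[\d.]+" (?:403|404) ',
    re.IGNORECASE)
IGNORE_HOSTS = {"127.0.0.1"}  # counterpart of the ignoreip setting

# Constructed access-log lines (documentation address ranges).
SAMPLE_LOG = '''\
192.0.2.10 - - [22/Feb/2014:14:00:01 -0800] "GET /phpmyadmin/index.php HTTP/1.1" 404 210
192.0.2.10 - - [22/Feb/2014:14:00:02 -0800] "GET /pma/index.php HTTP/1.1" 404 210
198.51.100.7 - - [22/Feb/2014:14:00:05 -0800] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [22/Feb/2014:14:00:09 -0800] "GET /mysql/ HTTP/1.1" 404 210
203.0.113.5 - - [22/Feb/2014:14:01:00 -0800] "GET /phpMyAdmin/ HTTP/1.1" 404 210
203.0.113.5 - - [22/Feb/2014:14:30:00 -0800] "GET /pma/ HTTP/1.1" 404 210
'''.splitlines()

def find_bans(lines, maxretry=3, findtime=600, bantime=3600):
    """Return [(host, ban_start, ban_end)] for every host that matches
    FAILREGEX maxretry times within findtime seconds."""
    recent = defaultdict(deque)   # host -> timestamps of recent matches
    banned_until = {}             # host -> time the current ban expires
    bans = []
    for line in lines:
        m = FAILREGEX.match(line)
        if not m or m.group("host") in IGNORE_HOSTS:
            continue
        host = m.group("host")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if host in banned_until and ts < banned_until[host]:
            continue              # still banned; nothing new to decide
        hits = recent[host]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()        # forget matches older than the window
        if len(hits) >= maxretry:
            end = ts + timedelta(seconds=bantime)
            banned_until[host] = end
            bans.append((host, ts, end))
            hits.clear()
    return bans

if __name__ == "__main__":
    for host, start, end in find_bans(SAMPLE_LOG):
        print(f"ban {host} from {start} until {end}")
```

With the default settings only 192.0.2.10 is banned; 203.0.113.5 probes twice but 29 minutes apart, which falls outside the 600-second window.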


