[PLUG] Fail2ban - Re: network traffic shaping for servers

Keith Lofstrom keithl at gate.kl-ic.com
Sat Mar 8 19:00:31 UTC 2014


> On Sat, Feb 22, 2014 at 02:16:20PM -0800, Keith Lofstrom wrote:
> > 1) The websites I offer from my virtual server are increasingly
> > being hammered by exploitbots, sometimes driving the load average
> > above 30.  Many different sources, I assume virus-infected home
> > computers in botnets looking for common weaknesses.  What is the
> > easiest way to throttle traffic from such machines, or detect
> > similar "attack" requests (mysql exploits, for example) and
> > blacklist the IP addresses they come from?

On Sat, Feb 22, 2014 at 04:01:36PM -0800, Paul Mullen wrote:
> I like fail2ban.  You tell it which log files to watch, what patterns
> to look for (and/or ignore), and what to do when there's a match.  It
> comes preconfigured with a large collection of "filters" that will
> catch the usual suspects (ssh worms, script kiddies, etc.), and is
> easy to extend with custom filters.  By default, it uses iptables to
> ban any offending IP addresses for a certain period.
> 
>   http://www.fail2ban.org/

Late response - I finally got time to fiddle with fail2ban - and it ate
my vpn, because of a misconfiguration in a routing file that caused 
openvpn to throw error messages.  Which was a bit painful, because the
system I run this on is a virtual that I normally connect to only through
that vpn.  I fixed the config (using /sbin/route instead of merely "route"
in a config file), but there may be other time bombs lurking, and I can't
afford to trigger those at an unplanned time.

So, for now, I'll delay implementing fail2ban.  

However, this did suggest a much better way of dealing with all this. 
I run a virtual at Rimuhosting, sharing a machine with many other users,
in racks of hundreds of similar machines.  A probing attack on me or any
of my fellow tenants slows down the machine we share, the pipe connecting
us into the colo, etc.

What if customers could purchase a common defense from Rimuhosting, where
the Xen host is doing this packet filtering, sharing exploit data with all
the other Xen hosts, reducing bandwidth and compute and storage losses for
all the customers choosing the additional service?  In addition, 
Rimuhosting could monitor (optionally) client outbound traffic for 
exploits, informing customers that their machines might be compromised.
Such services should be optional, and might come with additional fees,
but I would sign up for them in a heartbeat.

Keith

-- 
Keith Lofstrom          keithl at keithl.com
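The mechanism Paul describes (watch a log file, match a pattern, ban the matching address with iptables once it trips a threshold) and the failure mode Keith hit (his own VPN getting banned because a misconfigured service was logging errors) can both be shown in a few lines. The following is an added illustration, not code from this thread or from the fail2ban project: it reproduces fail2ban's filter/jail logic in plain Python, using the project's conventions of a failregex with a <HOST> placeholder, maxretry, findtime and ignoreip, and runs it over constructed sshd log lines. The 10.8.0.0/24 VPN subnet and the log lines are assumptions made up for the example; the ignoreip list is the mitigation for exactly the problem in the message above, since an address on it is never counted no matter how many matches it produces.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample auth.log lines for this example (not from the original post).
# 203.0.113.45 is a brute-forcer, 10.8.0.6 is an assumed VPN client that is
# mistyping a password, 198.51.100.7 fails only once.
SAMPLE_LOG = """\
Mar  8 18:55:01 vps sshd[1201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  8 18:55:03 vps sshd[1203]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar  8 18:55:05 vps sshd[1205]: Failed password for invalid user admin from 203.0.113.45 port 51041 ssh2
Mar  8 18:55:09 vps sshd[1210]: Failed password for keith from 10.8.0.6 port 40012 ssh2
Mar  8 18:55:10 vps sshd[1211]: Failed password for keith from 10.8.0.6 port 40013 ssh2
Mar  8 18:55:11 vps sshd[1212]: Failed password for keith from 10.8.0.6 port 40014 ssh2
Mar  8 18:56:00 vps sshd[1220]: Failed password for root from 198.51.100.7 port 2222 ssh2
Mar  8 18:56:30 vps sshd[1225]: Accepted publickey for keith from 10.8.0.6 port 40020 ssh2
"""

# fail2ban-style failregex: <HOST> marks where the client address appears.
SSHD_FAILREGEX = r"Failed password for .* from <HOST> port \d+"

# Syslog prefix: month, day (one or two digits, padded with a space), time.
TIMESTAMP_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
)


def compile_failregex(failregex):
    """Turn a fail2ban-style pattern into a Python regex with a named 'host' group."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>[0-9A-Fa-f:.]+)"))


def parse_timestamp(line):
    """Return the line's timestamp as a datetime, or None if it has no syslog prefix."""
    m = TIMESTAMP_RE.match(line)
    if m is None:
        return None
    # Syslog lines carry no year; any fixed year works since only differences matter.
    return datetime.strptime(f"{m['mon']} {m['day']} {m['time']} 2014", "%b %d %H:%M:%S %Y")


def is_ignored(host, ignoreip):
    """True if host falls inside any network listed in ignoreip (fail2ban's whitelist)."""
    addr = ip_address(host)
    return any(addr in ip_network(net, strict=False) for net in ignoreip)


def find_bannable_hosts(log_text, failregex, maxretry=3, findtime=600, ignoreip=()):
    """Return sorted hosts with at least maxretry matches inside a findtime-second window."""
    pattern = compile_failregex(failregex)
    history = {}   # host -> timestamps of recent matches
    banned = set()
    for line in log_text.splitlines():
        when = parse_timestamp(line)
        m = pattern.search(line)
        if when is None or m is None:
            continue
        host = m["host"]
        if is_ignored(host, ignoreip):
            continue   # never count your own management/VPN addresses
        recent = [t for t in history.get(host, []) if (when - t).total_seconds() <= findtime]
        recent.append(when)
        history[host] = recent
        if len(recent) >= maxretry:
            banned.add(host)
    return sorted(banned)


def ban_command(host, chain="INPUT"):
    """Simplified stand-in for fail2ban's iptables action (returned as text, not executed)."""
    return f"iptables -I {chain} -s {host} -j DROP"


if __name__ == "__main__":
    # Assumed: loopback and the 10.8.0.0/24 VPN range are ours and must never be banned.
    vpn_and_local = ["127.0.0.0/8", "10.8.0.0/24"]
    for host in find_bannable_hosts(SAMPLE_LOG, SSHD_FAILREGEX, ignoreip=vpn_and_local):
        print(ban_command(host))
```

Run as-is it prints a ban for 203.0.113.45 only: 10.8.0.6 trips maxretry just as fast, but the ignoreip entry keeps it out of the count. Remove that entry and the VPN client is banned too, which is the situation described above; the findtime window is the other knob, since a host whose matches are spread thinner than the window never accumulates enough to be banned.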