On 01/07/13 04:30, Stan Hoeppner wrote:
> On 6/28/2013 12:31 PM, John Fawcett wrote:
>> One type of connection which I cannot block in fail2ban are clients that
>> try the AUTH command on port 25, where I have disabled it. I got 245
>> connections this morning in the space of 5 minutes and those are the
>> ones that got through despite the connection concurrency limit being hit
>> 277 times.
> Anvil did its job preventing a DOS condition on smtpd. Even if these
> had progressed far enough to be rejected they'd still have not put
> significant load on the server.
> Thus the sum total negative impact of this attack on my MX is a bloated
> log. For me, personally, it's not worth the hassle to implement
> fail2ban simply to keep the log tidy.
> In your case, John, are you suffering anything more than a bloated log?
> Is one extra connect/second causing problems?
I installed fail2ban more out of concerns for security across a
number of services, primarily sshd, but then extended to
others including postfix.
I then became interested in using it to block people hammering
the server. I am not sure how much hammering it actually stops
since I don't generally see it. Only a failure of fail2ban in this
case enabled me to investigate further.
The additional connection load in this case is probably
irrelevant; however, I still prefer to block because there is
no guarantee that spambots will stay within acceptable
limits and I prefer to be cautious.