[wplug-internet] Fail2ban addition
Vance Kochenderfer
vance at happylemur.com
Thu Apr 26 00:50:25 EDT 2018
Vance Kochenderfer wrote:
> I created a fail2ban filter and rule (called mailman-subscribe) to try
> to detect and thwart automated attempts. If a single IP address tries
> to subscribe more than once in a 90-second window, that address is
> firewalled from accessing the HTTP and HTTPS ports for an hour. This
> applies no matter which mailing list the subscription attempt is for (or
> if they are for different lists).

Actually, I added two other rules as well in addition to the above. One
triggers when four subscription attempts are made in a two-hour window,
resulting in a one-hour ban. The other activates a one-day ban if six
attempts are made within a day of each other.

This seems to have had a significant impact. There is no wplug-jobs
related mail stuck in the Postfix mail queue now, and subscription
attempts are down as shown by the data below. (The rules were put in
place on April 11.)

Attempts Date
======== ======
255 Mar 25
171 Mar 26
175 Mar 27
251 Mar 28
153 Mar 29
361 Mar 30
128 Mar 31
119 Apr 01
266 Apr 02
150 Apr 03
32 Apr 04
60 Apr 05
44 Apr 06
36 Apr 07
98 Apr 08
336 Apr 09
253 Apr 10
56 Apr 11
77 Apr 12
17 Apr 13
44 Apr 14
17 Apr 15
57 Apr 16
17 Apr 17
38 Apr 18
33 Apr 19
4 Apr 20
132 Apr 21
72 Apr 22
30 Apr 23
31 Apr 24
25 Apr 25

(Note that the data above is for wplug-jobs subscription attempts only;
during that entire period, only 13 or 0.4% of attempts were made to
subscribe to all other mailing lists.)

It's not perfect by any means, but it does appear to have made a dent.

Vance Kochenderfer | "Get me out of these ropes and into a
vance at happylemur.com | good belt of Scotch" -Nick Danger
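
The three thresholds described in this message, modelled as sliding-window counters to show which rule catches which request pattern. This is an added example, not part of the original post or the author's fail2ban configuration. Only `mailman-subscribe` is a name from the message; the other two rule names, the sample addresses and the timestamps are constructed, and the counting is a simplified model of fail2ban's findtime/maxretry/bantime behaviour.

```python
from collections import deque

# (rule name, maxretry, findtime in s, bantime in s), from the message's thresholds.
# "mailman-subscribe" is the name given in the message; the other two are hypothetical.
RULES = [
    ("mailman-subscribe", 2, 90, 3600),         # more than once in 90 s -> 1 hour
    ("mailman-subscribe-2h", 4, 7200, 3600),    # four in two hours      -> 1 hour
    ("mailman-subscribe-1d", 6, 86400, 86400),  # six within a day       -> 1 day
]

def simulate(attempts):
    """attempts: (epoch_seconds, ip) pairs sorted by time.
    Returns one (time, ip, rule, ban_until) tuple per ban issued."""
    history = {}       # (rule, ip) -> deque of attempt times still inside findtime
    banned_until = {}  # (rule, ip) -> time at which that rule's ban expires
    bans = []
    for ts, ip in attempts:
        # A firewalled address cannot reach the web server, so the attempt
        # is never logged and no rule counts it.
        if any(ts < banned_until.get((name, ip), 0) for name, *_ in RULES):
            continue
        for name, maxretry, findtime, bantime in RULES:
            window = history.setdefault((name, ip), deque())
            window.append(ts)
            while ts - window[0] > findtime:   # drop attempts older than findtime
                window.popleft()
            if len(window) >= maxretry:
                banned_until[(name, ip)] = ts + bantime
                bans.append((ts, ip, name, ts + bantime))
                window.clear()                 # counting restarts after a ban
    return bans

# Constructed sample: one address retries within 30 s, another paces its
# attempts 100 s apart and resumes after its first ban has expired.
SAMPLE = sorted(
    [(t, "192.0.2.10") for t in (0, 30, 60)]
    + [(t, "198.51.100.7") for t in (0, 100, 200, 300, 4000, 4100)]
)

if __name__ == "__main__":
    for ts, ip, rule, until in simulate(SAMPLE):
        print(f"t={ts:>5}s  {ip:<13} banned by {rule} until t={until}s")
```

The paced address never trips the 90-second rule, but the two-hour rule bans it on its fourth attempt and the one-day rule bans it on its sixth.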