
I have set up fail2ban on an Ubuntu Linux 16.04 LTS web server. I have set it up so that the denied (jailed) IP is always remembered, and the same for iptables - it is set up to remember the denied address. I did this for no other reason than to see how many attempts are made to break in. I could have set it up to not remember these IP addresses and just give them a jail term of 24 hours. Maybe I was too paranoid about the hackers out there trying to break in. I have seen the number of attempts to break in (based on the rules set up) grow daily by 100-150 attempts, all from unique IP addresses. Most of these IP addresses are from outside of the US. I have to believe that at some point the count will reach several thousand bad IP addresses that I have marked as "do not allow access". I am concerned that the server can get overloaded and degraded to the point of not being useful. Are there some good practices to follow that I should implement with fail2ban and iptables to deal with these bad IP addresses that are trying to break in?

Update: I have set up fail2ban and created the following jail:

## To stop DOS attack from remote host.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
# a single matching log line within findtime is enough to ban
maxretry = 1
findtime = 86400
# -1 = permanent ban, never expires
bantime = -1
ignoreip = 111.222.333.12
## action = iptables[name=HTTP, port=http, protocol=tcp]
# ipset-backed ban action: one iptables rule matches the whole set instead of one rule per IP
banaction = iptables-ipset-proto4

I have ipset and iptables configured as follows:

# drop inbound packets whose source is in the fail2ban set
sudo iptables -I INPUT -m set --match-set f2b-http-get-dos src -j DROP
# same for forwarded traffic (only relevant if this host routes packets)
sudo iptables -I FORWARD -m set --match-set f2b-http-get-dos src -j DROP

When I query the ipset set name, I see the members listed.

When I query iptables I see the set name.

How do I know and confirm that the banned IP addresses that are listed in the set named in ipset are being firewalled by iptables?

Jack Stein
    When you use an `ipset` (with firewallcmd-ipset) back-end with the blocked IP addresses rather than a separate iptables rule for every blocked IP address, you can easily scale to many thousands of blocked IP addresses with only a negligible impact on valid users. – HBruijn Jul 08 '19 at 13:23
  • Thanks for the response. I need some clarification. I use fail2ban defining the following: banaction = iptables. How would I make it so each jailed IP address detected by fail2ban from log files can dynamically get added to the ipset and intercepted immediately? – Jack Stein Jul 09 '19 at 00:20
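The question asks how to confirm that the members of the ipset are actually the addresses the iptables rule drops. The following is an added example, not code from the original post or from fail2ban: a few shell helpers that parse the output of `iptables-save` and `ipset list` and answer two concrete checks, "is there a DROP/REJECT rule in this chain that matches the set as source?" and "is this IP a member of the set?". The set name `f2b-http-get-dos` is taken from the post; the `iptables-save` and `ipset list` text below is constructed sample output (including the 2-rule INPUT chain and the three member addresses, which are documentation-range IPs) so the script runs offline. On a live host, feed it real output instead, e.g. `set_is_enforced "$(sudo iptables-save)" INPUT f2b-http-get-dos`.

```shell
#!/usr/bin/env bash
# Added example: verify that an ipset is wired to a DROP/REJECT rule and that
# a given address is in the set. Parses `iptables-save` / `ipset list` text,
# so it works offline on the constructed samples below or live on real output.
set -u

SET_NAME="f2b-http-get-dos"

# Constructed sample of `sudo iptables-save` output (not captured from a real host).
SAMPLE_IPTABLES_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m set --match-set f2b-http-get-dos src -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set f2b-http-get-dos src -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m set --match-set f2b-http-get-dos src -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample of `sudo ipset list f2b-http-get-dos` output.
SAMPLE_IPSET_LIST='Name: f2b-http-get-dos
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 408
References: 2
Members:
198.51.100.7
203.0.113.45
192.0.2.200'

# drop_rules_for_set <iptables-save text> <chain> <set>
# Prints every rule in <chain> that matches <set> as source and jumps to DROP or REJECT.
drop_rules_for_set() {
  local dump=$1 chain=$2 set=$3
  printf '%s\n' "$dump" | grep -E -- "^-A ${chain} .*-m set --match-set ${set} src .*-j (DROP|REJECT)"
}

# set_is_enforced <iptables-save text> <chain> <set>
# Exit 0 if at least one such rule exists, 1 otherwise.
set_is_enforced() {
  drop_rules_for_set "$1" "$2" "$3" >/dev/null
}

# ipset_members <ipset list text>
# Prints one member address per line (ignores per-entry extras such as "timeout N").
ipset_members() {
  printf '%s\n' "$1" | awk '/^Members:/ {m=1; next} m && NF {print $1}'
}

# ip_is_banned <ipset list text> <ip>
# Exit 0 if <ip> is an exact member of the set.
ip_is_banned() {
  ipset_members "$1" | grep -qxF -- "$2"
}

# ban_count <ipset list text>
# Prints the number of members in the set.
ban_count() {
  ipset_members "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report on the constructed samples.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  for chain in INPUT FORWARD OUTPUT; do
    if set_is_enforced "$SAMPLE_IPTABLES_SAVE" "$chain" "$SET_NAME"; then
      echo "$chain: set $SET_NAME is enforced by:"
      drop_rules_for_set "$SAMPLE_IPTABLES_SAVE" "$chain" "$SET_NAME" | sed 's/^/    /'
    else
      echo "$chain: no DROP/REJECT rule references $SET_NAME"
    fi
  done
  echo "$(ban_count "$SAMPLE_IPSET_LIST") address(es) in $SET_NAME"
  for ip in 203.0.113.45 203.0.113.46; do
    if ip_is_banned "$SAMPLE_IPSET_LIST" "$ip"; then echo "$ip: banned"; else echo "$ip: not banned"; fi
  done
fi
```

On the real host the same three facts can be confirmed directly: `sudo iptables -C INPUT -m set --match-set f2b-http-get-dos src -j DROP` returns 0 only if that exact rule exists, `sudo ipset test f2b-http-get-dos 203.0.113.45` reports whether an address is in the set, and `sudo iptables -L INPUT -v -n -x` shows the packet and byte counters on the `match-set` rule, which increase as banned hosts keep connecting. `sudo fail2ban-client status http-get-dos` lists what the jail itself believes is banned, so a mismatch between that list and `ipset list` points at the ban action rather than the filter. One caveat: fail2ban's own `iptables-ipset-*` actions create the set and insert their own `match-set ... -j REJECT` rule in their actionstart, so a manually added DROP rule for the same set is a second, redundant match rather than the thing that makes the set take effect.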

0 Answers