Hacker News
by bronson 2103 days ago
Now that botnets are brute forcing from thousands of unique IPs, fail2ban doesn't offer much on my servers anymore. I've stopped installing it.
3 comments

If the attackers are using botnets to distribute the load across IPs, then perhaps we need to distribute the detection across IPs: https://www.abuseipdb.com/fail2ban.html
I used to manage VoIP systems and VoIPBL[0] was amazing.

"VoIPBL is a distributed VoIP blacklist that is aimed to protect against VoIP fraud and minimize abuse for networks that have publicly accessible PBXs"

It's very similar to what you linked but is targeted to catching VoIP abuse.

[0] https://voipbl.org/

Just curious, what problems does fail2ban suffer with thousands of unique IPs? (A crowded iptables, I guess...)

I still use it with a super oppressive jail time and few retries, with a few whitelisted IPs and it seems to work ok.

I think the concern with a botnet with n IPs is that fail2ban tracks individual IPs, so if you have any kind of grace period before bannination, they get a linear speedup of n, and if there's an expiration period, they get to try n times harder than a single bored script kiddie.

Worse, from an economic perspective, there's enough hosts listening on port 22 that a bot can try instead while they wait for timeouts, so you're not really imposing a cost on them. If you view running a botnet as a form of multi-armed bandit problem, the best you can really do is limit the economic value by slowing them down a tad versus their many, many other options.
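To make the per-IP counting argument above concrete, here is a small model of a fail2ban-style jail next to a counter that aggregates failures across all sources, run over constructed sshd-style log lines (example code written for this page, not fail2ban's own code or anything posted in the thread). The names per_ip_jail, aggregate_alert and the log format are my own assumptions; the point is that the per-IP jail admits every attempt from the distributed set while the aggregate window still fires.

```python
import re
from collections import defaultdict, deque

# Constructed sshd-style log lines (not from the thread). The leading integer
# stands in for a timestamp in seconds to keep parsing trivial.
SINGLE_SOURCE_LOG = "\n".join(
    f"{t} Failed password for root from 198.51.100.7 port 4{t}000 ssh2"
    for t in range(8))
BOTNET_LOG = "\n".join(
    f"{10 + i} Failed password for root from 203.0.113.{1 + i % 6} port 5{i}00 ssh2"
    for i in range(12))

LINE_RE = re.compile(r"^(\d+) Failed password for \S+ from (\S+) port")

def parse(log):
    """Yield (timestamp, source_ip) for each failed-login line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2)

def per_ip_jail(log, maxretry=5, findtime=600):
    """Model a fail2ban jail: an IP is banned once it has maxretry failures
    inside a sliding findtime window. Returns (attempts_admitted, banned_ips)."""
    seen = defaultdict(deque)
    banned, admitted = set(), 0
    for ts, ip in parse(log):
        if ip in banned:
            continue                      # dropped by the firewall rule
        admitted += 1
        q = seen[ip]
        q.append(ts)
        while ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return admitted, banned

def aggregate_alert(log, threshold=5, findtime=600):
    """Count failures across all sources in one sliding window; return the
    timestamp at which the total first exceeds threshold, or None."""
    q = deque()
    for ts, _ip in parse(log):
        q.append(ts)
        while ts - q[0] > findtime:
            q.popleft()
        if len(q) > threshold:
            return ts
    return None
```

With the defaults, the single host is banned after 5 admitted attempts, while the six botnet hosts get all 12 attempts through and nobody is banned; the aggregate window raises an alert in both cases.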

I think they're saying it doesn't stop brute force attacks because the botnet will just try with another IP.
My logs still show repeated attempts by the same IP. Lots of 1 and 2 tries, but multiple IPs with hundreds or dozens.

Keep forgetting to enable fail2ban.