[SR-Users] pike parameters doubt when having dynamic IP clients and scanners
PICCORO McKAY Lenz
mckaygerhard at gmail.com
Tue Aug 13 22:27:36 CEST 2019
I read the documentation for pike usage and have a doubt: what is
best for the very dynamic IPs of my devices? I mean, I'm just curious about
this very ironic and problematic scenario:
For the scanners I set up fail2ban, but only when the scanning is
detected. But if I have the pike option like this:
# this is my setup for pike due to the dynamic IPs and devices over the internet:
modparam("pike", "sampling_time_unit", 4)
modparam("pike", "reqs_density_per_unit", 80)
modparam("pike", "remove_latency", 60)
...
route {
    if (!pike_check_req()) {
        xlog("L_ALERT","ALERT: pike block $rm from $fu (IP:$si:$sp)\n");
        exit;
    }
    ...
}
I put the remove latency at 60, so, since they are dynamic, they must
remain in memory longer (since anyone could be a possible client), and just
ban if there are 180 (60*3) requests every 4 seconds.
Is it a good configuration, or maybe I'm wrong? Please help me!
--
Lenz McKAY Gerardo (PICCORO)
http://qgqlochekone.blogspot.com
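
Added example (not part of the original post, and not Kamailio or fail2ban project code): a Python sketch of how the alert line written by the xlog() call above can be matched for a fail2ban-style ban list without trusting the sender-controlled $fu field. The syslog prefix, the sample lines and the unbracketed IPv6 form of $si are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Tail of the message written by the xlog() call in the post:
#   ALERT: pike block $rm from $fu (IP:$si:$sp)
# $fu is taken from the From header, so the sender controls it. The pattern is
# anchored at end of line so only the final "(IP:addr:port)" is trusted.
PIKE_LINE = re.compile(
    r"ALERT: pike block (?P<method>\S+) from (?P<from_uri>.*) "
    r"\(IP:(?P<ip>[0-9A-Fa-f:.]+):(?P<port>\d{1,5})\)\s*$"
)

# Constructed sample lines; the syslog prefix and addresses are made up.
SAMPLE_LOG = [
    "Aug 13 22:30:01 sbc kamailio[1201]: ALERT: pike block REGISTER "
    "from sip:100@198.51.100.7 (IP:203.0.113.9:5071)",
    "Aug 13 22:30:01 sbc kamailio[1201]: ALERT: pike block OPTIONS "
    "from sip:probe@198.51.100.7 (IP:203.0.113.9:5071)",
    # From URI crafted to look like a logged source address.
    "Aug 13 22:30:02 sbc kamailio[1201]: ALERT: pike block INVITE "
    "from sip:x@a (IP:192.0.2.1:5060) (IP:203.0.113.9:5071)",
    # IPv6 source: the address itself contains colons before the port.
    "Aug 13 22:30:03 sbc kamailio[1202]: ALERT: pike block REGISTER "
    "from sip:200@example.net (IP:2001:db8::1:5060)",
    "Aug 13 22:30:04 sbc kamailio[1202]: INFO: unrelated log line",
]


def blocked_sources(lines):
    """Count pike block alerts per validated source address."""
    hits = Counter()
    for line in lines:
        m = PIKE_LINE.search(line)
        if m is None:
            continue
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not a well-formed address; ignore the line
        hits[str(addr)] += 1
    return hits


if __name__ == "__main__":
    for ip, count in blocked_sources(SAMPLE_LOG).most_common():
        print(ip, count)
```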