Hello fellow admins. Over the last month the number of attacks against my network has steadily increased and yesterday I was hit by over 280 IPs within a 20 minute period (all attacks against my mail server). I have systems like fail2ban in place to help stop attacks, but I'm now considering some sort of port scan detector. Maybe I can stop the attack before it really begins.
My network isn't very complex. My Linux router, which handles all the iptables rules, uses shorewall to build them and, depending on the port, routes to a couple of different servers. I'm just looking around right now, mostly fishing for ideas and suggestions. I need something that will output an offending IP into a log file for fail2ban to monitor.
I may be going after the wrong thing here; maybe I need to implement something better than a simple scan detector. What would be your suggestion on the best way to solve this issue? I'm looking for a software-based solution. I'm not up for buying any new equipment. Thanks.
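As an added illustration (not part of the original post or any reply), here is the shape of the pipeline the post asks for: a detector that reads the router's iptables LOG lines, flags a source that touches several distinct destination ports in a short window, and writes one alert line per source in a format a fail2ban filter can match with `<HOST>`. It assumes Shorewall is logging dropped inbound packets with its default `Shorewall:chain:disposition:` prefix; the thresholds (5 distinct ports in 20 seconds), the alert format, the filter name `portscan.conf` and the sample log lines are all made up for the example.

```python
"""Sliding-window port-scan detector over iptables/Shorewall kernel LOG lines.

Added illustration, not code from the original post. Assumes the router logs
dropped or new inbound packets with an iptables LOG target (Shorewall's default
"Shorewall:chain:disposition:" prefix is used in the constructed sample) and
that the alert lines it emits are written to a file fail2ban watches.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Fields pulled from a kernel netfilter LOG line (syslog timestamp, SRC, PROTO, DPT)
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)
_REF = datetime(2000, 1, 1)


def _seconds(ts):
    """Syslog timestamps carry no year; pin one so differences inside a window are well-defined."""
    dt = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=2000)
    return (dt - _REF).total_seconds()


class ScanDetector:
    """Flag a source that touches `distinct_ports` different DPTs within `window` seconds."""

    def __init__(self, window=20.0, distinct_ports=5):
        self.window = window
        self.distinct_ports = distinct_ports
        self.hits = defaultdict(deque)   # src -> deque of (seconds, dpt), oldest first
        self.flagged = set()             # alert once per source; fail2ban owns the bantime

    def feed(self, line):
        """Consume one log line; return an alert line for fail2ban, or None."""
        m = LOG_RE.search(line)
        if not m:
            return None
        src, now, dpt = m["src"], _seconds(m["ts"]), int(m["dpt"])
        q = self.hits[src]
        q.append((now, dpt))
        while now - q[0][0] > self.window:    # drop hits that fell out of the window
            q.popleft()
        ports = sorted({p for _, p in q})
        if len(ports) >= self.distinct_ports and src not in self.flagged:
            self.flagged.add(src)
            return (f"{m['ts']} router portscan: scan from {src} hit {len(ports)} ports "
                    f"in {self.window:.0f}s: {','.join(map(str, ports))}")
        return None


def scan_alerts(lines, **kwargs):
    """Run the detector over an iterable of log lines and return the alert lines."""
    det = ScanDetector(**kwargs)
    return [alert for alert in map(det.feed, lines) if alert]


# Hypothetical fail2ban filter (e.g. /etc/fail2ban/filter.d/portscan.conf) for the alert format above.
FAIL2BAN_FILTER = """[Definition]
failregex = portscan: scan from <HOST> hit \\d+ ports
ignoreregex =
"""


def fail2ban_matches(alert):
    """Approximate fail2ban's matching: expand <HOST> to an IPv4 pattern and search the line."""
    failregex = re.search(r"^failregex = (.*)$", FAIL2BAN_FILTER, re.M).group(1)
    pattern = failregex.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})")
    m = re.search(pattern, alert)
    return m["host"] if m else None


def make_logline(ts, src, dpt, proto="TCP"):
    """Build a constructed Shorewall-style kernel LOG line (sample data, not captured traffic)."""
    return (f"{ts} router kernel: [1234.5] Shorewall:net2fw:DROP:IN=eth0 OUT= SRC={src} "
            f"DST=198.51.100.2 LEN=60 TTL=54 PROTO={proto} SPT=40001 DPT={dpt} WINDOW=29200 SYN")


# Constructed sample: 203.0.113.9 sweeps six ports in six seconds; 198.51.100.7 just
# hammers the mail port (fail2ban's job, not a scan); one unrelated sshd line.
SAMPLE = [
    make_logline("Mar 12 10:00:01", "203.0.113.9", 21),
    make_logline("Mar 12 10:00:02", "203.0.113.9", 22),
    make_logline("Mar 12 10:00:02", "198.51.100.7", 25),
    make_logline("Mar 12 10:00:03", "203.0.113.9", 25),
    make_logline("Mar 12 10:00:03", "198.51.100.7", 25),
    make_logline("Mar 12 10:00:04", "203.0.113.9", 80),
    make_logline("Mar 12 10:00:04", "198.51.100.7", 25),
    make_logline("Mar 12 10:00:05", "203.0.113.9", 110),
    make_logline("Mar 12 10:00:05", "198.51.100.7", 25),
    make_logline("Mar 12 10:00:06", "203.0.113.9", 143),
    "Mar 12 10:00:07 router sshd[4242]: Failed password for root from 198.51.100.7 port 5555 ssh2",
]

if __name__ == "__main__":
    for alert in scan_alerts(SAMPLE):
        print(alert, "->", fail2ban_matches(alert))
```

In practice the detector would tail the kernel log (journalctl -kf or /var/log/kern.log) and append its alerts to a file such as /var/log/portscan.log, with a fail2ban jail whose `logpath` points there and `maxretry = 1`; the detector only decides "this is a scan", while fail2ban keeps its existing ban/unban bookkeeping. Counting distinct destination ports rather than raw hits is what separates a sweep from the repeated hits on port 25 that fail2ban's mail filters already handle, and the window keeps a slow scanner from building up state forever.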