[clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

Reindl Harald h.reindl at thelounge.net
Tue Jul 3 15:59:29 EDT 2018



On 03.07.2018 at 18:39, Joel Esler (jesler) wrote:
>> On Jul 2, 2018, at 1:17 PM, Reindl Harald <h.reindl at thelounge.net> wrote:
>>
>> on a typical setup freshclam is running once or twice *daily* while a
>> webserver these days can spit out the same small static txt file many
>> thousands of times per second with zero load
> 
> That is not the results we are seeing.  There are a LARGE amount of
> people that check for updates once or twice a day, yes.  However, we
> have hundreds of thousands of people that check for updates hundreds of
> times a day.  We haven't started concentrating on these people yet (our
> biggest offender is one IP that checks 100,000+ times a day), but
> clearly that's excessive.  We publish approx 5-6 times a day.  So, let's
> say you check 50 times a day....  Clearly, that's enough.

either they are no problem or you do "man iptables"

voila - all new connections which are more than 5 per hour from the same
IP are dropped, i have similar rules for specific ports and max
connections per client for many years now - no rocket science

if one asks 100000 times per day that IP is blocked by hand for at least
2 weeks and if it continues until a well explained excuse comes in and
topic closed

iptables -I INPUT -p tcp -i eth0 ! -s 192.168.196.0/24 -m conntrack \
  --ctstate NEW -m recent --set --rsource
iptables -I INPUT -p tcp -i eth0 ! -s 192.168.196.0/24 -m conntrack \
  --ctstate NEW -m recent --update --seconds 3600 --hitcount 5 --rsource \
  -j DROP
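To see what these two rules do to a client at a given polling rate before deploying them, here is a small Python model added as an example (not code from the post or from the iptables project). It assumes the xt_recent match logic summarised in the comments and the default ring size of 20 stamps per entry; note that hits are counted over existing stamps, so the sixth NEW connection within an hour is the first one dropped, and that a dropped client's retries keep refreshing its entry.

```python
from collections import deque

# Constructed model of the two iptables rules in the post:
#   -m recent --update --seconds 3600 --hitcount 5 -j DROP   (inserted last, evaluated first)
#   -m recent --set
# Assumed xt_recent behaviour: --update matches when at least HITCOUNT *existing*
# stamps fall inside the last SECONDS; a matching --update and every --set append
# a stamp; each entry keeps at most RING_SIZE stamps (ip_pkt_list_tot default 20).
SECONDS = 3600
HITCOUNT = 5
RING_SIZE = 20


class RecentTable:
    """Minimal model of one xt_recent list keyed by source address."""

    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT, ring=RING_SIZE):
        self.seconds, self.hitcount, self.ring = seconds, hitcount, ring
        self.entries = {}  # ip -> deque of stamps (epoch seconds)

    def _hits_in_window(self, stamps, now):
        return sum(1 for s in stamps if now - s <= self.seconds)

    def new_connection(self, ip, now):
        """Verdict ('ACCEPT' or 'DROP') for one NEW connection from ip at time now."""
        stamps = self.entries.get(ip)
        # First rule: --update --seconds --hitcount -j DROP (no entry -> no match)
        if stamps is not None and self._hits_in_window(stamps, now) >= self.hitcount:
            stamps.append(now)  # --update refreshes the entry, so retries extend the block
            return "DROP"
        # Second rule: --set creates the entry or adds a stamp to it
        if stamps is None:
            stamps = self.entries[ip] = deque(maxlen=self.ring)
        stamps.append(now)
        return "ACCEPT"


def simulate(interval_s, hours=24, ip="198.51.100.7"):
    """(accepted, dropped) counts for a client opening a NEW connection every interval_s."""
    table = RecentTable()
    verdicts = [table.new_connection(ip, t) for t in range(0, hours * 3600, interval_s)]
    return verdicts.count("ACCEPT"), verdicts.count("DROP")


if __name__ == "__main__":
    # Polling every 10 minutes: 5 accepted, then every retry renews the block -> 139 dropped
    print("every 10 min:", simulate(600))
    # Polling hourly (or once or twice a day) never reaches 5 stamps within an hour
    print("hourly:", simulate(3600))
```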
