When the firewall sees something it considers an attack, it blocks the IP. If the attack continues from multiple addresses and blocking does not stop it, then it drops the server into a blackhole, and only a manual intervention or 24 hours will bring it back up.
It's very common for LR to be attacked; that's why we have very aggressive firewalls.

@omnipotens Do multiple attacks seem to come from contiguous IP space -- CIDR blocks or ASNs?

@dredmorbius more from ASN, it's really all over the place and all kinds of attacks. Most are just normal internet crap, but we do get targeted at times. The firewall rarely ever drops to blackhole, but it does happen.
The worst is when the DoD hammered on us. My poor firewall had hell trying to keep up and IOPS got saturated with logs. That was last year.

@omnipotens Any idea who's behind the attack, and what the motivations are?

My logs show background noise, but after fail2ban etc. it's dropped out to manageable levels.

@malin Nope, no idea, and to be honest, until it becomes an issue it's not worth tracing, as most is just garbage and the firewall blocks most of them. The firewall is a combination of several programs, including fail2ban and snort and other IDS, working together with my friends magic coding, which blocks most of the crap. Then the firewall on LR catches the rest.

Granted, LR firewall could be much tighter, like we used to have. I may rework it later when I get a chance to sit down with it.
