[squid-users] Detecting clients flooding squid with failed request

Eliezer Croitoru eliezer at ngtech.co.il
Mon Aug 3 10:03:46 UTC 2015


Hey Dan,

It's pretty simple to write this rule since it's a counted+pattern match,
and that's it, nothing more.
If it fits your need you can add a send mail target instead of a "ban" one.

Eliezer

On 03/08/2015 10:25, Dan Charlesworth wrote:
> Thanks Antony.
>
> Fail2ban looks like a viable option though we would still need to write a regex definition to target this sort of behaviour. Their squid example targets aggressive hosts where my preference would be to target aggressive applications (that could be running on more than one host).
>
> https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/squid.conf
>
> In my case “raise the alarm” would probably mean send an email to somebody and there are lots of ways to do that programmatically.
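
The counted + pattern match discussed in this thread, keyed on the application (User-Agent) rather than the client host, as an added example that is not part of the original messages and is not fail2ban's or Squid's own code. Assumptions: access_log uses Squid's built-in "combined" logformat, a "failed request" means HTTP status >= 400, log lines are in time order, and the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern for Squid's built-in "combined" logformat (assumed here because it
# logs the User-Agent header; the default "squid" format does not).
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

SAMPLE = [  # constructed log lines: one agent failing from two hosts
    f'192.0.2.{10 + i % 2} - - [03/Aug/2015:10:00:0{i} +0000] '
    f'"GET http://example.com/update HTTP/1.1" 407 4000 "-" '
    f'"ExampleUpdater/1.0" TCP_DENIED:HIER_NONE'
    for i in range(6)
] + [  # one unrelated browser failure that must not trigger
    '192.0.2.20 - - [03/Aug/2015:10:00:03 +0000] '
    '"GET http://example.org/ HTTP/1.1" 404 500 "-" "Mozilla/5.0" '
    'TCP_MISS:HIER_DIRECT',
]

def flooding_agents(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return {user_agent: set(client hosts)} for every agent that logged at
    least max_failures failed requests inside one sliding time window."""
    recent = defaultdict(deque)  # agent -> timestamps of failures in window
    hosts = defaultdict(set)     # agent -> every host seen failing with it
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m["status"]) < 400:
            continue             # unparsable line or successful request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["agent"]]
        q.append(ts)
        hosts[m["agent"]].add(m["host"])
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:  # the "counted" half of the rule
            flagged[m["agent"]] = hosts[m["agent"]]
    return flagged

if __name__ == "__main__":
    for agent, seen in flooding_agents(SAMPLE).items():
        print(f"ALERT {agent!r} failing from {sorted(seen)}")
```

The returned mapping is what a mail or ban action would consume; because the count is per User-Agent, the same application spread over several hosts still crosses the threshold.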


