Solved

The endless cat and mouse game of fail2ban

Posted on 2016-10-10
4
68 Views
Last Modified: 2016-10-12
Hello!

I'm not sure if it's a problem to begin with, but the situation is that run Postfix as a mail server on my computer. Almost a year ago because of numerous failed login attempts I installed fail2ban. It does its job. But it's kinda strange for my taste. It bans an IP, after a few hours unbans it, then after half an hour bans again etc. etc. Some bots try to log in once every 20 minutes to escape the ban.

The load average of the server seems to be fine. Approx 0,20

So my question is... Does it all fall within something normal or it requires some action on my part? Or a login attempt once in 20 minutes is something so light for the server so it's best to ignore it?
0
Comment
Question by:papa kota
  • 2
4 Comments
 
LVL 23

Expert Comment

by:Dr. Klahn
ID: 41837670
Depends on how much loading there is on your incoming SMTP.  If you're getting one attempt every 20 minutes overall, the loading is negligible though the annoyance is not.  But if 200 different IPs are each making one attempt every 20 minutes, then it's worth addressing.  It's possible that if you crank up the ban length, some of the bots will get wise and leave the site alone.

I found the following helpful:

Install iptables, add the geoip module, and drop everything from the Middle East, Russia and the Balkans, South America, Africa, and the Far East.  Alternatively, permit only from the US, Canada, and European countries.  This cut spam issues by well over 90% on my system, and it drops the connect before it gets to postfix, so no postfix log entries.

But the other side of that is, nobody in the banned areas will ever be able to contact you by email for any reason, valid or not.

(But just cutting out China, Russia, Korea and the Balkans will kill about 50% of attempts, and it's unlikely you'll have any wanted email from there.)
0
 

Author Comment

by:papa kota
ID: 41837705
Yeah, that's a great advice to cut out Russia, especially considering that I'm sitting just outside Moscow :-)

Actually, so far it was a login attempt every 15 to 20 minutes from just one IP. I checked it and it's Seichelles. Something tells me that it's probably a fake IP (I don't know if bots can do that).

Of course, I can set findtime to something like 2 hours and then the fourth attempt would be within 90 minutes and it would trigger the ban. Though I don't know if it's a good idea overall?
0
 
LVL 23

Expert Comment

by:Dr. Klahn
ID: 41837708
Ha!  Didn't notice that.  But, "pravda nyet izvestia."
0
 
LVL 27

Accepted Solution

by:
serialband earned 500 total points
ID: 41839441
Fail2ban watches the logs for activity, then runs iptables on problem entries.  It's set to time intervals you specify in the config file.  You can set a longer block and that may deter the attackers.  If not, I suggest that you set a permanent iptables ban directly on those specific IPs that keep bothering you.


  iptables -A INPUT -s Offending_IP_ADDRESS -j DROP

Then you save your iptables rules
either
  /sbin/service iptables save
or
  iptables-save > <filename>

https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-iptables-saving.html
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now