
The endless cat and mouse game of fail2ban

Posted on 2016-10-10
Last Modified: 2016-10-12
Hello!

I'm not sure if it's a problem to begin with, but the situation is that I run Postfix as a mail server on my computer. Almost a year ago, because of numerous failed login attempts, I installed fail2ban. It does its job. But it's kinda strange for my taste. It bans an IP, after a few hours unbans it, then after half an hour bans again etc. etc. Some bots try to log in once every 20 minutes to escape the ban.

The load average of the server seems to be fine. Approx 0,20

So my question is... Does it all fall within something normal, or does it require some action on my part? Or is a login attempt once in 20 minutes something so light for the server that it's best to ignore it?
Question by:papa kota
LVL 33

Expert Comment

by:Dr. Klahn
ID: 41837670
Depends on how much loading there is on your incoming SMTP.  If you're getting one attempt every 20 minutes overall, the loading is negligible though the annoyance is not.  But if 200 different IPs are each making one attempt every 20 minutes, then it's worth addressing.  It's possible that if you crank up the ban length, some of the bots will get wise and leave the site alone.

I found the following helpful:

Install iptables, add the geoip module, and drop everything from the Middle East, Russia and the Balkans, South America, Africa, and the Far East.  Alternatively, permit only from the US, Canada, and European countries.  This cut spam issues by well over 90% on my system, and it drops the connect before it gets to postfix, so no postfix log entries.

But the other side of that is, nobody in the banned areas will ever be able to contact you by email for any reason, valid or not.

(But just cutting out China, Russia, Korea and the Balkans will kill about 50% of attempts, and it's unlikely you'll have any wanted email from there.)

Author Comment

by:papa kota
ID: 41837705
Yeah, that's great advice to cut out Russia, especially considering that I'm sitting just outside Moscow :-)

Actually, so far it was a login attempt every 15 to 20 minutes from just one IP. I checked it and it's Seychelles. Something tells me that it's probably a fake IP (I don't know if bots can do that).

Of course, I can set findtime to something like 2 hours and then the fourth attempt would be within 90 minutes and it would trigger the ban. Though I don't know if it's a good idea overall?
LVL 33

Expert Comment

by:Dr. Klahn
ID: 41837708
Ha!  Didn't notice that.  But, "pravda nyet izvestia."
LVL 32

Accepted Solution

by:
serialband earned 2000 total points
ID: 41839441
Fail2ban watches the logs for activity, then runs iptables on problem entries.  It's set to time intervals you specify in the config file.  You can set a longer block and that may deter the attackers.  If not, I suggest that you set a permanent iptables ban directly on those specific IPs that keep bothering you.


  iptables -A INPUT -s Offending_IP_ADDRESS -j DROP

Then you save your iptables rules
either
  /sbin/service iptables save
or
  iptables-save > <filename>

https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-iptables-saving.html
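
The findtime and ban-length trade-off discussed in this thread, as an added example that is not part of any post: a simplified Python model of fail2ban's rule (ban once maxretry failures from one IP fall inside findtime seconds) run over a constructed Postfix log of a single bot retrying every 20 minutes. The log line format, the address 203.0.113.7 and the setting values are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches a Postfix SASL failure line; captures the syslog timestamp and client IP.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[([\d.]+)\]: SASL \w+ authentication failed")

def make_log(ip, start, every_min, count):
    """Constructed sample: `count` login attempts from `ip`, one every `every_min` minutes."""
    return [f"{(start + timedelta(minutes=i * every_min)):%b %d %H:%M:%S} mail "
            f"postfix/smtpd[4242]: warning: unknown[{ip}]: "
            f"SASL LOGIN authentication failed: authentication failure"
            for i in range(count)]

def simulate(lines, maxretry, findtime, bantime, year=2016):
    """Return [(ban_time, ip)] for a sliding-window rule: ban an IP once
    `maxretry` failures fall within `findtime` seconds, for `bantime` seconds."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned_until = {}             # ip -> time the current ban expires
    bans = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue              # attempt dropped by the firewall, never logged
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            bans.append((ts, ip))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans

if __name__ == "__main__":
    log = make_log("203.0.113.7", datetime(2016, 10, 10), 20, 72)  # 24 hours of attempts
    for label, ft, bt in [("short window", 600, 600),
                          ("2 h window, 3 h ban", 7200, 10800),
                          ("2 h window, 1 week ban", 7200, 604800)]:
        bans = simulate(log, maxretry=4, findtime=ft, bantime=bt)
        print(f"{label}: {len(bans)} ban(s)", [f"{t:%H:%M}" for t, _ in bans])
```

With the short window the bot is never banned, with a 2-hour window and a 3-hour ban it is banned and released repeatedly, and with a week-long ban it is banned once on the fourth attempt.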