Solved

The endless cat and mouse game of fail2ban

Posted on 2016-10-10
4
146 Views
Last Modified: 2016-10-12
Hello!

I'm not sure if it's a problem to begin with, but the situation is that run Postfix as a mail server on my computer. Almost a year ago because of numerous failed login attempts I installed fail2ban. It does its job. But it's kinda strange for my taste. It bans an IP, after a few hours unbans it, then after half an hour bans again etc. etc. Some bots try to log in once every 20 minutes to escape the ban.

The load average of the server seems to be fine. Approx 0,20

So my question is... Does it all fall within something normal or it requires some action on my part? Or a login attempt once in 20 minutes is something so light for the server so it's best to ignore it?
0
Comment
Question by:papa kota
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 27

Expert Comment

by:Dr. Klahn
ID: 41837670
Depends on how much loading there is on your incoming SMTP.  If you're getting one attempt every 20 minutes overall, the loading is negligible though the annoyance is not.  But if 200 different IPs are each making one attempt every 20 minutes, then it's worth addressing.  It's possible that if you crank up the ban length, some of the bots will get wise and leave the site alone.

I found the following helpful:

Install iptables, add the geoip module, and drop everything from the Middle East, Russia and the Balkans, South America, Africa, and the Far East.  Alternatively, permit only from the US, Canada, and European countries.  This cut spam issues by well over 90% on my system, and it drops the connect before it gets to postfix, so no postfix log entries.

But the other side of that is, nobody in the banned areas will ever be able to contact you by email for any reason, valid or not.

(But just cutting out China, Russia, Korea and the Balkans will kill about 50% of attempts, and it's unlikely you'll have any wanted email from there.)
0
 

Author Comment

by:papa kota
ID: 41837705
Yeah, that's a great advice to cut out Russia, especially considering that I'm sitting just outside Moscow :-)

Actually, so far it was a login attempt every 15 to 20 minutes from just one IP. I checked it and it's Seichelles. Something tells me that it's probably a fake IP (I don't know if bots can do that).

Of course, I can set findtime to something like 2 hours and then the fourth attempt would be within 90 minutes and it would trigger the ban. Though I don't know if it's a good idea overall?
0
 
LVL 27

Expert Comment

by:Dr. Klahn
ID: 41837708
Ha!  Didn't notice that.  But, "pravda nyet izvestia."
0
 
LVL 29

Accepted Solution

by:
serialband earned 500 total points
ID: 41839441
Fail2ban watches the logs for activity, then runs iptables on problem entries.  It's set to time intervals you specify in the config file.  You can set a longer block and that may deter the attackers.  If not, I suggest that you set a permanent iptables ban directly on those specific IPs that keep bothering you.


  iptables -A INPUT -s Offending_IP_ADDRESS -j DROP

Then you save your iptables rules
either
  /sbin/service iptables save
or
  iptables-save > <filename>

https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-iptables-saving.html
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
CENTOS DHCP Server / PXE/TFTP 14 216
VMware Tools Install On Linux Problem 3 103
Samba 4, Users Permission, 5 68
Setup Ubuntu 16.04 to use LDAP for user login and authentication 2 156
Using 'screen' for session sharing, The Simple Edition Step 1: user starts session with command: screen Step 2: other user (logged in with same user account) connects with command: screen -x Done. Both users are connected to the same CLI sessio…
SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question