Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

The endless cat and mouse game of fail2ban

Posted on 2016-10-10
4
Medium Priority
?
203 Views
Last Modified: 2016-10-12
Hello!

I'm not sure if it's a problem to begin with, but the situation is that run Postfix as a mail server on my computer. Almost a year ago because of numerous failed login attempts I installed fail2ban. It does its job. But it's kinda strange for my taste. It bans an IP, after a few hours unbans it, then after half an hour bans again etc. etc. Some bots try to log in once every 20 minutes to escape the ban.

The load average of the server seems to be fine. Approx 0,20

So my question is... Does it all fall within something normal or it requires some action on my part? Or a login attempt once in 20 minutes is something so light for the server so it's best to ignore it?
0
Comment
Question by:papa kota
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 29

Expert Comment

by:Dr. Klahn
ID: 41837670
Depends on how much loading there is on your incoming SMTP.  If you're getting one attempt every 20 minutes overall, the loading is negligible though the annoyance is not.  But if 200 different IPs are each making one attempt every 20 minutes, then it's worth addressing.  It's possible that if you crank up the ban length, some of the bots will get wise and leave the site alone.

I found the following helpful:

Install iptables, add the geoip module, and drop everything from the Middle East, Russia and the Balkans, South America, Africa, and the Far East.  Alternatively, permit only from the US, Canada, and European countries.  This cut spam issues by well over 90% on my system, and it drops the connect before it gets to postfix, so no postfix log entries.

But the other side of that is, nobody in the banned areas will ever be able to contact you by email for any reason, valid or not.

(But just cutting out China, Russia, Korea and the Balkans will kill about 50% of attempts, and it's unlikely you'll have any wanted email from there.)
0
 

Author Comment

by:papa kota
ID: 41837705
Yeah, that's a great advice to cut out Russia, especially considering that I'm sitting just outside Moscow :-)

Actually, so far it was a login attempt every 15 to 20 minutes from just one IP. I checked it and it's Seichelles. Something tells me that it's probably a fake IP (I don't know if bots can do that).

Of course, I can set findtime to something like 2 hours and then the fourth attempt would be within 90 minutes and it would trigger the ban. Though I don't know if it's a good idea overall?
0
 
LVL 29

Expert Comment

by:Dr. Klahn
ID: 41837708
Ha!  Didn't notice that.  But, "pravda nyet izvestia."
0
 
LVL 30

Accepted Solution

by:
serialband earned 2000 total points
ID: 41839441
Fail2ban watches the logs for activity, then runs iptables on problem entries.  It's set to time intervals you specify in the config file.  You can set a longer block and that may deter the attackers.  If not, I suggest that you set a permanent iptables ban directly on those specific IPs that keep bothering you.


  iptables -A INPUT -s Offending_IP_ADDRESS -j DROP

Then you save your iptables rules
either
  /sbin/service iptables save
or
  iptables-save > <filename>

https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-iptables-saving.html
0

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Fine Tune your automatic Updates for Ubuntu / Debian
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Suggested Courses

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question