Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 223
  • Last Modified:

The endless cat and mouse game of fail2ban

Hello!

I'm not sure if it's a problem to begin with, but the situation is that run Postfix as a mail server on my computer. Almost a year ago because of numerous failed login attempts I installed fail2ban. It does its job. But it's kinda strange for my taste. It bans an IP, after a few hours unbans it, then after half an hour bans again etc. etc. Some bots try to log in once every 20 minutes to escape the ban.

The load average of the server seems to be fine. Approx 0,20

So my question is... Does it all fall within something normal or it requires some action on my part? Or a login attempt once in 20 minutes is something so light for the server so it's best to ignore it?
0
papa kota
Asked:
papa kota
  • 2
1 Solution
 
Dr. KlahnPrincipal Software EngineerCommented:
Depends on how much loading there is on your incoming SMTP.  If you're getting one attempt every 20 minutes overall, the loading is negligible though the annoyance is not.  But if 200 different IPs are each making one attempt every 20 minutes, then it's worth addressing.  It's possible that if you crank up the ban length, some of the bots will get wise and leave the site alone.

I found the following helpful:

Install iptables, add the geoip module, and drop everything from the Middle East, Russia and the Balkans, South America, Africa, and the Far East.  Alternatively, permit only from the US, Canada, and European countries.  This cut spam issues by well over 90% on my system, and it drops the connect before it gets to postfix, so no postfix log entries.

But the other side of that is, nobody in the banned areas will ever be able to contact you by email for any reason, valid or not.

(But just cutting out China, Russia, Korea and the Balkans will kill about 50% of attempts, and it's unlikely you'll have any wanted email from there.)
0
 
papa kotaAuthor Commented:
Yeah, that's a great advice to cut out Russia, especially considering that I'm sitting just outside Moscow :-)

Actually, so far it was a login attempt every 15 to 20 minutes from just one IP. I checked it and it's Seichelles. Something tells me that it's probably a fake IP (I don't know if bots can do that).

Of course, I can set findtime to something like 2 hours and then the fourth attempt would be within 90 minutes and it would trigger the ban. Though I don't know if it's a good idea overall?
0
 
Dr. KlahnPrincipal Software EngineerCommented:
Ha!  Didn't notice that.  But, "pravda nyet izvestia."
0
 
serialbandCommented:
Fail2ban watches the logs for activity, then runs iptables on problem entries.  It's set to time intervals you specify in the config file.  You can set a longer block and that may deter the attackers.  If not, I suggest that you set a permanent iptables ban directly on those specific IPs that keep bothering you.


  iptables -A INPUT -s Offending_IP_ADDRESS -j DROP

Then you save your iptables rules
either
  /sbin/service iptables save
or
  iptables-save > <filename>

https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-iptables-saving.html
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now