On Sat, Aug 03, 2019 at 04:50:05PM +0100, Giles Coochey wrote:
> 
> On 02/08/2019 19:38, Jon LaBadie wrote:
> > On Fri, Aug 02, 2019 at 10:19:49AM -0400, mark wrote:
> > > Fred Smith wrote:
> > > > On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
> > > <MVNCH>
> 
> I've been using fail2ban for some time, I have a number of ports open to the
> Internet - SSH, SMTP, IMAPS, HTTP and HTTPS on my external subnet.
> 
> This thread made me look at how fail2ban was doing, and I noticed that it
> wasn't particularly working too well for SSH, as I have turned off password
> authentication, so I edited the filters a little, and found it started
> filtering some more IPs. I found on my firewall that there were something
> like 500 active connection states to SSH - it looked like a scanning tool
> was just hanging and sending many connections, the same thing for about
> three remote IPs - I put a manual block on these at the firewall.
> 
> The firewall has a block feature, which allows me to enter URLs which point
> to lists of IPs (Blocklists) and block traffic from those IPs at the
> firewall.
> 
> It's designed to use these types of IP feeds: http://iplists.firehol.org/
> 
> Well, there's nothing stopping me running a cron-job on my CentOS boxes to
> do the following:
> 
> iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0" {print $4}' > /tmp/banned
> 
> I can then transfer the banned file to a web-server and block the bad IP
> addresses completely from my network. I like this as if a system is
> brute-forcing my SSH server, I can now block it from all resources on the
> network, and stop the attempts even reaching the internal hosts.

I've found the default 10min bans hardly bother some attackers.
So I've added the "recidive" feature of fail2ban. After the
second 10min ban, the attacker is blocked for 1 week.

jon
-- 
Jon H. LaBadie                 jon at jgcomp.com
 11226 South Shore Rd.         (703) 787-0688 (H)
 Reston, VA  20190             (703) 935-6720 (C)
On 05/08/2019 08:50, Jon LaBadie wrote:
> 
> I've found the default 10min bans hardly bother some attackers.
> So I've added the "recidive" feature of fail2ban. After the
> second 10min ban, the attacker is blocked for 1 week.
> 
Interesting, didn't know about that feature, but, oh, I just generally ban
for a whole week regardless. Yes, I realise that a typo might set it off for
an actual user, but I have other methods of entry to unban if that happens,
and we have a number of whitelisted IPs that cover most things like that for
most use cases, and a VPN within the whitelist that can be used if the public
services get locked out.
> I've found the default 10min bans hardly bother some attackers.
> So I've added the "recidive" feature of fail2ban. After the
> second 10min ban, the attacker is blocked for 1 week.
> 
Oh definitely. My systems are set to "3 bans and you're out" - a
recidive ban is permanent after three other bans. I have large parts
of some subnets in my ban list as attackers just move from one host to
another as they get banned.

P.
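The cron job Giles describes above (scraping the REJECT rules out of `iptables -L -n` into a blocklist file) and the subnet-wide bans Pete mentions, combined into one added example. This is not code from the thread or from fail2ban itself; the iptables listing below is a constructed sample, and the choice to widen to a whole /24 once three distinct hosts in it have been banned is an assumed threshold, not a value anyone in the thread gave.

```shell
#!/bin/sh
# Added example, not code from the thread: build a one-entry-per-line
# blocklist from an `iptables -L -n` listing, then widen it to whole /24s
# once enough hosts in the same /24 have been banned. The threshold of
# three hosts per /24 is an assumed value.

# Read an `iptables -L -n` listing on stdin (no -v, so the columns are
# target prot opt source destination) and print the source address of every
# REJECT or DROP rule that names a specific IPv4 host, deduplicated.
# fail2ban puts its bans in per-jail chains such as f2b-sshd, which this
# listing walks through just like any other chain.
extract_banned() {
    awk '($1=="REJECT" || $1=="DROP") && $4!="0.0.0.0/0" &&
         $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $4}' | LC_ALL=C sort -u
}

# Read one IPv4 address per line on stdin. Print each /24 that contains at
# least $1 distinct banned hosts as a CIDR, and every other address on its
# own. Output is sorted so successive runs of the cron job diff cleanly.
widen_to_subnets() {
    threshold="$1"
    awk -v t="$threshold" '
        /^$/ { next }
        {
            split($0, o, ".")
            net = o[1] "." o[2] "." o[3]
            n[net]++
            hosts[net] = hosts[net] " " $0
        }
        END {
            for (net in n) {
                if (n[net] >= t) {
                    print net ".0/24"
                } else {
                    m = split(hosts[net], a, " ")
                    for (i = 1; i <= m; i++) print a[i]
                }
            }
        }' | LC_ALL=C sort
}

# Constructed sample of `iptables -L -n` output: the INPUT chain jumping to a
# fail2ban chain, three banned hosts in 198.51.100.0/24 (one of them listed
# twice) and one in 203.0.113.0/24. Addresses are documentation ranges.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  198.51.100.23        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  198.51.100.23        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  198.51.100.45        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  198.51.100.201       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  203.0.113.77         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# Plain per-host list, as the one-liner in the thread produces it.
banned_from_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | extract_banned
}

# The same list after widening to /24s at the assumed threshold of 3.
blocklist_from_sample() {
    banned_from_sample | widen_to_subnets 3
}

# On a real host the cron job would be:
#   iptables -L -n | extract_banned | widen_to_subnets 3 > /tmp/banned
blocklist_from_sample
```

Whatever fetches the resulting file should treat it as a plain list of IPv4 hosts and CIDRs, the same shape the firehol feeds Giles links to use; widening is done on the CentOS side so the firewall only ever sees the finished list.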
On 05/08/2019 09:18, Pete Biggs wrote:
>> I've found the default 10min bans hardly bother some attackers.
>> So I've added the "recidive" feature of fail2ban. After the
>> second 10min ban, the attacker is blocked for 1 week.
>> 
> Oh definitely. My systems are set to "3 bans and you're out" - a
> recidive ban is permanent after three other bans. I have large parts
> of some subnets in my ban list as attackers just move from one host to
> another as they get banned.
> 
> P.
> 
I worked for a company some time back that had an association with a South
African company who wanted to host some infrastructure in our data centre. The
network admin there wanted a specific configuration for outbound source NAT
from a certain host that would scroll through a list of source NAT IP addresses
(think a whole /24) for every connection attempt; pretty sure it was for
sending unsolicited emails. In any case the association with that company
didn't last and I took redundancy after less than a year there.
On Mon, Aug 05, 2019 at 09:00:23AM +0100, Giles Coochey wrote:
> 
> On 05/08/2019 08:50, Jon LaBadie wrote:
> > 
> > I've found the default 10min bans hardly bother some attackers.
> > So I've added the "recidive" feature of fail2ban. After the
> > second 10min ban, the attacker is blocked for 1 week.
> > 
> Interesting, didn't know about that feature, but, oh, I just generally ban
> for a whole week regardless,

Ahh, but with recidive, the ban and unban are automatic.

jl
-- 
Jon H. LaBadie                 jon at jgcomp.com
 11226 South Shore Rd.         (703) 787-0688 (H)
 Reston, VA  20190             (703) 935-6720 (C)