Displaying 20 results from an estimated 26 matches for "bantim".

2017 Jul 27
1
under another kind of attack
...mes I think it should ;-) > > My "mistake" was that I had just *one* fail2ban filter for both cases: > "wrong password" and "unknown user". > > Now I have two distinct jails: > The first one just for "wrong password" and here the findtime, bantime, retries > are tolerant to typos. > > And I have a new one just for "unknown user" and here my bantime and findtime > are much bigger and the retries are just '2'. So here I'm much harsher. > I'll keep an eye on my logs and maybe some more twaeking is nece...
2017 Mar 01
3
fail2ban Asterisk 13.13.1
...systemctl status fail2ban ● fail2ban.service - Fail2Ban Service Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2017-03-01 00:40:43 PST; 470min ago Docs: man:fail2ban(1) jail.local [DEFAULT] # "bantime" is the number of seconds that a host is banned. bantime = -1 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 300 # "maxretry" is the number of failures before a host get banned. maxretry = 3 [a...
2013 Oct 04
4
fail2ban
For dovecot 2.1 as per wiki2, is this still valid? noticed a problem before and saw it does seem to be triggering, I use: maxretry = 6 findtime = 600 bantime = 3600 and there was like, 2400 hits in 4 minutes, it is pointing to the correct log file, but I am no expert with fail2ban, so not sure if the log format of today is compatible with the wiki2 entry filter.d/dovecot.conf [Definition] failregex = (?: pop3-login|imap-login): (?:Authentication fai...
2020 Apr 09
2
fail2ban firewalld problems with current CentOS 7
...il2ban.jail [8545]: INFO Initiated 'polling' backend 2020-04-09 09:26:13,838 fail2ban.filter [8545]: INFO maxRetry: 1 2020-04-09 09:26:13,838 fail2ban.filter [8545]: INFO encoding: UTF-8 2020-04-09 09:26:13,839 fail2ban.actions [8545]: INFO banTime: 172800 2020-04-09 09:26:13,839 fail2ban.filter [8545]: INFO findtime: 3600 2020-04-09 09:26:13,840 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766) 2020-04-09 09:26:13,840 fail2ban.fi...
2017 Jul 26
1
under another kind of attack
Olaf Hopp <Olaf.Hopp at kit.edu> wrote: > And I have a new one just for "unknown user" and here my bantime and findtime > are much bigger and the retries are just '2'. So here I'm much harsher. > I'll keep an eye on my logs and maybe some more twaeking is necessary. Just be careful about typos (like twaeking!): users could simply misspell their username, or get mixed up with some...
2017 Dec 17
1
ot: fail2ban dovecot setup
...|- Total banned: 0 `- Banned IP list: (1) # cat jail.local [dovecot-pop3imap] enabled = true filter = dovecot-pop3imap action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp] logpath = /var/log/dovecot.log maxretry = 5 findtime = 300 bantime = 3600 ignoreip = 127.0.0.1 127.0.0.0/8 [postfx-sasl] enabled = true filter = postfix-sasl action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp] # sendmail[name=Postfix, dest=you at mail.com] l...
2017 Jul 29
1
under another kind of attack
...is: could my filters overlap or interfere with those suggested by you? this is my filter: Contents of /etc/fail2ban/jail.conf: [postfix] # Ban for 10 minutes if it fails 6 times within 10 minutes enabled = true port = smtp,ssmtp filter = postfix logpath = /var/log/mail.log maxretry = 6 bantime = 600 findtime = 600 Contents of /etc/fail2ban/filter.d/postfix.conf: # Fail2Ban configuration file # Author: Cyril Jaquier # $Revision$ [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group n...
2016 Mar 10
0
[ISC Crosspost] Novel method for slowing down Locky on Samba server using fail2ban
...r = samba enabled = true action = iptables-multiport[name=samba, port="135,139,445,137,138", protocol=tcp] mail[name=samba, dest=admin at MYDOMAIN.DE] logpath = /var/log/syslog maxretry = 1 #block after first attempt findtime = 600 #always look at the last 10 minutes bantime = 86400 #24 hour ban [samba] filter = samba enabled = true action = iptables-multiport [name = samba, port = "135,139,445,137,138" protocol = tcp] mail [name = samba, dest=admin at MYDOMAIN.DE] logpath = / var / log / syslog maxretry = 1 #Schon the first attempt is punish...
2019 Apr 29
2
fail2ban detecting and banning but nothing happens
...xim banip 45.227.253.100 45.227.253.100 [root at ollie2 ~]# fail2ban-client set exim banip 46.232.112.21 46.232.112.21 [root at ollie2 ~]# and the lines are still appearing. Here is my jail.local. (I did also try directly editing jail.conf to update the port commands). [DEFAULT] # set a higher bantime and findtime bantime=3600000 findtime=1200 # set the IP's to ignore / not ban ignoreip = 127.0.0.1/8 10.0.0.0/8 # set max number of attempts maxretry = 3 # set mail receiver destemail = fail2ban at ringways.co.uk sender = fail2ban at ringways.co.uk # enable sending mails, whois and logfile sec...
2017 Jul 26
0
under another kind of attack
...not an option for us. Sometimes I think it should ;-) My "mistake" was that I had just *one* fail2ban filter for both cases: "wrong password" and "unknown user". Now I have two distinct jails: The first one just for "wrong password" and here the findtime, bantime, retries are tolerant to typos. And I have a new one just for "unknown user" and here my bantime and findtime are much bigger and the retries are just '2'. So here I'm much harsher. I'll keep an eye on my logs and maybe some more twaeking is necessary. Another interesti...
2019 Apr 26
5
fail2ban detecting and banning but nothing happens
On Friday 19 April 2019 16:15:32 Kenneth Porter wrote: > On 4/19/2019 5:30 AM, Gary Stainburn wrote: > > I've followed one of the pages on line specifically for installing fail2ban on > > Centos 7 and all looks fine. > > Which page? It would help to see what they advised. > On Friday 19 April 2019 16:15:32 Kenneth Porter wrote: > On 4/19/2019 5:30 AM, Gary Stainburn
2017 Jul 18
5
under some kind of attack
Hi, Thanks for the quick follow-ups! Much appreciated. After posting this, I immediately started working on fail2ban. And between my initial posting and now, fail2ban already blocked 114 IPs. I have fail2ban with maxretry=1 and bantime=1800 However, it seems almost all IPs are different, and I don't think I can keep the above settings permanently. Robert, your iptables suggestions are _very_ interesting! However, will they also work on imaps/993, because of the ssl? Thanks for the quick replies! MJ On 07/18/2017 09:52...
2018 May 17
2
Decoding SIP register hack
I need some help understanding SIP dialog. Some actor is trying to access my server, but I can't figure out what he's trying to do, or how. I'm getting a lot of these warnings. [May 17 10:08:08] WARNING[1532]: chan_sip.c:4068 retrans_pkt: Retransmission timeout reached on transmission _zIr9tDtBxeTVTY5F7z8kD7R.. for seqno 101 With SIP DEBUG I tracked the Call-ID to this INVITE :
2019 Apr 29
0
fail2ban detecting and banning but nothing happens
...ts rather than just the ports defined for the jail (in /etc/fail2ban/jail.conf). You might also choose to remove the "-p <protocol>" spec to block all access instead of just TCP access. [Definition] actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime> firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m set --match-set fail2ban-<name> src -j <blocktype> actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m set --match-set fail2ban...
2017 Jul 18
1
under some kind of attack
...8 Jul 2017, dovecot-request at dovecot.org wrote: > Thanks for the quick follow-ups! Much appreciated. After posting this, I > immediately started working on fail2ban. And between my initial posting > and now, fail2ban already blocked 114 IPs. > > I have fail2ban with maxretry=1 and bantime=1800 > > However, it seems almost all IPs are different, and I don't think I can > keep the above settings permanently. Why not? Limited by firewall rules overload? You could probably use a persistent DB, can't you? You can also use a third party RBL that specialized in brute...
2008 Sep 15
2
fail2ban 0.8
Does anyone have the filter strings for Fail2Ban 0.8 to block Dovecot 1.1 login failures? Thanks! Ciao, luigi -- / +--[Luigi Rosa]-- \ If the odds are a million to one against something occurring, chances are 50-50 it will.
2017 Jul 18
0
under some kind of attack
On 18.07.2017 at 22:15, mj wrote: > Hi, > > Thanks for the quick follow-ups! Much appreciated. After posting this, I > immediately started working on fail2ban. And between my initial posting > and now, fail2ban already blocked 114 IPs. > > I have fail2ban with maxretry=1 and bantime=1800 > > However, it seems almost all IPs are different, and I don't think I can > keep the above settings permanently. > > Robert, your iptables suggestions are _very_ interesting! However, will > they also work on imaps/993, because of the ssl? I guess not, but typical b...
2009 Mar 14
3
Account lockout option?
I'm currently using postfix and dovecot, with dovecot authentication (with saslauthd) using mysql for accounts Is there any option available for me to help inhibit/prevent brute-force login attempts? Thx. Rick Rick Steeves http://www.sinister.net "The journey is the destination"
2017 Jul 25
10
under another kind of attack
Hi folks, "somehow" similar to the thread "under some kind of attack" started by "MJ": I have dovecot shielded by fail2ban which works fine. But since a few days I see many many IPs per day knocking on my doors with wrong password and/or users. But the rate at which they are knocking is very very low. So fail2ban will never catch them. For example one IP: Jul 25
2017 Mar 02
3
fail2ban Asterisk 13.13.1
...%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] logpath = /var/log/asterisk/messages maxretry = 3 findtime = 300 bantime = -1 in filter.d asterisk.conf failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not suppose...