Displaying 20 results from an estimated 26 matches for "bantime".
2017 Jul 27
1
under another kind of attack
...mes I think it should ;-)
>
> My "mistake" was that I had just *one* fail2ban filter for both cases:
> "wrong password" and "unknown user".
>
> Now I have two distinct jails:
> The first one just for "wrong password" and here the findtime, bantime, retries
> are tolerant to typos.
>
> And I have a new one just for "unknown user" and here my bantime and findtime
> are much bigger and the retries are just '2'. So here I'm much harsher.
> I'll keep an eye on my logs and maybe some more twaeking is neces...
2017 Mar 01
3
fail2ban Asterisk 13.13.1
...systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2017-03-01 00:40:43 PST; 470min ago
Docs: man:fail2ban(1)
jail.local
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = -1
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 300
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
[as...
2013 Oct 04
4
fail2ban
For dovecot 2.1
as per wiki2, is this still valid? noticed a problem before and saw
it does seem to be triggering, I use:
maxretry = 6
findtime = 600
bantime = 3600
and there was like, 2400 hits in 4 minutes, it is pointing to the
correct log file, but I am no expert with fail2ban, so not sure if the
log format of today is compatible with the wiki2 entry
filter.d/dovecot.conf
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication
fail...
2020 Apr 09
2
fail2ban firewalld problems with current CentOS 7
...il2ban.jail [8545]: INFO Initiated 'polling' backend
2020-04-09 09:26:13,838 fail2ban.filter [8545]: INFO maxRetry: 1
2020-04-09 09:26:13,838 fail2ban.filter [8545]: INFO encoding: UTF-8
2020-04-09 09:26:13,839 fail2ban.actions [8545]: INFO banTime: 172800
2020-04-09 09:26:13,839 fail2ban.filter [8545]: INFO findtime: 3600
2020-04-09 09:26:13,840 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766)
2020-04-09 09:26:13,840 fail2ban.fil...
2017 Jul 26
1
under another kind of attack
Olaf Hopp <Olaf.Hopp at kit.edu> wrote:
> And I have a new one just for "unknown user" and here my bantime and findtime
> are much bigger and the retries are just '2'. So here I'm much harsher.
> I'll keep an eye on my logs and maybe some more twaeking is necessary.
Just be careful about typos (like twaeking!): users could simply misspell
their username, or get mixed up with some...
2017 Dec 17
1
ot: fail2ban dovecot setup
...|- Total banned: 0
`- Banned IP list:
(1)
# cat jail.local
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath = /var/log/dovecot.log
maxretry = 5
findtime = 300
bantime = 3600
ignoreip = 127.0.0.1 127.0.0.0/8
[postfx-sasl]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
# sendmail[name=Postfix, dest=you at mail.com]
lo...
2017 Jul 29
1
under another kind of attack
...is: could
my filters overlap or interfere with those suggested by you?
this is my filter:
Contents of /etc/fail2ban/jail.conf:
[postfix]
# Ban for 10 minutes if it fails 6 times within 10 minutes
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 6
bantime = 600
findtime = 600
Contents of /etc/fail2ban/filter.d/postfix.conf:
# Fail2Ban configuration file
# Author: Cyril Jaquier
# $Revision$
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group na...
2016 Mar 10
0
[ISC Crosspost] Novel method for slowing down Locky on Samba server using fail2ban
...r = samba
enabled = true
action = iptables-multiport[name=samba, port="135,139,445,137,138", protocol=tcp]
         mail[name=samba, dest=admin at MYDOMAIN.DE]
logpath = /var/log/syslog
maxretry = 1 #block after first attempt
findtime = 600 #always look at the last 10 minutes
bantime = 86400 #24 hour ban
[samba]
filter = samba
enabled = true
action = iptables-multiport[name=samba, port="135,139,445,137,138", protocol=tcp]
         mail[name=samba, dest=admin at MYDOMAIN.DE]
logpath = /var/log/syslog
maxretry = 1 #Already the first attempt is punisha...
2019 Apr 29
2
faI2ban detecting and banning but nothing happens
...xim banip 45.227.253.100
45.227.253.100
[root at ollie2 ~]# fail2ban-client set exim banip 46.232.112.21
46.232.112.21
[root at ollie2 ~]#
and the lines are still appearing. Here is my jail.local. (I did also try directly editing jail.conf to update the port commands).
[DEFAULT]
# set a higher bantime and findtime
bantime=3600000
findtime=1200
# set the IP's to ignore / not ban
ignoreip = 127.0.0.1/8 10.0.0.0/8
# set max number of attempts
maxretry = 3
# set mail receiver
destemail = fail2ban at ringways.co.uk
sender = fail2ban at ringways.co.uk
# enable sending mails, whois and logfile sect...
2017 Jul 26
0
under another kind of attack
...not an option for us.
Sometimes I think it should ;-)
My "mistake" was that I had just *one* fail2ban filter for both cases:
"wrong password" and "unknown user".
Now I have two distinct jails:
The first one just for "wrong password" and here the findtime, bantime, retries
are tolerant to typos.
And I have a new one just for "unknown user" and here my bantime and findtime
are much bigger and the retries are just '2'. So here I'm much harsher.
I'll keep an eye on my logs and maybe some more twaeking is necessary.
Another interestin...
2019 Apr 26
5
faI2ban detecting and banning but nothing happens
On Friday 19 April 2019 16:15:32 Kenneth Porter wrote:
> On 4/19/2019 5:30 AM, Gary Stainburn wrote:
> > I've followed one of the pages on line specifically for installing fail2ban on
> > Centos 7 and all looks fine.
>
> Which page? It would help to see what they advised.
> On Friday 19 April 2019 16:15:32 Kenneth Porter wrote:
> On 4/19/2019 5:30 AM, Gary Stainburn
2017 Jul 18
5
under some kind of attack
Hi,
Thanks for the quick follow-ups! Much appreciated. After posting this, I
immediately started working on fail2ban. And between my initial posting
and now, fail2ban already blocked 114 IPs.
I have fail2ban with maxretry=1 and bantime=1800
However, it seems almost all IPs are different, and I don't think I can
keep the above settings permanently.
Robert, your iptables suggestions are _very_ interesting! However, will
they also work on imaps/993, because of the ssl?
Thanks for the quick replies!
MJ
On 07/18/2017 09:52...
2018 May 17
2
Decoding SIP register hack
I need some help understanding SIP dialog. Some actor is trying to
access my server, but I can't figure out what he's trying to do, or how.
I'm getting a lot of these warnings.
[May 17 10:08:08] WARNING[1532]: chan_sip.c:4068 retrans_pkt:
Retransmission timeout reached on transmission
_zIr9tDtBxeTVTY5F7z8kD7R.. for seqno 101
With SIP DEBUG I tracked the Call-ID to this INVITE :
2019 Apr 29
0
faI2ban detecting and banning but nothing happens
...ts rather than just the ports defined
for the jail (in /etc/fail2ban/jail.conf). You might also choose to
remove the "-p <protocol>" spec to block all access instead of just TCP
access.
[Definition]
actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
              firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m set --match-set fail2ban-<name> src -j <blocktype>
actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m set --match-set fail2ban-...
2017 Jul 18
1
under some kind of attack
...8 Jul 2017, dovecot-request at dovecot.org wrote:
> Thanks for the quick follow-ups! Much appreciated. After posting this, I
> immediately started working on fail2ban. And between my initial posting
> and now, fail2ban already blocked 114 IPs.
>
> I have fail2ban with maxretry=1 and bantime=1800
>
> However, it seems almost all IPs are different, and I don't think I can
> keep the above settings permanently.
Why not? Limited by firewall rules overload? You could probably use
a persistent DB, can't you?
You can also use a third party RBL that specialized in brute f...
2008 Sep 15
2
fail2ban 0.8
Does anyone have the filter strings for Fail2Ban 0.8 to block Dovecot 1.1 login
failures?
Thanks!
Ciao,
luigi
--
/
+--[Luigi Rosa]--
\
If the odds are a million to one against something occurring,
chances are 50-50 it will.
2017 Jul 18
0
under some kind of attack
Am 18.07.2017 um 22:15 schrieb mj:
> Hi,
>
> Thanks for the quick follow-ups! Much appreciated. After posting this, I
> immediately started working on fail2ban. And between my initial posting
> and now, fail2ban already blocked 114 IPs.
>
> I have fail2ban with maxretry=1 and bantime=1800
>
> However, it seems almost all IPs are different, and I don't think I can
> keep the above settings permanently.
>
> Robert, your iptables suggestions are _very_ interesting! However, will
> they also work on imaps/993, because of the ssl?
i guess not, but typical bo...
2009 Mar 14
3
Account lockout option?
I'm currently using postfix and dovecot, with dovecot authentication
(with saslauthd) using mysql for accounts
Is there any option available for me to help inhibit/prevent
brute-force login attempts?
Thx.
Rick
Rick Steeves
http://www.sinister.net
"The journey is the destination"
2017 Jul 25
10
under another kind of attack
Hi folks,
"somehow" similar to the thread "under some kind of attack" started by "MJ":
I have dovecot shielded by fail2ban which works fine.
But since a few days I see many many IPs per day knocking on
my doors with wrong password and/or users. But the rate at which they are knocking
is very very low. So fail2ban will never catch them.
For example one IP:
Jul 25
2017 Mar 02
3
fail2ban Asterisk 13.13.1
...%(banaction)s[name=%(__name__)s-udp, port="%(port)s",
protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 3
findtime = 300
bantime = -1
in filter.d
asterisk.conf
failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*'
failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No
matching peer found|Not a local domain|Device does not match ACL|Peer is not
supposed...