Would you like to tell me how you set your Fail2Ban settings? Mine look like this: [upl-image-preview url=https://community.mailcow.email/assets/files/2024-07-17/1721196978-428261-image.png]

Fai2Ban Settings

Ganzjahresgriller

Would you like to tell me how you set your Fail2Ban settings? Mine look like this:

maybl8

This is mine:

Fail2ban parameters
Ban time (s):
3600
Max. ban time (s):
10000
 Ban time is incremented with each ban
Max. attempts:
2
Retry window (s) for max. attempts:
600
IPv4 subnet size to apply ban on (8-32):
/
16
IPv6 subnet size to apply ban on (8-128):
/
128

ikrsdo

my settings are;

Ban time (s): 3600
Max. ban time (s): 10000
Ban time is incremented with each ban: enabled
Max. attempts: 3
Retry window (s) for max. attempts: 120
IPv4 subnet size to apply ban on (8-32): /32
IPv6 subnet size to apply ban on (8-128): /128

I also blacklist IP addresses that attempt to enter incorrect passwords at regular intervals.

CaptainPalapa

You mentioned “I also blacklist IP addresses that attempt to enter incorrect passwords at regular intervals.”

This is what I was kind of digging for today. I see that my mailcow setup has ZERO banned IP addresses. Yet, looking over the last 1000 log entries in Netfilter for “authentication failed”, I get some numbers like this:

Why aren’t these IP’s banned? Is it because 600 retry window is too large? Are you banning IP addresses manually?

maybl8

I was told here that I don’t need to do this but I add ip’s to the DOCKER-USER iptables list:

-A DOCKER-USER -s 121.202.0.0/16 -j DROP
-A DOCKER-USER -s 121.229.0.0/16 -j DROP
-A DOCKER-USER -s 122.162.0.0/16 -j DROP
-A DOCKER-USER -s 124.93.0.0/16 -j DROP
-A DOCKER-USER -s 125.72.0.0/16 -j DROP
-A DOCKER-USER -s 129.222.0.0/16 -j DROP
-A DOCKER-USER -s 13.91.0.0/16 -j DROP
-A DOCKER-USER -s 130.255.0.0/16 -j DROP
-A DOCKER-USER -s 144.126.0.0/16 -j DROP
-A DOCKER-USER -s 149.5.0.0/16 -j DROP

This is just a small amount of them.

Every 5.0s: iptables -n -v -L DOCKER-USER | grep -v "0...  mail: Tue Nov 12 15:04:17 2024

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2    88 DROP       0    --  *      *       178.215.0.0/16       0.0.0.0/0
  366 21960 DROP       0    --  *      *       80.94.0.0/16         0.0.0.0/0
    4   176 DROP       0    --  *      *       218.93.0.0/16        0.0.0.0/0
    2    88 DROP       0    --  *      *       165.154.0.0/16       0.0.0.0/0
    1    44 DROP       0    --  *      *       185.242.0.0/16       0.0.0.0/0
   14   616 DROP       0    --  *      *       115.231.0.0/16       0.0.0.0/0
    2   120 DROP       0    --  *      *       199.45.0.0/16        0.0.0.0/0
    5   260 DROP       0    --  *      *       212.184.0.0/16       0.0.0.0/0
    4  1804 DROP       0    --  *      *       194.169.0.0/16       0.0.0.0/0
    2    88 DROP       0    --  *      *       205.210.0.0/16       0.0.0.0/0
    8   480 DROP       0    --  *      *       130.255.0.0/16       0.0.0.0/0
    1    44 DROP       0    --  *      *       198.235.0.0/16       0.0.0.0/0
    6   360 DROP       0    --  *      *       111.70.0.0/16        0.0.0.0/0
    4   288 DROP       0    --  *      *       81.94.0.0/16         0.0.0.0/0
 148K   39M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

CaptainPalapa

So… you’re doing it manually. Don’t think I’m going to be doing that. I see that it must be keeping track, but w/o testing against an IP of my own, I probably can’t see for sure. Getting the hang of the logs stuff, and got a couple charts in Grafana now. I’m kinda watching authentication failure counts, as well as when someone has tried to connect at least twice, so that “one more time, young man!” will get them banned. But it seems a LOT of the botnets, whatever, are coming in under the threshold:

The logs are reporting the “1 more attempt” til ban entries… just 2 for all of today. I upped the attempt window, too, to 3600 seconds (1 hour), but still not catching much.

Note: I only started getting better logging here last night when I straightened out the promtail / loki configs.

maybl8

CaptainPalapa
I never heard of grafana before. I am running on Arch so that is not supported here. And it looks like grafana doesn’t support it either. However there is a grafana package in Arch. I have installed it but it looks like a lot of learning to get something useful out of it.