Would you like to tell me how you set your Fail2Ban settings? Mine look like this:

This is mine:

Fail2ban parameters
Ban time (s): 3600
Max. ban time (s): 10000
Ban time is incremented with each ban
Max. attempts: 2
Retry window (s) for max. attempts: 600
IPv4 subnet size to apply ban on (8-32): /16
IPv6 subnet size to apply ban on (8-128): /128


My settings are:

Ban time (s): 3600
Max. ban time (s): 10000
Ban time is incremented with each ban: enabled
Max. attempts: 3
Retry window (s) for max. attempts: 120
IPv4 subnet size to apply ban on (8-32): /32
IPv6 subnet size to apply ban on (8-128): /128

I also blacklist IP addresses that attempt to enter incorrect passwords at regular intervals.

4 months later

You mentioned “I also blacklist IP addresses that attempt to enter incorrect passwords at regular intervals.”

This is what I was kind of digging for today. I see that my mailcow setup has ZERO banned IP addresses. Yet, looking over the last 1000 log entries in Netfilter for “authentication failed”, I get some numbers like this:

Why aren’t these IPs banned? Is it because the 600 s retry window is too large? Are you banning IP addresses manually?

I was told here that I don’t need to do this, but I add IPs to the DOCKER-USER iptables list:

-A DOCKER-USER -s 121.202.0.0/16 -j DROP
-A DOCKER-USER -s 121.229.0.0/16 -j DROP
-A DOCKER-USER -s 122.162.0.0/16 -j DROP
-A DOCKER-USER -s 124.93.0.0/16 -j DROP
-A DOCKER-USER -s 125.72.0.0/16 -j DROP
-A DOCKER-USER -s 129.222.0.0/16 -j DROP
-A DOCKER-USER -s 13.91.0.0/16 -j DROP
-A DOCKER-USER -s 130.255.0.0/16 -j DROP
-A DOCKER-USER -s 144.126.0.0/16 -j DROP
-A DOCKER-USER -s 149.5.0.0/16 -j DROP

This is just a small amount of them.

Every 5.0s: iptables -n -v -L DOCKER-USER | grep -v "0...  mail: Tue Nov 12 15:04:17 2024

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2    88 DROP       0    --  *      *       178.215.0.0/16       0.0.0.0/0
  366 21960 DROP       0    --  *      *       80.94.0.0/16         0.0.0.0/0
    4   176 DROP       0    --  *      *       218.93.0.0/16        0.0.0.0/0
    2    88 DROP       0    --  *      *       165.154.0.0/16       0.0.0.0/0
    1    44 DROP       0    --  *      *       185.242.0.0/16       0.0.0.0/0
   14   616 DROP       0    --  *      *       115.231.0.0/16       0.0.0.0/0
    2   120 DROP       0    --  *      *       199.45.0.0/16        0.0.0.0/0
    5   260 DROP       0    --  *      *       212.184.0.0/16       0.0.0.0/0
    4  1804 DROP       0    --  *      *       194.169.0.0/16       0.0.0.0/0
    2    88 DROP       0    --  *      *       205.210.0.0/16       0.0.0.0/0
    8   480 DROP       0    --  *      *       130.255.0.0/16       0.0.0.0/0
    1    44 DROP       0    --  *      *       198.235.0.0/16       0.0.0.0/0
    6   360 DROP       0    --  *      *       111.70.0.0/16        0.0.0.0/0
    4   288 DROP       0    --  *      *       81.94.0.0/16         0.0.0.0/0
 148K   39M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

So… you’re doing it manually. Don’t think I’m going to be doing that. I see that it must be keeping track, but w/o testing against an IP of my own, I probably can’t see for sure. Getting the hang of the logs stuff, and got a couple charts in Grafana now. I’m kinda watching authentication failure counts, as well as when someone has tried to connect at least twice, so that “one more time, young man!” will get them banned. But it seems a LOT of the botnets, whatever, are coming in under the threshold:

The logs are reporting the “1 more attempt” until ban entries… just 2 for all of today. I upped the attempt window, too, to 3600 seconds (1 hour), but still not catching much.

Note: I only started getting better logging here last night when I straightened out the promtail / loki configs.
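The two questions in this post (why hosts with failures in the log end up with zero bans, and why so many attempts stay "under the threshold") come down to how the retry window and the subnet size interact with the counting. The following is an added toy model written for this thread, not mailcow's own netfilter code, and its bookkeeping is an assumption: failures are counted in a sliding window per subnet, a ban is issued once the count reaches "Max. attempts", and "incremented with each ban" is modelled as doubling capped at "Max. ban time". The log lines and addresses are constructed. It replays the same sample under the thread's /16 + 600 s settings, under /32, and under a one-hour window, so you can see which hosts get banned in each case.

```python
"""Toy model of the Fail2Ban-style counting behind the mailcow UI fields in
this thread (added example, not mailcow's own code; the real bookkeeping may
differ in detail). It shows why failures spaced wider than the retry window
never reach the ban threshold, and what the subnet size does to counting."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not from a real server. Assumed line format:
# "<ISO timestamp> authentication failed from <ip>".
# 203.0.113.10 hammers within a minute; 198.51.100.7 tries once every
# 15 minutes; 192.0.2.1-3 are three hosts in one /16 trying once each.
SAMPLE_LOG = """\
2024-11-12T15:00:00 authentication failed from 203.0.113.10
2024-11-12T15:00:30 authentication failed from 203.0.113.10
2024-11-12T15:01:00 authentication failed from 203.0.113.10
2024-11-12T15:00:05 authentication failed from 198.51.100.7
2024-11-12T15:15:05 authentication failed from 198.51.100.7
2024-11-12T15:30:05 authentication failed from 198.51.100.7
2024-11-12T15:45:05 authentication failed from 198.51.100.7
2024-11-12T15:02:00 authentication failed from 192.0.2.1
2024-11-12T15:02:10 authentication failed from 192.0.2.2
2024-11-12T15:02:20 authentication failed from 192.0.2.3
"""
LINE_RE = re.compile(r"^(\S+) authentication failed from (\S+)$")


class Fail2BanModel:
    def __init__(self, max_attempts=2, retry_window=600, ban_time=3600,
                 max_ban_time=10000, increment=True, v4_subnet=16, v6_subnet=128):
        self.max_attempts = max_attempts
        self.retry_window = timedelta(seconds=retry_window)
        self.ban_time = ban_time
        self.max_ban_time = max_ban_time
        self.increment = increment
        self.v4_subnet = v4_subnet
        self.v6_subnet = v6_subnet
        self.attempts = defaultdict(deque)  # key -> failure timestamps in window
        self.banned_until = {}              # key -> datetime the ban expires
        self.ban_count = defaultdict(int)   # key -> number of bans so far
        self.bans = defaultdict(list)       # key -> ban durations issued (s)

    def key_for(self, ip):
        """Aggregate an address to the subnet a ban is applied on."""
        addr = ipaddress.ip_address(ip)
        prefix = self.v4_subnet if addr.version == 4 else self.v6_subnet
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def record_failure(self, when, ip):
        """Feed one failed login. Returns the ban length in seconds if this
        failure triggered a ban, else None."""
        key = self.key_for(ip)
        # Traffic from a banned subnet is dropped at the firewall, so a
        # failure during an active ban would never be seen; ignore it.
        if key in self.banned_until and when < self.banned_until[key]:
            return None
        window = self.attempts[key]
        window.append(when)
        # Sliding window: forget failures older than the retry window.
        while when - window[0] > self.retry_window:
            window.popleft()
        if len(window) < self.max_attempts:
            return None
        self.ban_count[key] += 1
        n = self.ban_count[key]
        # Assumption: "incremented with each ban" modelled as doubling, capped.
        duration = self.ban_time * (2 ** (n - 1)) if self.increment else self.ban_time
        duration = min(duration, self.max_ban_time)
        self.banned_until[key] = when + timedelta(seconds=duration)
        self.bans[key].append(duration)
        window.clear()
        return duration


def bans_from_log(text, **params):
    """Replay failures in time order; return {subnet: [ban durations]}."""
    model = Fail2BanModel(**params)
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    for when, ip in sorted(events):
        model.record_failure(when, ip)
    return dict(model.bans)


def repeat_offender_durations():
    """Ban lengths for one /16 that comes back after each ban expires."""
    model = Fail2BanModel()
    t = datetime(2024, 11, 12, 15, 0, 0)
    out = []
    for _ in range(3):
        model.record_failure(t, "203.0.113.10")
        out.append(model.record_failure(t + timedelta(seconds=1), "203.0.113.10"))
        t = model.banned_until["203.0.0.0/16"] + timedelta(seconds=10)
    return out


if __name__ == "__main__":
    for label, params in [("thread defaults (/16, 600 s window)", {}),
                          ("per-host bans (/32)", {"v4_subnet": 32}),
                          ("one-hour window", {"retry_window": 3600})]:
        print(label, bans_from_log(SAMPLE_LOG, **params))
    print("repeat offender ban lengths:", repeat_offender_durations())
```

Under the thread's settings the burst from 203.0.113.10 and the three hosts sharing 192.0.0.0/16 both get banned, while 198.51.100.7 never does: each of its failures is more than 600 s from the previous one, so the window never holds two at once, which is exactly the "under the threshold" pattern. Widening the window to 3600 s catches that host; shrinking the subnet to /32 loses the three-host case, because each address only ever contributes one failure.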

    CaptainPalapa
    I never heard of grafana before. I am running on Arch so that is not supported here. And it looks like grafana doesn’t support it either. However there is a grafana package in Arch. I have installed it but it looks like a lot of learning to get something useful out of it.
