[SOLVED] fail2ban

Kernels & Hardware, configuring network, installing services

[SOLVED] fail2ban

Postby jalisco » 2019-01-28 13:10

Not specifically a debian question, but I thought I would ask here, in case anyone knows.

I have a email server running, and keep getting this in my mail.log.

Jan 28 14:53:11 mail postfix/smtpd[25880]: connect from unknown[]
Jan 28 14:53:12 mail postfix/smtpd[25880]: lost connection after AUTH from unknown[]
Jan 28 14:53:12 mail postfix/smtpd[25880]: disconnect from unknown[] ehlo=1 auth=0/1 commands=1/2

I have fail2ban installed, but it doesn't seem to be blocking this IP address, after repeated attempts. By repeated, I mean, constant, albeit slowly (maybe half a dozen per every ten minutes--spread across two IP addresses, from Ireland).

Ring a bell for anyone? I will post a solution, if I find one sooner.
Last edited by jalisco on 2019-01-28 18:00, edited 1 time in total.
User avatar
Posts: 94
Joined: 2013-09-01 17:30

Re: fail2ban

Postby GarryRicketson » 2019-01-28 14:17

It has been so long since I last used fail2ban, so I don't remember exactly, but I do remember at first I thought it was not banning repeated attempts, so I looked at the manual;
Code: Select all
man fail2ban

And I found there was a setting option that determines how many attempts before it is banned, the default was much higher then what I wanted, I changed it to ban on the 3rd attempt, and got good results.
I think if you read the manual you will find the information you need, I don't have it handy now, because I am not using Debian or fail2ban, I know I could also search and get it online, but so can you, if you don't have it handy in your system. There also were plenty of details on configuring fail2ban available in the search results, when I had the same problem. I think there also are some threads here on the forum , but do remember clearly I never asked about it myself , here or any where, so maybe there are not any.
==== edited ====
If you showed more specific details on your configuration for fail2ban, some else might be able to see why or where ,and what you need to change.
User avatar
Posts: 5877
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: fail2ban

Postby thinman » 2019-01-28 14:53

It sounds like someone is doing a timed scan to avoid detection. You can change the 'findtime' setting in your fail2ban conf to increase the window of time in which it records attempts. The default is 600 seconds so it won't catch slow scans like that.
Posts: 3
Joined: 2018-11-26 11:18

Re: fail2ban

Postby jalisco » 2019-01-28 15:55

Thanks for the tips and info.

Apparently the man page is:
man fail2ban-client

=) in case anyone is reading this afterwards.

Changed the findtime, increasing it to catch these dripping attacks.Will report back when I have more to report =) thanks again.

The almost immediate result is the banning of one of the offending IPs. I assume the other will also ban within the hour.

Thanks for the tip. Simple way to change the time:

fail2ban-client set <jail name, postfix-auth in my case> findtime 1800

maybe I will make it even higher, but 30 minutes such suffice, maybe I will change it later.

EDIT: Just changed the time to 30 minutes, 3600, and both offending IPs coming out of Ireland, are now in Jail!

Thanks for the help.
User avatar
Posts: 94
Joined: 2013-09-01 17:30

Return to System configuration

Who is online

Users browsing this forum: No registered users and 16 guests