New on LowEndTalk? Please Register and read our Community Rules.
Comments
Here's the cron script if anyone's interested.
Create a VPS that you use as VPN, on the main VPS/Dedicated only allow logins using the IP of the secondary VPS.
fail2ban is pretty overrated imo. There is no way to permaban an IP, I always spend about an hour setting it up and configuring it for every new server - it doesn't matter what operating system it is either - there is always some tweaking to get it working right.
Recidive won't block forever - wtf?
I'd probably bet 20% of the people that have it configured did it wrong and it's actually doing nothing.
I ran BFD for around 5 years and there were thousands of entries in my deny file - no idea if this is a bad idea but the log files were way quieter than with fail2ban
I actually generate a blacklist file and iterate it in a script and add it to iptables. But yeah it's getting messy there
It seems to me that this is not a case where generalizations are useful. I use fail2ban and no root login. The latter takes care of 99.99 percent it seems like, since they all try to guess the root password, which would be useless for login. I tend to use 12-digit passwords and I set fail2ban to 10 days mostly. How long would it take somebody using this so-called "slow" method? They would have 2 guesses per 10 days to figure out a user name, then when they got that they'd have another 2 guesses per 10 days to get a 12-digit password. If they got that far, they'd then have 2 guesses per 10 days to guess the root password. You do the math*.
That said, I'm under no illusion that there isn't some other way in which I have yet to learn about. On my personal mail relay I've set fail2ban to allow 2 tries as well, and of course the same 10 day ban. In that case they would only have to guess the user names, which would not actually be that easy since there are very few of them.
*Yes I'm aware that an attacker will keep changing IP, but it seems in practice that they have limited amounts of those, and 2 tries is still not enough under those circumstances, since they seem to have their own delay as well.
Consider these dovecot auth log entries (which are real except for the 'domain.com'):
Do they represent 4 random hackers, or are they conceivably part of a coordinated effort?
Hey you guys, who have the honey pot, can you take a look at what they're going to do after login?
I am very curious. XD
Alright Sir, we will help you with your math. It's over 9000 according to my 500IQ.
Well this has worked out nicely I think.
Changes:
Blocking:
Effect on my users:
Collateral damage:
Feedback appreciated!
But why can't it be forever? I don't get it...
IP addresses come and go... it doesn't let that many queries through.
Sounds great, how are you blocking /24s that aren't in US or Canada? I like this strategy, just don't get how you can do it automagically and on the fly...
The problem with fail2ban and similar common security tools is often not the tool (which is reasonably well developed, and does what it says) but the user. A large percentage of users install these tools in a belief that doing so makes them secure (as if 100% secure is possible), it doesn't.
What's worse is this can lead to issues later on (something we see reasonably often) when incorrect IPs get banned (made even better by some users who don't even know they installed fail2ban/csf etc). A common cause of this is CSF more so than fail2ban, due to bans enacted on UDP ports or on unallocated ports (aka port scan protection), both of which are vulnerable to bans on spoofed addresses (targeting infrastructure, large clients or even other players on games that disclose player IPs).
If you close all your ports (-j DROP), and only connect to SSH using Port Knocking, nobody will scan your box anymore, because all ports will timeout.
The only port that needs to be open is 80, and you have Cloudflare for that.
I created an ipset called 'whitelist' and then downloaded & imported CIDR-format files from ipdeny.com
The loadwhite.sh script:
Then you can test an IP against the whitelist.
A couple of suggestions on this ipset approach: rather than adding each IP with a loop (which is painfully painful for big sets, even more for sets meant to be updated on a daily or weekly basis) you may want to create an ipset restore list to import, and before that you may want to optimize its performance; both goals may be accomplished with iprange's print-prefix, ipset-reduce and ipset-reduce-entries switches.
Fun stats! Failed authentications for smtp/imap/pop are now down to barely a handful per day.
Here's the number of unique /24s blocked during the past week.
It's almost useless nowadays imo. Only gets very low-hanging fruit. Most bots spread scans out over hundreds/thousands of IPs with a large amount of time between hits on the same IP. So then you gotta increase your scan time, which increases the likelihood of false positives and banning legitimate stuff.
It's almost not worth it for the amount of administrative overhead it adds fiddling around with it. I just use the SSH filters. Binary installs are usually configured to do that by default so no real setup required.
I suppose it's useful to reduce noise/logging activity but not much else.
You haven't read the thread?
The script kiddies are about 10 steps ahead of you. They know all about fail2ban and exactly how to get around it. So you are just stopping the lowest-hanging fruit by fiddling with scan/ban times etc and trying to optimize filters etc. It's a never-ending thing once you start doing that.
If you don't want opinions why are you starting threads?
That's not what I'm doing. But I accept your input, thanks
What are you doing?
That's where reading the thread comes in
sounds great!
would you care to share the complete set of scripts you use to accomplish this?
TIA,
Ewald...
It's all in the thread except ... I don't think he left anything out.
-- download the whitelists, add to ipset with the loadwhite script
-- run the other script he posted via cron job to block forever.
Then, take both the blue and red pills, and join the rave.
You're right, most of it is there. Just need to set up the blacklist as well, and would need to change this part a little if I wanted to block on /24 subnets as @sleddog mentioned (and change the ipset ipBlack to hash:net).
There are a couple of IPs where MaxMind's geolocation seems to differ from the ipdeny zones, but that is to be expected I guess.
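The two pieces discussed above, the ipset restore list suggested for the whitelist and the /24-wide hash:net blacklist, fit together in one script. What follows is an added example written for this thread, not a script posted by anyone in it: it parses dovecot-style auth-failure lines (the sample lines are constructed, not real logs), counts distinct failing hosts per /24 so that slow, distributed attempts from one subnet add up even when each address only tries once, skips any /24 that overlaps a whitelisted zone file, and emits an `ipset restore` list for a `hash:net` set named ipBlack (the set name is taken from the post above; the whitelist CIDR and the log format are assumptions). Loading the result with `ipset restore < file` replaces the per-IP add loop with a single call.

```python
"""Added example (not from the thread): aggregate dovecot auth failures per /24,
skip whitelisted networks, and emit an `ipset restore` list for a hash:net set."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in dovecot imap-login auth-failure style (not real data).
# Three hosts in 203.0.113.0/24 fail once each: a "slow" attack no per-IP ban catches.
SAMPLE_LOG = """\
Jan 10 03:12:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.14, lip=192.0.2.1
Jan 10 04:45:22 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.1
Jan 10 05:01:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.201, lip=192.0.2.1
Jan 10 06:30:41 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.1
Jan 10 07:00:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.1
Jan 10 07:00:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.56, lip=192.0.2.1
Jan 10 07:00:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.57, lip=192.0.2.1
"""

# Constructed whitelist, one CIDR per line as in the ipdeny zone files (assumption:
# in practice this is the concatenation of the country files you downloaded).
WHITELIST_CIDRS = ["192.0.2.0/24"]

# 'rip=' is dovecot's remote IP field; only auth-failure lines are matched.
RIP_RE = re.compile(r"auth failed.*?\brip=(\d{1,3}(?:\.\d{1,3}){3})")


def extract_failed_ips(log_text):
    """Return the remote IP of every auth-failure line, in log order."""
    return [m.group(1) for m in (RIP_RE.search(line) for line in log_text.splitlines()) if m]


def count_hosts_by_slash24(ips):
    """Map each /24 to the number of DISTINCT failing hosts in it.

    Counting distinct hosts (not attempts) means one noisy host cannot get its
    whole /24 banned on its own, but many quiet hosts in one subnet do add up."""
    hosts_per_net = {}
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        hosts_per_net.setdefault(net, set()).add(ip)
    return {net: len(hosts) for net, hosts in hosts_per_net.items()}


def load_whitelist(cidrs):
    """Parse CIDR strings (zone-file format) into network objects."""
    return [ipaddress.ip_network(c.strip()) for c in cidrs if c.strip()]


def is_whitelisted(net, whitelist):
    """True if the candidate /24 overlaps any whitelisted network at all,
    so a /24 is never blocked just because part of it is foreign."""
    return any(net.overlaps(w) for w in whitelist)


def select_blocks(counts, whitelist, min_hosts=2):
    """Pick /24s with at least min_hosts distinct failing hosts, minus the whitelist."""
    return sorted(net for net, n in counts.items()
                  if n >= min_hosts and not is_whitelisted(net, whitelist))


def ipset_restore_lines(nets, setname="ipBlack"):
    """Build an `ipset restore` script: create the hash:net set if it does not
    exist yet, then add each network. '-exist' makes repeated cron runs idempotent."""
    lines = [f"create {setname} hash:net -exist"]
    lines += [f"add {setname} {net} -exist" for net in nets]
    return "\n".join(lines) + "\n"


def build_blocklist(log_text=SAMPLE_LOG, whitelist_cidrs=WHITELIST_CIDRS, min_hosts=2):
    """End-to-end: log text in, ipset restore text out."""
    counts = count_hosts_by_slash24(extract_failed_ips(log_text))
    nets = select_blocks(counts, load_whitelist(whitelist_cidrs), min_hosts)
    return ipset_restore_lines(nets)


if __name__ == "__main__":
    # Pipe this into `ipset restore`; the matching iptables rule would be
    # -A INPUT -m set --match-set ipBlack src -j DROP
    print(build_blocklist(), end="")
```

With the sample data, 192.0.2.0/24 is skipped because it is whitelisted and 198.51.100.0/24 is skipped because only one host failed there, so the output contains exactly one `add` line for 203.0.113.0/24. The threshold and the distinct-host counting are the two knobs that decide how aggressive the /24 blocking is; raising `min_hosts` reduces collateral damage at the cost of letting slower subnets through.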
Why not use ssh keys and clear the logs periodically? Or change the ssh port/disable root login. I found that these script kiddies tend to try to login to root or names like admin.
Sure, and the best option is to combine security features. In my case I also run an IMAPS server, authenticated SMTP and webserver logins. So there is more to protect than ssh.
Some of the attacks on the IMAPS server are very stealthy, less than one try per hour, so that's where a tool like this would come in handy.