Fail2ban is a program that scans server log files and bans IP addresses suspected of malicious activity.
Questions tagged [fail2ban]
21 questions
5
votes
3 answers
Does blocking an IP with iptables protect you from a DoS (not DDoS) attack?
I am fairly new to network security, and I just learned about the Fail2Ban framework you can use for automated exploit detection/prevention. It says that you can protect yourself from DoS attacks by setting up a rule that will automatically block…
Jon Ferguson
3
votes
1 answer
What should the output of fail2ban postfix-sasl look like?
I want to be sure that fail2ban is properly banning failed Postfix SASL login attempts.
When I do iptables -L I can see a list of banned hosts for SSHD, but I can't figure out a way to see banned hosts for SASL.
Postfix SASL is enabled, which I can…
Aleksandar Pavić
2
votes
2 answers
Using fail2ban for detecting suspicious activity within a webserver
I know that fail2ban is mostly used for blocking IPs trying to brute force an SSH endpoint and other stuff like that.
However, I am wondering if you could also use fail2ban to detect (not necessarily prevent) suspicious activity within a…
cis
2
votes
1 answer
Blocking slowloris using fail2ban, what are the correct parameters?
I have a fail2ban rule for Apache2 logs which looks like this:
[Definition]
failregex = ^[^ ]+ .* \[\] "[^\"]*" 408 \d+
This will detect the 408 errors which happen when a TCP connection times out.
The following is the Jail definition…
Alexis Wilke
2
votes
1 answer
Blocking brute forcer with multiple IPs in range
A few weeks ago, I allowed my Linux Server to be connected from the internet for development purposes. My networking knowledge is quite basic. Following some guidelines on securing Linux servers, I have installed Fail2Ban and I also disabled root…
user118989
1
vote
3 answers
Mailcleaner - Fail2ban - mc-exim-filter configuration
I'm using Fail2ban on a Mailcleaner server, which works pretty well, but I want to update it to ban hosts that want to spoof our addresses. I'm using the "original" mc-exim-filter, but I don't really understand how regular expressions work.
Here is an…
Krisztian
1
vote
1 answer
Bots are using my own static IP to brute force DNS/Email server
My email server has been under constant brute force attack for a while now, without success.
Recently, however, these bots or automated scripts have found a way to "use my own static IP" in an attempt to break into the email server.
I am running…
Glen
1
vote
1 answer
Do I need fail2ban if I have a strong password?
Is there any advantage to me installing fail2ban on my VPS web server? As far as I understand, fail2ban's only purpose is to stop brute-force and dictionary attacks by preventing consecutive password logins from the same IP address.
If I have a 12…
Alex
1
vote
1 answer
Safely accessing a raspberry from an external network
I am implementing a home alarm system with a raspberry and I need to access it from an external network. The initial idea was to use cascaded VPN and ssh (at my university, to connect to the cluster I had to first connect to the university network and…
dang92
1
vote
1 answer
Block hex encoded requests using fail2ban
I have a new web server running nginx. The default server is receiving 10K+ requests every day from Russian bots. They are clearly probing for something, but it's hard to say what, since the requests are partially hex encoded. I have tried decoding…
mattf10
1
vote
2 answers
Is something like fail2ban necessary for a rate-limited key-only (no password) ssh login?
As far as I understand, brute-forcing ssh is only attempted against passwords, not keys (barring edge cases where presumably the NSA wants to break in).
So if a server has disabled password authentication on its ssh (in addition to root login), is it…
dakini
1
vote
0 answers
UFW behind modem does not block remote IP
I have a small Linux server with fail2ban and UFW installed and configured, behind an internet gateway modem whose ssh port is forwarded to the server.
The attackers are discovered by fail2ban and added to iptables, and an information mail is sent to me, but…
Sencer H.
1
vote
1 answer
Does CSF-LFD include a Fail2Ban analogue, or should Fail2Ban be included at all?
I am not in the field of IS, and after reading this CSF-LFD installation document, I've installed CSF-LFD via:
cd /usr/src
sudo rm -fv csf.tgz
sudo wget https://download.configserver.com/csf.tgz
sudo tar -xzf csf.tgz
cd csf
sudo sh install.sh
sudo…
user123574
1
vote
1 answer
Is it a security risk, lack of knowledge for reactive action, when abuse mail is rejected?
When inspecting the DNS configuration for example with dnsinspect.com, the following shows up sometimes (note I used example.com):
Accepts Abuse Address
WARNING: Found mail servers which are not accepting emails to abuse@example.com address:…
Bob Ortiz
0
votes
1 answer
Block many wrong requests via PHP
I have an API that requires a security token to run.
Is it possible to use Fail2Ban or ModEvasive to block access from IPs that often try to access the API with an incorrect token?
I use PHP to receive these requests; is it possible with it to…
Tom