Questions tagged [fail2ban]

Fail2ban is a program designed to scan server log files and ban IP numbers suspected of malicious activity.

21 questions
5 votes · 3 answers

Does blocking an IP with IP Tables protect you from a DOS (not DDOS) attack?

I am fairly new to network security, and I just learned about the Fail2Ban framework you can use for automated exploit detection/prevention. It says that you can protect yourself from DOS attacks by setting up a rule that will automatically block…
3 votes · 1 answer

What should the output of fail2ban postfix-sasl look like?

I want to be sure that fail2ban is properly banning failed postfix SASL login attempts. When I do iptables -L I can see the list of banned hosts for SSHD, but I can't figure out a way to see banned hosts for SASL. postfix SASL is enabled, which I can…
2 votes · 2 answers

Using fail2ban for detecting suspicious activity within a webserver

I know that fail2ban is mostly used for blocking IPs trying to brute force an SSH endpoint and other stuff like that. However, I am wondering if you could also use fail2ban to detect (not necessarily prevent) suspicious activity within a…
asked by cis (255 · 2 · 7)
2 votes · 1 answer

Blocking slowloris using fail2ban, what are the correct parameters?

I have a fail2ban rule for Apache2 logs which looks like this: [Definition] failregex = ^[^ ]+ .* \[\] "[^\"]*" 408 \d+ This will detect the 408 errors which happen when a TCP connection times out. The following is the Jail definition…
asked by Alexis Wilke (862 · 5 · 19)
2 votes · 1 answer

Blocking brute forcer with multiple IPs in range

A few weeks ago, I allowed my Linux Server to be connected from the internet for development purposes. My networking knowledge is quite basic. Following some guidelines on securing Linux servers, I have installed Fail2Ban and I also disabled root…
asked by user118989
1 vote · 3 answers

Mailcleaner - Fail2ban - mc-exim-filter configuration

I'm using Fail2ban on a Mailcleaner server which works pretty well, but I want to update it to ban hosts who want to spoof our addresses. I'm using the "original" mc-exim-filter, but I don't really understand how regular expressions work. Here is an…
asked by Krisztian (13 · 2)
1 vote · 1 answer

Bots are using my own static IP to brute force DNS/Email server

My email server has been under constant brute force attack for a while now, without success. Recently, however, these bots or automated scripts have found a way to "use my own static IP" in an attempt to break into the email server. I am running…
asked by Glen (11 · 1)
1 vote · 1 answer

Do I need fail2ban if I have a strong password?

Is there any advantage to me installing fail2ban on my VPS web server? As far as I understood, fail2ban's only purpose is to stop bruteforce and dictionary attacks by preventing consecutive password logins from the same IP addresses. If I have a 12…
asked by Alex (67 · 3)
1 vote · 1 answer

Safely accessing a Raspberry Pi from an external network

I am implementing a home alarm system with a Raspberry Pi and I need to access it from the external network. The initial idea was to use cascaded VPN and ssh (in my university, to connect to the cluster I had to first connect to the University network and…
asked by dang92 (11 · 1)
1 vote · 1 answer

Block hex encoded requests using fail2ban

I have a new web server running nginx. The default server is receiving 10K+ requests every day from Russian bots. They are clearly probing for something, but it's hard to say what, since the requests are partially hex encoded. I have tried decoding…
asked by mattf10 (11 · 1)
1 vote · 2 answers

Is something like fail2ban necessary for a rate-limited key-only (no password) ssh login?

As far as I understand, bruteforcing ssh is only attempted for passwords, not keys (barring edge cases where presumably the NSA wants to break in). So if a server has disabled (in addition to root login) password authentication on its ssh, is it…
asked by dakini (413 · 1 · 3 · 13)
1 vote · 0 answers

UFW behind modem does not block remote IP

I have a small linux server with fail2ban and UFW installed and configured behind an internet gateway modem whose ssh port is forwarded to the server. The attackers are discovered by fail2ban and added to iptables, and an information mail is sent to me, but…
asked by Sencer H. (111 · 4)
1 vote · 1 answer

Does CSF-LFD include a Fail2Ban analogue, or should it include Fail2Ban at all?

I am not from the field of IS, and after reading this CSF-LFD installation document, I've installed CSF-LFD via: cd /usr/src sudo rm -fv csf.tgz sudo wget https://download.configserver.com/csf.tgz sudo tar -xzf csf.tgz cd csf sudo sh install.sh sudo…
asked by user123574
1 vote · 1 answer

Is it a security risk, or a lack of knowledge for reactive action, when abuse mail is rejected?

When inspecting the DNS configuration, for example with dnsinspect.com, the following shows up sometimes (note I used example.com): Accepts Abuse Address WARNING: Found mail servers which are not accepting emails to abuse@example.com address:…
asked by Bob Ortiz (6,234 · 8 · 43 · 90)
0 votes · 1 answer

Block many wrong requests via PHP

I have an API that requires a security token to run. Is it possible to use Fail2Ban or ModEvasive to block access from IPs that often try to access the API with an incorrect token? I use PHP to receive these requests; is it possible with it to…
asked by Tom (163 · 4)