Hi everyone,
I'm running the latest fail2ban with the latest patches on freebsd 10.1.
I'm being ddos attacked all the time. I run bsd-ipfw as my action with default
config.
I can see my fail2ban seems to find lots of this -
2015-03-20 10:43:34,099 fail2ban.filter [44050]: INFO [sendmail] Found 114.46.144.49
But when I look at my ipfw sometimes there is no entry -
# ipfw table 1 list | grep 114.46.144.49
#
I also see this in debug -
2015-03-20 10:43:34,099 fail2ban.failmanager [44050]: DEBUG Total # of
detected failures: 302. Current failures from 38 IPs (IP:count):
192.174.85.40:1, 59.97.25.226:1, 209.85.220.67:1, 209.126.115.38:1,
115.248.68.249:1, 104.218.55.241:1, 88.208.238.136:1, 103.225.128.105:1,
114.46.144.49:1, 213.239.106.32:1, 95.37.246.152:1, 122.175.146.39:1,
81.92.124.145:1, 134.255.160.225:1, 85.107.62.119:1, 183.80.147.115:1,
177.185.40.10:1, 78.40.144.141:1, 89.136.60.195:1, 119.93.55.89:1,
88.208.237.106:1, 5.105.149.98:1, 189.114.255.64:1, 42.112.114.8:1,
103.14.211.1:1, 103.14.211.5:1, 109.120.182.212:1, 116.98.137.66:1,
113.163.0.161:1, 2.229.23.146:1, 103.14.211.28:1, 186.145.121.70:1,
82.144.197.77:1, 108.59.1.228:1, 23.238.53.136:1, 78.189.237.129:1,
72.55.179.186:1, 85.26.161.182:1
I query this also and get nothing in my ipfw table -
# ipfw table 1 list | grep 104.218.55.241
#
I sometimes get this when fail2ban is too busy, so I ran newsyslog to trim my
/var/log/maillog file and restarted fail2ban, but I get the same results.
I've tried changing all sorts of config, or using the ipfw action instead and
modifying that slightly to use a table, but I'm not having much fun with this
now, so I wanted to see how others are getting on with freebsd 10.1?
I tightened sendmail as much as I can but I am getting around 20 connections
per minute all from different hosts. This ddos has been happening for a couple
of days now and I just wanted to know if I am doing something wrong?
cat jail.local | grep -v "#"
[INCLUDES]
before = paths-freebsd.conf
[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =
bantime = 604800
findtime = 6000
maxretry = 2
backend = auto
usedns = warn
logencoding = auto
enabled = false
filter = %(__name__)s
destemail = [email protected]
sender = root@localhost
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
banaction = bsd-ipfw
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
action = %(action_)s
[sendmail]
enabled = true
logpath = /var/log/maillog
[sendmail-reject]
enabled = true
logpath = /var/log/maillog
cat filter.d/sendmail.conf | grep -v "#"
[INCLUDES]
before = common.conf
[Definition]
_daemon = (?:(sm-(mta|acceptingconnections)|sendmail))
failregex = \[<HOST>\], reject.*\.\.\. Relaying denied
            \[<HOST>\] \(may be forged\), reject.* Domain of sender
            \[<HOST>\], reject\=451 4.1.8 Domain of sender address
            IP name lookup failed \[<HOST>\]
            \[<HOST>\]\, discard
            \[<HOST>\] \(may be forged\), discard
            send this email <HOST> is blacklisted
            (User unknown)\n* \[<HOST>\]
            badlogin: .* \[<HOST>\] plaintext .* SASL
            Infected message.* came from <HOST>
            \[<HOST>\] \(may be forged\)\, reject\=452 4.3.2 Connection rate limit exceeded.
            \[<HOST>\], reject.* Rejected
            \[<HOST>\], reject.* Relaying temporarily denied
            \[<HOST>\]\,\ reject\=452 4.3.2 Connection rate limit exceeded.
            \[<HOST>\]\, discard
            \[<HOST>\] \(may be forged\), discard
            \[<HOST>\], reject.* Rejected
            \[<HOST>\]\: possible SMTP attack\:
            from\=\<fax\@.*relay\=.*\[<HOST>\]
            from\=\<.*MyFax.com.*\[<HOST>\]
            Rejected\, look at http.*ip\=<HOST>
            SPF fail\: <HOST>
ignoreregex =
[Init]
maxlines = 10
cat action.d/bsd-ipfw.conf | grep -v "#"
[Definition]
actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e
              else exit b }'; num=$?; ipfw -q add $num <blocktype> <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" )
actionstop = ipfw table <table> flush
actioncheck =
actionban = ipfw table <table> add <ip>
actionunban = ipfw table <table> delete <ip>
[Init]
table = 1
port = smtp
startstatefile = /var/run/fail2ban/ipfw-started-table_<table>
block = ip
blocktype = unreach port
Thanks,
Rich
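A point worth checking against the debug output above: fail2ban logs "Found" for every matching log line, but only issues a "Ban" (and runs actionban) once an IP reaches maxretry within findtime, and the debug line shows every IP at a count of 1 against maxretry = 2. The script below is an added example, not part of the post or of fail2ban itself; it parses fail2ban log lines in the format shown above plus constructed `ipfw table 1 list` output and reports which IPs are still below maxretry, which reached it without a Ban, and which banned IPs are absent from the table.

```python
import re
from collections import Counter

# Constructed sample fail2ban log lines (same layout as in the post).
SAMPLE_F2B_LOG = """\
2015-03-20 10:43:34,099 fail2ban.filter [44050]: INFO [sendmail] Found 114.46.144.49
2015-03-20 10:44:01,120 fail2ban.filter [44050]: INFO [sendmail] Found 104.218.55.241
2015-03-20 10:45:10,004 fail2ban.filter [44050]: INFO [sendmail] Found 104.218.55.241
2015-03-20 10:45:10,010 fail2ban.actions [44050]: NOTICE [sendmail] Ban 104.218.55.241
2015-03-20 10:46:00,000 fail2ban.filter [44050]: INFO [sendmail] Found 5.105.149.98
2015-03-20 10:46:30,000 fail2ban.filter [44050]: INFO [sendmail] Found 5.105.149.98
2015-03-20 10:46:30,005 fail2ban.actions [44050]: NOTICE [sendmail] Ban 5.105.149.98
"""

# Constructed sample of `ipfw table 1 list` output: one "addr/mask value" per line.
SAMPLE_IPFW_TABLE = """\
104.218.55.241/32 0
"""

FOUND_RE = re.compile(r"fail2ban\.filter\s+\[\d+\]: INFO\s+\[(?P<jail>[^\]]+)\] Found (?P<ip>\S+)")
BAN_RE = re.compile(r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)")
TABLE_RE = re.compile(r"^(?P<ip>[0-9.]+)(?:/\d+)?\s")


def parse_fail2ban_log(text, jail):
    """Return (Counter of Found hits per IP, set of IPs logged as banned) for one jail."""
    found, banned = Counter(), set()
    for line in text.splitlines():
        m = FOUND_RE.search(line)
        if m and m.group("jail") == jail:
            found[m.group("ip")] += 1
            continue
        m = BAN_RE.search(line)
        if m and m.group("jail") == jail:
            banned.add(m.group("ip"))
    return found, banned


def parse_ipfw_table(text):
    """Extract the bare addresses from `ipfw table N list` output."""
    return {m.group("ip") for m in (TABLE_RE.match(l) for l in text.splitlines()) if m}


def audit(f2b_log, table_out, jail, maxretry):
    """Classify IPs so a 'Found' line is not mistaken for a ban that should be in ipfw."""
    found, banned = parse_fail2ban_log(f2b_log, jail)
    in_table = parse_ipfw_table(table_out)
    return {
        "below_maxretry": sorted(ip for ip, n in found.items() if n < maxretry),
        "reached_maxretry_not_banned": sorted(ip for ip, n in found.items() if n >= maxretry and ip not in banned),
        "banned_missing_from_table": sorted(banned - in_table),
    }
```

Only the last bucket points at an actionban problem; IPs in the first bucket are behaving exactly as maxretry = 2 dictates.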
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users