Agreed, I also found that someone was hitting my VNC server and then not typing a password; this of course creates an established connection to the originating IP until VNC's login timeout expires. The way my iptables rules were structured at the time, a packet from that IP would be allowed because there was an established connection, even though there was no login. Then, before the timeout expired, they would start hitting the SSH server and iptables would not interfere with the SSH connection. Since I discovered this "normal behavior" I have rearranged my rules so the first thing a packet is checked against is the blacklist that I maintain, then all packets are checked against the fail2ban rules, then I do normal packet checking after that. This is a crafty way to get around some of the rules I had in place! My point is, just because it is normal behavior does not mean it's good behavior.

On Wed, 2015-09-30 at 12:42 +0100, Nick Howitt wrote:
> I think it can be pretty bad behaviour if you get too many attempts too
> quickly. I've seen over 1000 in 24h from a single IP. I generally see
> nothing but every now and then someone has a go and it is a bit
> irritating.
>
> I also had one IP doing about 6 attempts an hour for days until I
> spotted it and blocked it. I was blocking 10 occurrences in an hour but
> dropped it to 5 an hour to combat the IP.
>
> On 2015-09-30 12:08, Darac Marjal wrote:
> > On Tue, Sep 29, 2015 at 02:30:47PM -0700, Gao wrote:
> >> Hello, all
> >>
> >> I have the postfix-sasl jail enabled and it works well against attack,
> >> such as "Failed login".
> >>
> >> I just noticed that my email server's maillog is flooded with this:
> >> ...
> >> Sep 29 14:19:21 szeta postfix/smtpd[19940]: connect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> >> Sep 29 14:19:22 szeta postfix/smtpd[19940]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]
> >> Sep 29 14:19:22 szeta postfix/smtpd[19940]: disconnect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> >
> > "Lost connection after AUTH" means that postfix sent "AUTH" to the
> > client, and the client disconnected. In other words, the client probably
> > attempted some action which you've configured that only authorized users
> > can perform (usually, this is something like sending mail to a different
> > server (relaying)). Postfix said "authorize yourself in order to
> > perform this action", and the client just dropped the connection (rather
> > than cleanly quitting and waiting for postfix to close the connection).
> >
> > In other words, no authorization was attempted.
> >
> > I suspect that fail2ban doesn't block this normally because it's not
> > really bad behaviour. It's akin to someone connecting to your SSH port
> > and disconnecting upon finding that it's asking for a password :)
> >
> >> ...
> >>
> >> And the fail2ban does nothing about this! No new entry about this in
> >> fail2ban.log. The attack is still going and I am going to manually kill
> >> it in iptables.
> >>
> >> What should I do about this in fail2ban? Please help.
> >>
> >> Thanks.
> >>
> >> Gao
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
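The "lost connection after AUTH" lines Gao quotes, counted per source IP with a maxretry/findtime sliding window the way fail2ban would (Nick's "5 an hour" setting), as an added example that is not code from this thread or from fail2ban itself. The log lines and addresses are constructed, and the regex assumes postfix's `hostname[ip]` format shown in the quoted log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Postfix smtpd line quoted in the thread: "lost connection after AUTH from host[ip]".
# The surrounding "connect from" / "disconnect from" lines are deliberately not matched.
LOST_AFTER_AUTH = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"lost connection after AUTH from \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]$"
)

def parse_ts(ts, year=2015):
    # syslog timestamps carry no year; the constructed sample is dated 2015
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def offenders(lines, maxretry=5, findtime=3600):
    """Per-IP sliding window like fail2ban's maxretry/findtime: report an IP once it
    reaches maxretry matches within findtime seconds. Returns {ip: triggering time}."""
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        m = LOST_AFTER_AUTH.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in banned:
            continue  # already reported; fail2ban would have banned it by now
        t = parse_ts(m.group("ts"))
        window = hits[ip]
        window.append(t)
        while (t - window[0]).total_seconds() > findtime:
            window.popleft()  # drop matches older than findtime
        if len(window) >= maxretry:
            banned[ip] = t
    return banned

# Constructed sample log (documentation addresses, not real hosts): one client
# drops the connection at AUTH every ten minutes, another does it only twice.
SAMPLE_LOG = [
    "Sep 29 14:00:01 mx postfix/smtpd[19940]: connect from host-a.example[192.0.2.10]",
    "Sep 29 14:00:02 mx postfix/smtpd[19940]: lost connection after AUTH from host-a.example[192.0.2.10]",
    "Sep 29 14:05:00 mx postfix/smtpd[19941]: lost connection after AUTH from host-b.example[198.51.100.7]",
    "Sep 29 14:10:02 mx postfix/smtpd[19942]: lost connection after AUTH from host-a.example[192.0.2.10]",
    "Sep 29 14:20:02 mx postfix/smtpd[19943]: lost connection after AUTH from host-a.example[192.0.2.10]",
    "Sep 29 14:30:02 mx postfix/smtpd[19944]: lost connection after AUTH from host-a.example[192.0.2.10]",
    "Sep 29 14:35:00 mx postfix/smtpd[19945]: lost connection after AUTH from host-b.example[198.51.100.7]",
    "Sep 29 14:40:02 mx postfix/smtpd[19946]: lost connection after AUTH from host-a.example[192.0.2.10]",
    "Sep 29 14:50:02 mx postfix/smtpd[19947]: lost connection after AUTH from host-a.example[192.0.2.10]",
]
```

With the defaults only 192.0.2.10 crosses the threshold, on its fifth hit at 14:40:02; shrinking findtime to 600 seconds reports nobody, which is the trade-off Nick describes when tuning the per-hour limit.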
