Peter:

I personally use fail2ban in the default way and *purposefully* reset the bans *weekly* (and sometimes, manually more often than that). The issue is that sometimes (albeit rarely) the person failing the login is a legitimate user. Also, you may be being attacked by some guy at the corner Starbucks -- and the next person to use that address might be a legit customer/user of yours.

To my mind, the idea is to block the "attacker" and have them "move on"... if they can attempt 20 logins a minute indefinitely, they'll attack until they succeed. However, if they can attempt 20 logins a DAY, they'll move on -- because the time to reach success becomes CENTURIES instead of DAYS or WEEKS.

Just my 2-cents worth...

Dan McAllister
IT4SOHO
QMT DNS/Mirror Admin

On 8/22/2013 7:58 AM, Peter Peltonen wrote:

Hi,

I've started to notice lots of failed imap attempts for nonexisting accounts, so I guess it would be a good idea to set up fail2ban.

There is a nice guide available in the wiki (thanks!) : http://wiki.qmailtoaster.com/index.php/Fail2Ban

A few questions before I try to put this in production:

In general, these instructions are still valid for the toaster, yes?

There is a note in the Wiki saying "when fail2ban reload and/or iptables restart and/or rebooting and/or the weekly logrotate, those rules are gone". To prevent this, two pieces of advice are given:

"

  * Before changes, write existing iptables rules to file

      # service iptables save

  * And after any change load the saved set of rules

      # service iptables restart

  * Tune fail2ban to write IPs to /etc/fail2ban/ip.deny

"

My questions regarding this are:

1) How is fail2ban configured to write IPs to /etc/fail2ban/ip.deny ?

2) And would a valid approach be to configure the fail2ban init script and logrotate to read the banned IPs from that ip.deny and then feed them to iptables?

Or how are people using fail2ban handling this situation?

Best regards,
Peter


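Added example, not part of either message above: a sketch of the approach in Peter's second question, turning a saved ban list into iptables commands while refusing any line that is not a plain IPv4 address, since the file ends up driving a root command. The file format (one address per line) and the chain name `fail2ban-imap` are assumptions; the sample addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: one IPv4 address per line in
# the deny file; the chain name below is hypothetical.
CHAIN="${CHAIN:-fail2ban-imap}"

# Succeed only for a dotted quad whose octets are 0..255 without leading zeros.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one iptables command per valid, unique address in the file.
# Blank lines and '#' comments are ignored; anything else that is not an
# IPv4 address is reported on stderr and skipped.
deny_to_rules() {
    file=$1; chain=$2; seen=" "
    while IFS= read -r line || [ -n "$line" ]; do
        ip=$(printf '%s' "$line" | tr -d '\r')
        case "$ip" in ''|'#'*) continue ;; esac
        if ! is_ipv4 "$ip"; then
            printf 'skipped invalid entry: %s\n' "$ip" >&2
            continue
        fi
        case "$seen" in *" $ip "*) continue ;; esac   # drop duplicates
        seen="$seen$ip "
        printf 'iptables -I %s 1 -s %s -j DROP\n' "$chain" "$ip"
    done < "$file"
    return 0
}

# Constructed sample input (documentation-range addresses, not real bans).
demo=$(mktemp)
printf '%s\n' '192.0.2.10' '# note' '192.0.2.10' '203.0.113.7' \
    '10.0.0.999' '192.0.2.5; reboot' > "$demo"
deny_to_rules "$demo" "$CHAIN"   # dry run: prints commands, changes nothing
rm -f "$demo"
```

The chain must already exist when the printed commands are run. Rules added this way are not tracked by fail2ban, so they stay until the chain is flushed or the rules are reset.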