On 01/06/2024 00:59, Alex wrote:
Hi,
> Ideally, I'd like to not have to modify that regexp and be able to
> add my own, much like what appears to be happening with mdre-errors.
You don't have to. Append your own rules in a new line and test your
changed rule file with
Not yet understood which editor I can use for sim, or
is fail2ban a separate unic regex interpreter?
Thanks for the update
*From:* Nick Howitt via Fail2ban-users
*Sent:* Monday, 20 May 2024 13:53
*To:* fail2ban-users@lists.sourceforge.net
*Subject:* Re: [Fail2ban-users
Surely you need a variable in that for f2b to work. Something like:
NON-SMTP COMMAND from.\[\]:\d+ after CONNECT:.GET./.HTTP/1.1
Normally you'd also expect some sort of timestamp in the logs.
On 20/05/2024 12:37, Maurizio Caloro via Fail2ban-users wrote:
Thanks for your answer
Please,
Why not just enable the nginx-http-auth config in jail.conf (using a
jail.local, preferably)?
On 05/03/2024 09:57, Jason Long via Fail2ban-users wrote:
Hello,
GitLab uses Nginx and PostgreSQL internally. I want to protect Nginx with
Fail2Ban. The GitLab log directory contains the following
On 25/06/2023 20:35, Tim Boneko via Fail2ban-users wrote:
On Thursday, 22.06.2023 at 16:27 +0100, Nick Howitt via
Fail2ban-users wrote:
Don't allow authentication on 25!
I second that. Port 25 is without encryption, so I don't offer auth
there - only on 587.
Apart from that, stolen
If you have a large amount of blocks, and this sounds like it, use
ipset-based jails as they are way more efficient. If you want to ban
subnets each time you get a block it is possible to create an action to
ban a /24 subnet each time with a very slight modification to the
default action
On 2023-06-22 12:58, André Rodier via Fail2ban-users wrote:
Hello, all.
I just set-up a new server, running postfix, with submission(s)
activated on standard ports (587, 465)
Shortly after it has been setup, I see brute force attacks (not
surprising) from a whole /24 network (more
On 2023-05-03 10:02, Ben Coleman wrote:
I just ran into a situation where I found my incoming groups.io emails
getting blocked - the server would refuse connections from the
groups.io email server. It turned out to be a combination of
different blocking mechanisms, the Postfix RBL blocker,
Use an "ignoreregex = 127\.0\.0\.1" line. Or just set an ignoreip of
127.0.0.1.
On 22/03/2023 19:22, James Moe via Fail2ban-users wrote:
We scan our mail logs for the use of "auth LOGIN". No legit user uses LOGIN; it
is always a dictionary attack.
We also have a SPAM proxy (ASSP) that
file or a
jail.d/customisation.local.
# For example to change the default bantime for all jails and to
enable the
# ssh-iptables jail the following (uncommented) would appear in the
.local file.
# See man 5 jail.conf for details.
/Finn
On 09-02-2023 at 19:59, Nick Howitt via Fail2ban wrote
his right?
On Thu., 9 Feb. 2023 at 15:59, Nick Howitt via Fail2ban-users
wrote:
There is some misinformation here. Jails can be enabled via
configlets in jail.d/ as well as overrides in jail.local.
Anyway, what is your full jail config in jail.local? All you need is:
> I only got this working by setting jails as enabled in the
jail.local
> file. The individual files in jail.d directory don't work.
>
> On Thu., 9 Feb. 2023 at 14:44, Nick Howitt via Fail2ban-users
> <mailto:fail2ban-users@lists.sourceforge.n
Surely jail.conf should be left in place as it supplies some
defaults, especially if you are using a distro packaged version? I don't
think any jails are enabled by default but it may depend on the distro.
Then use jail.local or files in jail.d/ to enable particular filters.
Nick
On
Nick
On 26/01/2023 07:52, Robby Pedrica wrote:
Yip that's gone and done it! Thank you Nick.
The question is why? All the other regex's should be good too ...
Anyway, no looking gift horses in the mouth. Who are we to question? : )
Thanks once again,
Regards, Robby
On Wed, 25 Ja
On 25/01/2023 11:05, Robby Pedrica wrote:
Hi all,
I'd appreciate some help with a regex on dovecot that I can't seem to
get right. Config is ...
platform: slackware 15 64bit
fail2ban: v0.9.4
dovecot.conf:
[INCLUDES]
before = common.conf
[Definition]
_daemon =
Top posting as the thread is a mess.
Is this really correct? You can telnet into lots of open ports e.g. 80
and 25. Even SSL ports like 443 and 587, not that you can do much once
you're in.
On 05/12/2022 18:32, solarflow99 wrote:
that's right, who needs that anyway. I'm so glad to get your
On 04/11/2022 12:40, Richard Shaw wrote:
In the Fedora package everything in /etc is marked %config(noreplace),
meaning it's marked as a configuration file and should not be replaced
on upgrade in order to preserve changes made by end users.
I know best practice is to use .local files to
On 14/03/2022 07:36, Shamim Shahriar wrote:
Hello
I am using fail2ban on production servers running Alma Linux 8. Our
network security scanner is constantly flagging that system complaining
about outdated/vulnerable python on them. However, if I try to remove
that python (with a view to
On 10/12/2021 16:18, Patrick Shanahan wrote:
* fail2ban [12-10-21 03:56]:
On 10/12/2021 03:23, Patrick Shanahan wrote:
* Mike [12-09-21 19:56]:
Thank you, I updated to 0.11.2-3 and will see if subnet bans stick.
That may be a function of the type of IPSET list created. I know
On 10/12/2021 03:23, Patrick Shanahan wrote:
* Mike [12-09-21 19:56]:
Thank you, I updated to 0.11.2-3 and will see if subnet bans stick.
That may be a function of the type of IPSET list created. I know that with
ipset you can blacklist subnets but if it isn't a certain list:hash
On 08/12/2021 23:58, H wrote:
On December 8, 2021 4:53:02 PM EST, Richard Shaw wrote:
On Wed, Dec 8, 2021 at 3:42 PM H wrote:
I am running CentOS 7 and the version of fail2ban available is
0.11.1, not
sure what the latest version is. It seems that this version does not
understand
On 03/12/2021 15:43, Steve Charmer wrote:
oh, ok, I think I understand a little more now.
I was using f2b-regex cmd in console to test it,
but without the host_info alias (as provided by the "before INCLUDE"),
it won't return any matches?
Is it because f2b-regex needs to return a host
On 02/12/2021 22:25, Steve Charmer wrote:
Thanks for your reply Nick.
However, I thought the host_info was a shortcut created by F2B,
in the file
/etc/fail2ban/filter.d/exim-common.conf
so my understanding was that F2B would already get the host info using
the regex in that file
and same
You need to specify somewhere in your regex, but make sure it
does not pick up your internal IP. Perhaps something like:
.*\[\]:\d+ \[.*EXIMSPAMASSASSINEXCESSIVEFAIL2BAN
On 02/12/2021 13:56, Steve Charmer wrote:
Hello,
I am running Fail2Ban Version 0.9.3 on Ubuntu 16.04.5 LTS (LOL)
In EXIM,
As I exclusively use ipset bans, until recently I've been able to get a
list of all bans for all jails by using an ipset command, 'ipset list -o
save | grep "add f2b"'. My report is now broken in 0.11.2 as all
timeouts get loaded as 0 (perma-bans but they do get unbanned by an
action-unban).
On 21/10/2021 21:53, Krzysztof Adamski wrote:
On Thu, 2021-10-21 at 11:38 -0400, Krzysztof Adamski wrote:
On Mon, 2021-10-18 at 10:20 -0700, James Moe via Fail2ban-users
wrote:
On 2021-10-18 07:39, Krzysztof Adamski wrote:
Oct 17 16:33:34 mailserver dovecot: auth-worker(41189): conn
On 08/10/2021 16:41, Robert Kudyba wrote:
I've noticed that I have a number of slow distributed attacks
happening on my server which evade fail2ban by using a pool of IP
addresses.
I've been looking at the sqlite db and it looks like the data field
in the bips table can
On 28/09/2021 20:18, Frederic Jean wrote:
On 28-09-21 03:21:45, "Nick Howitt" <n...@howitts.co.uk> wrote:
On 28/09/2021 03:32, Frederic Jean wrote:
Hello community,
I have changed the iptables->actionban so that it runs a script
instead of the iptables comma
On 28/09/2021 03:32, Frederic Jean wrote:
Hello community,
I have changed the iptables->actionban so that it runs a script instead
of the iptables command directly.
The other actions remained unchanged; I needed to do this as there are
further checks and actions I need to
do before
On 02/09/2021 07:19, Tim Boneko via Fail2ban-users wrote:
Hello!
A few days ago my home router got banned by my web server for
repeated offenses that are not to be found in the (server) logs.
A few examples:
2021-08-30 14:21:02,441 fail2ban.filter [27785]: INFO
[apache-badbots]
On 17/08/2021 05:53, Allan Wind wrote:
On 2021-08-16T16:58:46, Allan Wind wrote:
2021-08-16T04:10:35.924+00:00 pawan sshd[424228]: error:
kex_exchange_identification: Connection closed by remote host
2021-08-16T04:10:35.924+00:00 pawan sshd[424228]: Connection closed by
205.185.113.128 port
On 12/08/2021 22:58, Alain D D Williams wrote:
On Thu, Aug 12, 2021 at 09:25:57PM +0100, Nick Howitt wrote:
On 12/08/2021 20:37, Alain D D Williams wrote:
Hi,
I have just installed fail2ban on a Debian 10 box. This has my own hand-written
iptables firewall and I have changed it to call
On 12/08/2021 20:37, Alain D D Williams wrote:
Hi,
I have just installed fail2ban on a Debian 10 box. This has my own hand-written
iptables firewall and I have changed it to call f2b-sshd at an appropriate
point.
However I notice that at the top of the INPUT chain this now exists:
On 17/07/2021 20:17, Alex wrote:
I see several SASL entries in there already, but none appear to match:
mdpr-auth = warning:
mdre-auth = ^[^[]*\[\]%(_port)s: SASL
((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?!
Connection lost to authentication server| Invalid
On 17/07/2021 05:50, Jobst Schmalenbach wrote:
Hi
Overall my fail2ban and sendmail-auth works as expected.
However, I have a problem with *SOME* of my users, they authenticate,
can send the email and then are put in jail.
The rule that is triggered is the "(may be forged)" as some of the
On 16/07/2021 06:23, Dominic Raferd wrote:
On 16/07/2021 03:06, Alex wrote:
Hi,
I'm trying to use fail2ban with iptables because it's what I'm most
comfortable using and this is on a real server with an extensive list
of rules, not a home desktop.
I have the following in my
On 16/07/2021 01:00, James Moe via Fail2ban-users wrote:
On 7/13/21 11:59 AM, Nick Howitt wrote:
Suricata is a Snort alternative. If it is anything like Snort, it can be
configured to be inside or outside the firewall. In ClearOS, it is
outside the firewall but I assume for other distros
On 13/07/2021 19:25, James Moe via Fail2ban-users wrote:
On 7/13/21 12:34 AM, Tom Hendrikx wrote:
Please post full configuration if you're not sure what to look for. I
have no idea what 'suricata' is though
Suricata is an Intrusion Detection/Prevention Software.
Suricata is a Snort
It can also happen if you are detecting responses, e.g. with SMTP, if
you are detecting messages like "Lost connection from " messages
these can appear up to about 3 minutes after the initial contact was made
so, for example if someone makes 10 connection attempts which get lost,
your ban
I am running F2b v0.11.1 from EPEL on ClearOS 7 (binary compatible with
Centos7). Every time I start f2b I see the following in my logs:
2021-07-09 07:18:48,499 fail2ban.filtersystemd [5101]: INFO [postfix]
Added journal match for: '_SYSTEMD_UNIT=postfix.service'
2021-07-09 07:18:48,505
I had a thread in April
(https://www.mail-archive.com/fail2ban-users@lists.sourceforge.net/msg02953.html)
about using my own variable and then incorporating it into the ignoreip
line as I could then maintain it programmatically for my distro, but it
seems not to be working.
In my jail.local
On 28/06/2021 15:44, Robert Kudyba wrote:
On 28/06/2021 02:27, Robert Kudyba wrote:
> from /etc/fail2ban/filter.d/apache-nohome.conf (note the awkward
English
> in the description)
>
> # Fail2Ban filter to web requests for home directories on Apache
servers
>
On 28/06/2021 02:27, Robert Kudyba wrote:
from /etc/fail2ban/filter.d/apache-nohome.conf (note the awkward English
in the description)
# Fail2Ban filter to web requests for home directories on Apache servers
# Regex to match failures to find a home directory on a server, which
# became
On 18/06/2021 07:18, Thomas Trueten via Fail2ban-users wrote:
Hello James,
last posting was at 17.05.21, 08:20.
On 17.06.21 at 23:17, James Moe via Fail2ban-users wrote:
Hello,
There has been no activity for weeks.
- Is the list still active?
- Has the list moved elsewhere?
AFAIK
On 16/05/2021 11:30, Dominic Raferd wrote:
On 16/05/2021 10:55, Nicolas Kovacs wrote:
Hi,
One of my mail servers is running Oracle Linux 7 (a RHEL clone like
CentOS).
These last days it's been under heavy attack, and Postfix was brought
to its
knees a few times.
Up until now I only used
On 09/05/2021 09:52, Kenneth Porter wrote:
On 5/9/2021 1:17 AM, Nick Howitt wrote:
I seem to remember perhaps "chain" was not specified and there may
have been something else.
chain defaults to INPUT in /etc/fail2ban/action.d/iptables-common.conf.
Before I switched to
On 08/05/2021 23:08, Dan Egli wrote:
On 5/8/2021 2:52 PM, Nick Howitt wrote:
Snipping as the first attempt to reply got spammed by sourceforge.
Hint. Try grepping your log for ERROR.
Okay. I did that. The result was I got a lot of errors, all the same
thing, but they don't make sense
On 08/05/2021 22:52, asdffdsa6132 via Fail2ban-users wrote:
hello and thanks, I could not find my answer at the website.
I want to test fail2ban to protect my openvpn server on opnsense.
and I am concerned that I will make some major mistake and lock myself out.
so how can I configure
Snipping as the first attempt to reply got spammed by sourceforge.
Hint. Try grepping your log for ERROR.
On 08/05/2021 20:22, Dan Egli wrote:
On 5/8/2021 12:36 PM, Nick Howitt wrote:
On 08/05/2021 19:03, Dan Egli wrote:
Okay, something is up here. I'm still getting hammered by these
idiots who are querying pizzaseo.com from my name server. So I looked
at the list of banned IPs using iptables
On 08/05/2021 19:03, Dan Egli wrote:
Okay, something is up here. I'm still getting hammered by these idiots
who are querying pizzaseo.com from my name server. So I looked at the
list of banned IPs using iptables-save. Not that many. But when I was
working on this I had a kludge script that
On 08/05/2021 10:33, Dan Egli wrote:
On 5/8/2021 2:55 AM, Nick Howitt wrote:
On 08/05/2021 09:39, Dan Egli wrote:
On 5/8/2021 2:13 AM, Nick Howitt wrote:
Looking at the output, I think you've quoted the regex in your
/root/test.conf as the "failregex =" line is different in your
On 08/05/2021 09:55, Nick Howitt wrote:
On 08/05/2021 09:39, Dan Egli wrote:
On 5/8/2021 2:13 AM, Nick Howitt wrote:
Looking at the output, I think you've quoted the regex in your
/root/test.conf as the "failregex =" line is different in your two
tests. Remove the quoting.
On 08/05/2021 09:39, Dan Egli wrote:
On 5/8/2021 2:13 AM, Nick Howitt wrote:
Looking at the output, I think you've quoted the regex in your
/root/test.conf as the "failregex =" line is different in your two
tests. Remove the quoting.
If only it were that simple. The file is
On 08/05/2021 02:44, Dan Egli wrote:
Okay, I'm ready to scream here. No matter what pattern I try, if it's in
a file for fail2ban, the regex is missed. BUT if I take the EXACT SAME
REGEX and use it on the command line, it matches every time!! What's the
deal? Here's an example.
Log is 500
On 07/05/2021 10:59, Dan Egli wrote:
On 5/7/2021 2:46 AM, Nick Howitt wrote:
Also, try starting small with something like:
".*.*denied"
I tried that just now, fails in the file, fails on the command line.
# fail2ban-regex "07-May-2021 03:22:16.413 securit
On 07/05/2021 09:17, Dan Egli wrote:
On 5/7/2021 1:33 AM, Nick Howitt wrote:
On 07/05/2021 07:57, Iosif Fettich wrote:
Hi there,
the number after the # can change, obviously. I tried this, but
fail2ban-regex said it missed:
"security: info: client @0x.* #.* (.*): query (
On 07/05/2021 07:57, Iosif Fettich wrote:
Hi there,
the number after the # can change, obviously. I tried this, but
fail2ban-regex said it missed:
"security: info: client @0x.* #.* (.*): query (cache) .* denied"
So, how would I correct this regex so that it sees this 177.237.40.218
On 04/05/2021 13:39, miner1...@gmail.com wrote:
Many thanks for the reply – unfortunately it did not work, looks like I
will have to look for another log file with a date in it:
Results
===
Failregex: 0 total
|- #) [# of hits] regular expression
| 1) [0] ^.* 401 POST .*. \(\)
On 04/05/2021 12:27, miner1...@gmail.com wrote:
Good day,
Hope you guys are doing well!
I’ve been trying for a while now to get the correct failregex for the
log entry below to ban the IP (192.168.1.141) without any success. The
log is produced by Jupyter notebooks via the “jupyter
On 04/05/2021 00:07, Kenneth Porter wrote:
--On Monday, May 03, 2021 5:15 PM -0400 Clive Jacques
wrote:
Fail2ban should be more
explicit in that it doesn't kill existing connections, only new ones.
And
you kind of think it would ban existing connections.
That's not really
On 03/05/2021 07:49, Nick Howitt wrote:
On 03/05/2021 01:57, Kenneth Porter wrote:
--On Sunday, May 02, 2021 6:57 PM -0400 Clive Jacques
wrote:
fail2ban notices the failures and
bans the offending IP in sendmail-reject and shortly thereafter in
recidive, but the established connection
I think you have to use "conntrack" to dump existing connections from
the firewall.
On 03/05/2021 01:57, Kenneth Porter wrote:
--On Sunday, May 02, 2021 6:57 PM -0400 Clive Jacques
wrote:
fail2ban notices the failures and
bans the offending IP in sendmail-reject and shortly thereafter in
On 30/04/2021 10:18, Dominic Raferd wrote:
On 30/04/2021 08:38, Nick Howitt wrote:
Hi,
Can I define and use my own variable in the jail.local file? My use
case is to programmatically whitelist the local LAN in a package for
all users of ClearOS (like Centos7). It would be something I'd
Hi,
Can I define and use my own variable in the jail.local file? My use case
is to programmatically whitelist the local LAN in a package for all
users of ClearOS (like Centos7). It would be something I'd like to be
able to toggle on and off subject to the user preferences and I'd want
On 08/03/2021 00:28, Phillip Carroll wrote:
I have been using fail2ban on CentOS 7 to block hosts (using an IPSET)
based on filters that watch the exim reject log.
I also run the csf/lfd firewall on the same server, which also manages
several block lists using IPSET.
These two packages
On 21/01/2021 23:57, Sam Przyswa wrote:
Hi,
When I modify one of the configuration files in /etc/fail2ban the log
level changes and becomes very verbose, currently I modify the
configuration with fail2ban-client but on restart I lose all the
configuration.
How to do it?
Sam.
The log
newideatest.site)
| 2021-01-16 18:58:06.493 fixed_login_exim4u authenticator
failed for (localhost) [45.142.120.121] I=[209.141.58.25]:587:
535 Incorrect authentication data (set_id=stagiaire)
On 1/17/2021 2:27 AM, Nick Howitt wrote:
Shouldn't it be "\[\] and not just ""?
On 17/01/2021 02:15, Dan Egli wrote:
Hey
people, I don't know what's going on with F2B lately, but it seems
to be completely ignoring anything happening with exim. Even
fail2ban-regex won't pick anything up, and I
On 15/01/2021 06:28, Mike wrote:
There's a companion system to Fail2Ban that I'm using. I thought I
might share my most recent stats on this with the community. This uses
ipset and iptables like f2b does, but serves as a first line of
defence before fail2ban.. After using this for 6+
They are very different tools.
Snort is a packet inspection tool looking straight at the stream of
packets (both incoming and outgoing). It can be configured to sit
inside or outside the firewall (if it is outside it will track
traffic which could still be blocked
On 11/11/2020 03:00, Kenneth Porter wrote:
--On Tuesday, November 10, 2020 9:48 AM -0500 Robert Kudyba
wrote:
Here's another useful resource: https://iptoasn.com/
Any idea how to download the list and update /etc/hosts on a regular
basis?
I don't, but haven't messed with it much. I
On 27/09/2020 16:20, Chris Green wrote:
On Sun, Sep 27, 2020 at 04:44:09PM +0200, Tom Hendrikx wrote:
On 26-09-2020 23:29, Chris Green wrote:
I have just installed fail2ban on a virtual server I run on Gandi
Internet in France.
The virtual server runs Ubuntu 8.04.5 LTS and I installed
On 27/09/2020 09:30, Chris Green wrote:
On Sun, Sep 27, 2020 at 08:47:59AM +0100, Nick Howitt wrote:
On 26/09/2020 22:29, Chris Green wrote:
2020-09-26 16:24:54,531 fail2ban.utils [1563]: ERROR 7f20226c35e0 --
stderr: 'modprobe: FATAL: Module ip_tables not found in directory
On 26/09/2020 22:29, Chris Green wrote:
2020-09-26 16:24:54,531 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- stderr: 'modprobe: FATAL: Module ip_tables not found in directory /lib/modules/3.10.107-xenU-36-37a7b05-x86_64'
This is your problem. Are you using
On 21/09/2020 17:36, Mike wrote:
At 11:12 AM 9/21/2020, Kenneth Porter wrote:
--On Sunday, September 20, 2020 10:23 PM -0500 Mike wrote:
I updated one of my CentOS 7 servers to Fail2ban 0.11.1-9.el7.2
fail2ban-0.11.1-10.el7.noarch is working fine for me on CentOS
7.8.2003. I can list
I have just upgraded from 0.10.x to 0.11.1 using EPEL's f2b package. I
had my own jail with bantime set to 2147483 for an
iptables-ipset-proto6.conf type of action. My only modification to the
original iptables-ipset-proto6.conf is to add a /24 after the in
the actionban to block a subnet, so
= auth3
Have fun...
On Jul 6, 2020, at 2:18 AM, Nick Howitt
<n...@howitts.co.uk>
On 06/07/2020 09:41, Graham wrote:
On Mon, 6 Jul 2020, Antonio Leding wrote:
Date: Mon, 6 Jul 2020 04:38:14
From: Antonio Leding
To: fail2ban-users@lists.sourceforge.net
Subject: [Fail2ban-users] Parsing "Invalid authentication mechanism" in
postfix
I have a Postfix + fail2ban
As I don't open SSH any more, I don't see the issue, but there was one
notorious Chinese subnet which did this. The best thing to do is just to
permanently block the whole subnet in your firewall.
I do subnet blocks for one rule in a postfix filter as no one should be
sending mail from a
-I -p -m multiport
--dports -m set --match-set src -j
42c42
< actionstop = -D -m set --match-set src -j
---
> actionstop = -D -p -m multiport
--dports -m set --match-set src -j
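Review bot: the `<` side of `actionstop` drops the `-p -m multiport --dports` match that the `-I` insertion line above carries, so its `-D` rule specification no longer describes the rule that was inserted; `iptables -D` removes only a rule whose arguments match exactly, so the shorter form would leave the inserted rule in place and return an error. The `>` side repeats the insertion line's arguments with `-D`, which is the form that can remove the rule the `-I` created. The chain, protocol, port list, set name and target placeholders are missing from this copy, so check them against the action file itself before relying on the comparison.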
So why does one work and not the other?
Yours, truly puzzled.
On 27/05/2020 21:32, Nick Howit
antime = 600 <-- this default is used if not on the invocation line*
ipmset* = f2b-<*name*>
You pass the in the invocation [...,bantime=86400].
is created in the [Init] section with the ipmset =
from the passed argument. Fail2ban supplies .
Bill
On 5/27/2020 11:41 AM, Nick Howitt wrote:
Hell
t* timeout. Look at the actual entry. It
should be counting down
between the two ipset commands.
ipset -L | grep -e Name -e 8.8.8.8
Where 8.8.8.8 is the actual IP address.
Bill
On 5/26/2020 9:52 AM, Nick Howitt wrote:
I've just noticed that the sshd jail is not using the bantime set in
a configl
I've just noticed that the sshd jail is not using the bantime set in a
configlet in /etc/fail2ban/jail.d:
[sshd]
enabled = true
bantime = 86400
action = iptables-ipset-proto6-allports[name=sshd]
[root@dynamicvpn ~]# ipset list f2b-sshd -terse
Name: f2b-sshd
Type: hash:ip
Revision: 4
Header:
t6', '6']]]
['start', 'sshd']
['start', 'postfix']
Many thanks for your time and help.
Best regards
Horst
On 22.05.2020 at 09:27, Nick Howitt wrote:
Why not start with the mdre-auth2 filter in
Replying to list this time.
Why not start with the mdre-auth2 filter in the postfix.conf jail. I
think it is one character out from what you want. You could create
filter.d/postfix.local to override the line. See further down the file
for how to activate the different modes.
Nick
On
I don't use Fedora and still have iptables, but afaik ipset is way
more efficient at blocking big lists than individual per-IP firewall
rules. The action I end up with is
iptables-ipset-proto6-allports.conf. All ports is used as it covers
you changing ports. Also I run
On 02/04/2020 02:01, Kenneth Porter wrote:
On 4/1/2020 5:44 PM, Harrison Johnson wrote:
This keeps me slightly ahead of the asshats.
https://www.ip2location.com/free/visitor-blocker
That's quite cool. With a little work the CIDR format could be
converted to an ipsets file for firewalld or
yne Sallee
wa...@waynesallee.com
http://www.WayneSallee.com
Original Message
*Subject: * [Fail2ban-users] sshd-ddos jail query
*From: * Nick Howitt
*To: * Fail2ban-users
I've been running with a couple of jails for a while now, sshd and
sshd-ddos. Upgrading to 0.10.5 and sshd-ddos no longer exists, but is
part of the sshd jail. I am unclear on how the filtering is working as
it is getting more and more complex. If I set "mode = ddos" in the sshd
jail does it
On 21/02/2020 20:23, Gary Gapinski via Fail2ban-users wrote:
On 2/21/20 1:21 PM, Gary Gapinski via Fail2ban-users wrote:
I had not previously noticed "lost connection after _UNKNOWN_…" but
will add that as well as the companion regex for the disconnect.
Feb 11 12:17:39 mail
That seems to be the wrong approach. If you don't want connections on
submission (port 587), stop listening on it or close the external
firewall. If you are using it for your users, blocking more than one
attempt will limit how much your users can send emails through your server.
My own
I use postfix but my plan of attack is different. I only allow
authenticated logins on port 587 and block them on port 25. You have
to keep 25 open to receive mails from outside but the port now
becomes single purpose. Any legitimate relaying from the inside or
outside
On 28/08/2019 16:25, Mike wrote:
Correct me if I'm wrong, but one issue with using RBL data in iptables
is that you can't get an indication of rejections right?
With my RBL, I send an error message to any remote system they've been
blocked, with instructions on how to petition to be
On 28/08/2019 11:21, Dominic Raferd wrote:
On Wed, 28 Aug 2019 at 08:35, Nick Howitt <n...@howitts.co.uk> wrote:
One thing I'd like to get hold of is a reliable list of all
dynamic IPs
as used by some of the email RBLs.
I use fqrdns
https://github.com/ste
r transient blocking and determining its own block rules.
One thing I'd like to get hold of is a reliable list of all dynamic IPs
as used by some of the email RBLs.
At 04:08 PM 8/27/2019, Kenneth Porter wrote:
--On Tuesday, August 27, 2019 10:37 AM +0100 Nick Howitt
wrote:
FWIW if you are
On 27/08/2019 22:27, Nick Howitt wrote:
On 27/08/2019 22:08, Kenneth Porter wrote:
--On Tuesday, August 27, 2019 10:37 AM +0100 Nick Howitt
wrote:
FWIW if you are trying to block all non-US, I would expect it would
be a
lot more efficient to generate a US only list then block all
On 27/08/2019 22:08, Kenneth Porter wrote:
--On Tuesday, August 27, 2019 10:37 AM +0100 Nick Howitt
wrote:
FWIW if you are trying to block all non-US, I would expect it would be a
lot more efficient to generate a US only list then block all on no match
with the following in your iptables
I also used to use ipdeny for a block list until they went down or, at
least, served rubbish for a while last year. I did write a python
program to do it all. It also consolidated the subnets where possible to
make the list shorter. Just as I finished the program the site started
serving