From: Nick J. <ni...@cr...> - 2008-12-23 13:32:04
Hello All,

I love the fail2ban script, and it's been running for about a year now on my RHEL5 system with no problems. However recently (the past few weeks) I've noticed a huge increase in the number of failure attempts on my postfix mail server. Constant attacks from various IPs (note, we do not host mail for a large number of people, just about 7-8 people).

I get a notice every time an IP is banned/unbanned, mostly the attacker is varying the IPs, but some are re-occurring. It's been going on now, non-stop for over 3 weeks. Fail2ban bans the IP for 5 minutes, after 10 unsuccessful attempts.

I've been trying to change these settings, I'd like to make them much more strict, but no matter what changes I make to the /etc/fail2ban.conf it doesn't seem to have any effect on the behavior. I've also tried manually adding some of the more frequently re-occurring IPs to /etc/hosts.deny but this doesn't seem to have any effect either. It seems like nothing I do changes the behavior.

Here's what I have changed in the /etc/fail2ban.conf

maxfailures = 3
bantime = 93600

Still though, IPs are banned after 10 failures and only for 5 min.

Any help would be greatly appreciated, not just in regards to figuring out why my config seems to be ignored, but also any general tips on ways I can at least slow down this attack.

Thanks in advance!
-Nick
From: René B. <rb...@ca...> - 2008-12-23 17:28:57
Nick Jennings wrote:
> I love the fail2ban script, and it's been running for about a year now
> on my RHEL5 system with no problems. However recently (the past few
> weeks) I've noticed a huge increase in the number of failure attempts on
> my postfix mail server. Constant attacks from various IPs (note, we do
> not host mail for a large number of people, just about 7-8 people).
>
> I get a notice everytime an IP is banned/unbanned, mostly the attacker
> is varying the IPs, but some are re-occurring. It's been going on now,
> non-stop for over 3 weeks. Fail2ban bans the IP for 5 minutes, after 10
> unsuccessful attempts
>
> I've been trying to change these settings, I'd like to make them much
> more strict, but no matter what changes I make to the /etc/fail2ban.conf
> it doesn't seem to have any effect on the behavior. I've also tried
> manually adding some of the more frequently re-occurring IPs to
> /etc/hosts.deny but this doesn't seem to have any effect either. It
> seems like nothing I do changes the behavior.
>
> Here's what I have changed in the /etc/fail2ban.conf
> maxfailures = 3
> bantime = 93600
>
> Still though, IPs are banned after 10 failures and only for 5 min.

Each jail can set its own parameters, so instead of changing fail2ban.conf you should change jail.conf or, better, local.conf.

> Any help would be greatly appreciated, not just in regards to figuring
> out why my config seems to be ignored, but also any general tips on ways
> I can at least slow down this attack.

I'm not sure if I understood correctly, you say that even when you add manually some IPs to hosts.deny they are allowed? That would mean that your postfix was not built with tcp_wrapper support, but you might still have the choice of using the firewall (not hosts.deny but iptables if that comes with Red Hat) by configuring fail2ban to use it (i.e. a different jail).

--
René Berber
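To make the override order in the reply concrete, here is an added example (not from this thread and not fail2ban's own reader) that layers a constructed jail.conf and a constructed jail.local the way fail2ban applies them, so you can see which bantime/maxretry a jail actually ends up with; all values and the postfix jail shown are made up for illustration.

```python
import configparser

# Constructed stand-in for the packaged jail.conf: global values in
# [DEFAULT] plus a postfix jail that pins its own bantime/maxretry.
# This is why editing a global value elsewhere changes nothing here.
JAIL_CONF = """
[DEFAULT]
bantime  = 600
maxretry = 3
findtime = 600

[postfix]
enabled  = true
filter   = postfix
action   = iptables[name=Postfix, port=smtp, protocol=tcp]
logpath  = /var/log/maillog
bantime  = 300
maxretry = 10
"""

# Constructed jail.local: only the keys you want to override go here, so
# a package upgrade that rewrites jail.conf does not clobber your choices.
JAIL_LOCAL = """
[postfix]
bantime  = 93600
maxretry = 3
"""


def effective_settings(*layers):
    """Apply config layers in order (later layer wins) with a jail's own
    key beating [DEFAULT]. Modelled on fail2ban's precedence using the
    stdlib parser; it is an assumption-labelled simplification, not
    fail2ban's reader."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in layers:
        cp.read_string(text)  # re-reading a section merges/overrides keys
    result = {}
    for jail in cp.sections():  # DEFAULT is not a section, only a fallback
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        result[jail] = {
            "bantime": cp.getint(jail, "bantime"),
            "maxretry": cp.getint(jail, "maxretry"),
            "action": cp.get(jail, "action").split("[")[0].strip(),
        }
    return result


if __name__ == "__main__":
    before = effective_settings(JAIL_CONF)
    after = effective_settings(JAIL_CONF, JAIL_LOCAL)
    for name, cfg in after.items():
        print(f"{name}: bantime {before[name]['bantime']}s -> {cfg['bantime']}s, "
              f"maxretry {before[name]['maxretry']} -> {cfg['maxretry']}")
```

Without the jail.local layer the postfix jail keeps its own 300 s / 10 attempts regardless of what [DEFAULT] says, which matches the "ignored config" symptom in the question.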