On Thu, Jun 16, 2016 at 02:02:44PM +0200, Alfred Egger wrote:
> Hello,
>
> I am running fail2ban on my servers to block unauthorized logins over SSH. Now the attackers try to use different usernames only once from the same IP. This looks like the following:
>
>     127.0.0.1 : 13 times
>         aaron: 1 time
>         admin: 1 time
>         arbab: 1 time
>         brody: 1 time
>         db2inst1: 1 time
>         frontrow: 1 time
>         michael: 1 time
>         openerp: 1 time
>         openfiler: 1 time
>         squid: 1 time
>         support: 1 time
>         webmaster: 1 time
>         zachary: 1 time
>
> Is there a way to block these attacks using fail2ban? Currently I block 10 failed logins for five minutes, but this applies only to one username failing multiple logins.
You should be able to. Fail2ban counts a logfile line that matches a regex as being a "fail". Enough of those fails causes the IP to be banned. Typically, the regex won't care about the username being tried: "User .* from <HOST> not allowed", for example.
So, if one IP tries 10 different users in 5 minutes, they should get banned.
So, some other things to check:

* Are the failures definitely frequent enough? Some attackers are now deliberately waiting for a while between attempts to try to avoid fail2ban.
* Are the failures all from the same IP? Sophisticated attackers might be using a pool of IPs, and rotating through them.
* Is your ban effective? Fail2ban will run a command to block the IP, but if the command is ineffective, fail2ban will log "already blocked" (which might occur if, for example, you're using the wrong ban action).
> Thank you
> Alfred Egger
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
--
For more information, please reread.
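A worked example of the counting described in the reply above, added here and not code from the thread or from fail2ban itself: a sliding-window count of failures per source host over constructed sshd log lines, with regexes written in the spirit of fail2ban's sshd filter rather than copied from its filter.d/sshd.conf. The usernames are the ones listed in the question; the IP addresses are documentation ranges; the year, hostname and PID are assumed. Scenario A is the case from the question (one host, thirteen usernames, one try each) and is banned because the username never enters the count; scenarios B and C are the two evasions the reply mentions, spaced-out attempts and a rotating pool of IPs, and neither reaches maxretry.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fail-line patterns in the spirit of fail2ban's sshd filter: the username is
# matched by \S+ and thrown away, only the source host is captured. These are
# constructed for this example, not copied from filter.d/sshd.conf.
FAIL_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"),
    re.compile(r"User \S+ from (?P<host>\S+) not allowed because"),
    re.compile(r"Invalid user \S+ from (?P<host>\S+)"),
]


def failures(lines, year=2016):
    """Yield (timestamp, host) for every log line that matches a fail pattern."""
    for line in lines:
        for pat in FAIL_PATTERNS:
            m = pat.search(line)
            if m:
                # syslog timestamps carry no year; one is assumed for the example
                ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
                yield ts, m.group("host")
                break


def banned_hosts(lines, maxretry=10, findtime=300):
    """Return {host: time_of_ban} for hosts that produced at least maxretry
    failures inside any findtime-second window. One sliding window per host;
    which usernames were tried plays no part in it."""
    window = defaultdict(deque)
    bans = {}
    for ts, host in failures(lines):
        if host in bans:
            continue
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts
    return bans


# ---- constructed sample log: documentation IP ranges, usernames from the question

USERS = ["aaron", "admin", "arbab", "brody", "db2inst1", "frontrow", "michael",
         "openerp", "openfiler", "squid", "support", "webmaster", "zachary"]


def sshd_line(ts, user, host, port=40000):
    return (f"{ts.strftime('%b %d %H:%M:%S')} srv sshd[1234]: Failed password "
            f"for invalid user {user} from {host} port {port} ssh2")


def sample_log():
    base = datetime(2016, 6, 16, 14, 0, 0)
    lines = []
    # A: one host, thirteen usernames tried once each, 10 s apart -> banned
    for i, user in enumerate(USERS):
        lines.append(sshd_line(base + timedelta(seconds=10 * i), user, "203.0.113.5"))
    # B: same usernames from one host, 40 s apart -> never 10 inside 300 s
    for i, user in enumerate(USERS):
        lines.append(sshd_line(base + timedelta(seconds=40 * i), user, "198.51.100.7"))
    # C: twelve tries rotated over four hosts -> three per host, no ban
    for i, user in enumerate(USERS[:12]):
        lines.append(sshd_line(base + timedelta(seconds=5 * i), user, f"192.0.2.{10 + i % 4}"))
    lines.sort(key=lambda l: l[:15])   # chronological, like a real log file
    return lines


if __name__ == "__main__":
    for host, when in sorted(banned_hosts(sample_log()).items()):
        print(f"ban {host} at {when:%H:%M:%S}")
```

On a live system the equivalent check is to compare the hosts this reports against the banned list shown by `fail2ban-client status sshd`; a host that reaches the threshold here but never appears there points at the filter regex or the ban action rather than at the counting.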
