More than 3 years ago I installed a new Webmin/Virtualmin server. After few days I found some “already banned” ips in fail2ban.log. I had a very long thread about that issue with the app developer. I couldn’t solve the problem via iptables. I wrote a couple of scripts to block those ips via firewallD.
2 days ago I developed a new virtual host with Alma Linux 9 and a fresh install of Webmin Virtualmin.
Then I installed some software but I never change anything related to firewall and fail2ban setting by myself.
I got freezed when looking at fail2ban.log and found again some “Already banned”. If the ip has been banned it has access only when it is “unban”.
My knowledge on this matter is very poor so I don’t want to try anything.
Here are stuff I’ve done after Virtualmin install: Changed hostname, ssh port, php conf Install nano, mlocate, imagemagick, ksh, postfix-perl-scripts, exiftool, php-extensions, sphinx, phpMyadmin, trying to install Horde (pearl), Roundcube, phpMailer. Blocked some domains in named.conf
Thanks for help
Its always best practise to reduce the attack surface as much as possible, and this is done by limiting the exposure. If you have a proper firewall between you are the dirty side of the internet, limit access by country to just those of your customers. Most people want a fairly wide spread for http/https, but their mail customers are local(ish). For example, our mail is locked down to UK/Ireland and parts of the EU which knocks out all the crap coming from the east.
Second, analyse fail2ban logs and pic out the IP’s who just bang on week after week, get banned, unbanned and carry on. just block those permanently. You can do this automatically or manually, you’re choice here.
Finally, make sure you’ve got something watching the system like lynis + snort (as an example), then pay attention to any suspect activity. fail2ban is really just a script kiddy mitigation device, really doesn’t work great against proper bad actors. (imo).
Thanks for your tips.
I have a very long list of IPs I’ve already blocked in firewallD, that script I mentioned.
Many times it is not useful because of dynamic IP.
How do you limit access by country?
I have an old database, IP to country codes, I use in some php scripts
OK. Thinking about it, fail2ban has to read the auth attempt. I don’t know if it returns any information on fail. That would be bad. But port knocking is what you might be looking for. I found this. There are others.
I should of posted “It disables fail2ban and use iptables”
Strange I’m sure fail2ban was off last time i look but most of the banning is with IPTABLES.
I noticed the “start at boot” is enabled maybe it started after a reboot. I will investigate.
PCAP is packet capture. Think wire shark. It will show if the packet even gets an acknowledgment or if it is silently dropped. Given how old this technique is I’d be surprised if fail2ban isn’t just logging the attempts but doesn’t answer. But, that’s just a guess/assumption on my part.
The only way to avoid the knock is to have a firewall ahead of the machine. No way around that one.
I’ve toyed with the idea of setting up a vm for a firewall and then sharing the ban list from the hosting machine. That would stop the door knocks. The problem is that there is so much noise from the (fill_in_the_blank) that it makes finding stuff in the logs harder sometimes. Just no time right now.