Are the default Fail2ban settings enough? What are the recommendations?

Ubuntu Linux 20.04.6 REQUIRED
Webmin version 2.021 REQUIRED

My webmin log has hundreds of entries like these:

1681426868.252354.0 [14/Apr/2023 05:01:08] root - global "failed" "-" "wrongpass"
1681426872.252357.0 [14/Apr/2023 05:01:12] root - global "failed" "-" "wrongpass"
1681426877.252360.0 [14/Apr/2023 05:01:17] root - global "failed" "-" "wrongpass"
1681426883.252363.0 [14/Apr/2023 05:01:23] root - global "failed" "-" "wrongpass"
1681430070.256274.0 [14/Apr/2023 05:54:30] root - global "failed" "-" "wrongpass"
1681430074.256277.0 [14/Apr/2023 05:54:34] root - global "failed" "-" "wrongpass"
1681430079.256282.0 [14/Apr/2023 05:54:39] root - global "failed" "-" "wrongpass"
1681430085.256299.0 [14/Apr/2023 05:54:45] root - global "failed" "-" "wrongpass"
1681430093.256302.0 [14/Apr/2023 05:54:53] root - global "failed" "-" "wrongpass"

I think fail2ban should take care of these. How can there be so many repeated attempts?

Fail2ban is set to start at boot, but I haven’t changed any of its configuration.
Is there anything the admin should do here?

For example, the webmin.auth Jail is active, but there is no “action” set:

Should I set one? Which?

Depends on what you want to do. I tend to use all ports, on the assumption that the failed user is up to no good.

I like to enable [recidive] and shorten matches to 2. In my default config [recidive] is already set to banaction = %(banaction_allports)s so I don’t mind the jails that feed the log file having whatever ports they default to. When I check the fail2ban log, if someone is playing with lots of ports and an IP range it’s obvious, and I’ll check their location and add a --permanent drop for that range to firewalld.
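An added example, not part of the thread and not fail2ban's own code: a simplified model of a ban threshold run over the failed-login lines from the question, showing that a burst of four failures stays under a maxretry of 5. It assumes all lines come from one host (the sample lines carry no client address) and that the jail sees every one of these failures; `failed_logins` and `simulate` are hypothetical helper names.

```python
import re

# Failed-login lines copied from the question above (Webmin action log).
SAMPLE_LOG = """\
1681426868.252354.0 [14/Apr/2023 05:01:08] root - global "failed" "-" "wrongpass"
1681426872.252357.0 [14/Apr/2023 05:01:12] root - global "failed" "-" "wrongpass"
1681426877.252360.0 [14/Apr/2023 05:01:17] root - global "failed" "-" "wrongpass"
1681426883.252363.0 [14/Apr/2023 05:01:23] root - global "failed" "-" "wrongpass"
1681430070.256274.0 [14/Apr/2023 05:54:30] root - global "failed" "-" "wrongpass"
1681430074.256277.0 [14/Apr/2023 05:54:34] root - global "failed" "-" "wrongpass"
1681430079.256282.0 [14/Apr/2023 05:54:39] root - global "failed" "-" "wrongpass"
1681430085.256299.0 [14/Apr/2023 05:54:45] root - global "failed" "-" "wrongpass"
1681430093.256302.0 [14/Apr/2023 05:54:53] root - global "failed" "-" "wrongpass"
"""

# The first field starts with the epoch timestamp; the quoted "failed" marks a bad login.
LINE_RE = re.compile(r'^(\d+)\.\d+\.\d+ \[[^\]]+\] (\S+) .*"failed"')

def failed_logins(text):
    """Return (epoch_seconds, user) for every failed-login line."""
    return [(int(m.group(1)), m.group(2))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def simulate(events, maxretry, findtime, bantime):
    """Simplified ban-threshold model; returns (ban_times, attempts_blocked).

    Assumption: every event comes from the same host.
    """
    recent, bans, blocked, banned_until = [], [], 0, 0
    for ts, _user in events:
        if ts < banned_until:          # host is firewalled: attempt never arrives
            blocked += 1
            continue
        recent = [t for t in recent if ts - t <= findtime] + [ts]
        if len(recent) >= maxretry:    # threshold reached inside the window
            bans.append(ts)
            banned_until = ts + bantime
            recent = []
    return bans, blocked

if __name__ == "__main__":
    events = failed_logins(SAMPLE_LOG)
    # 5 / 600 s / 600 s are the stock jail.conf defaults; 2 is an illustrative stricter value.
    for maxretry in (5, 2):
        bans, blocked = simulate(events, maxretry, findtime=600, bantime=600)
        print(f"maxretry={maxretry}: bans at {bans}, {blocked} of {len(events)} attempts blocked")
```

Under this model the first burst of four never reaches the default threshold, so a ban only lands on the ninth attempt; a short ban that expires between bursts is what the [recidive] jail mentioned above is meant to catch.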
