| SYSTEM INFORMATION | |
|---|---|
| Operating system | CentOS Linux 7.9.2009 |
| Webmin version | 1.994 |
| Usermin version | 1.840 |
| Virtualmin version | 7.1 |
Hi All,
I have been trying to harden the servers and have been working on the GPL one before copying the same actions to a PRO.
I have been working on Fail2ban editing the rules and have come across a question that seems to have various answers on the web so I think it would be a good idea to ask here for a definitive answer. Of course, if my understanding is wrong I would appreciate any “education” that you might feel worthy of your time.
My ideal would be for bad actors to be banned from ANY connection to this server no matter what their initial attempt was. So, if someone tries to login to, for example, FTP and gets banned by Fail2ban they are banned from ALL services.
If I go to firewalld and click “List FirewallD Rules” I get the expected list but I notice the following
| Type | Family | Source | Direction | Action | Rule |
|---|---|---|---|---|---|
| Rich | IPv4 | 163.177.9.151 | Input | Reject | rule family="ipv4" source address="163.177.9.151" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable" |
That rule was added by Fail2ban as a result of attempted SSH login.
But I also notice this group
| Type | Family | Source | Direction | Action | Rule |
|---|---|---|---|---|---|
| Rich | IPv4 | 141.98.10.203 | Input | Reject | rule family=ipv4 source address=141.98.10.203 port port=465 protocol=tcp reject type=icmp-port-unreachable |
| Rich | IPv4 | 141.98.10.203 | Input | Reject | rule family=ipv4 source address=141.98.10.203 port port=imap protocol=tcp reject type=icmp-port-unreachable |
| Rich | IPv4 | 141.98.10.203 | Input | Reject | rule family=ipv4 source address=141.98.10.203 port port=imaps protocol=tcp reject type=icmp-port-unreachable |
| Rich | IPv4 | 141.98.10.203 | Input | Reject | rule family=ipv4 source address=141.98.10.203 port port=pop3 protocol=tcp reject type=icmp-port-unreachable |
| Rich | IPv4 | 141.98.10.203 | Input | Reject | rule family=ipv4 source address=141.98.10.203 port port=pop3s protocol=tcp reject type=icmp-port-unreachable |
| Rich | IPv4 | 141.98.10.203 | Input | Reject | rule family=ipv4 source address=141.98.10.203 port port=smtp protocol=tcp reject type=icmp-port-unreachable |
| Rich | IPv4 | 141.98.10.203 | Input | Reject | rule family=ipv4 source address=141.98.10.203 port port=submission protocol=tcp reject type=icmp-port-unreachable |
That rule appears to be an attempt at postfix-sasl.
Here are the relevant sections from /etc/fail2ban/jail.conf
```ini
[sshd]
port = ssh
logpath = /var/log/secure
backend = %(sshd_backend)s
```
and
```ini
[postfix-sasl]
filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = /var/log/maillog
backend = %(postfix_backend)s
```
Here are the relevant sections from /etc/fail2ban/jail.local
```ini
[sshd]
enabled = true
ignoreip = xxx.xxx.xxx.xxx 127.0.0.1
maxretry = 2
findtime = 300
bantime = 1w
```
and
```ini
[postfix-sasl]
enabled = true
ignoreip = xxx.xxx.xxx.xxx
maxretry = 3
findtime = 86400
bantime = 1w
```
Since I would like to block ALL attempts from an IP number when failing, is the above what I should expect?
Should the ports mentioned in the rules be something like `port=all` or `port="0-65535"`?
Thanks for reading.
Tim
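As an added example (not part of Tim's post, nor code from Fail2ban, Webmin or Virtualmin), this Python script parses firewalld rich rules in the three spellings a CentOS admin meets, firewall-cmd's double-quoted output, the single-quoted form fail2ban writes, and the unquoted form in Webmin's listing above, and reports per source address whether the reject covers every port or only the jail's port list. A rich rule with no `port port=` clause is what an all-ports rich-rule ban looks like; the sample lines, including the 198.51.100.7 and 203.0.113.9 entries, are constructed.

```python
import re

# Constructed sample: the two sources from the post (per-port bans), one
# all-ports reject, and an accept rule that must not be counted as a ban.
SAMPLE_RICH_RULES = """\
rule family="ipv4" source address="163.177.9.151" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
rule family=ipv4 source address=141.98.10.203 port port=465 protocol=tcp reject type=icmp-port-unreachable
rule family=ipv4 source address=141.98.10.203 port port=imap protocol=tcp reject type=icmp-port-unreachable
rule family=ipv4 source address=141.98.10.203 port port=smtp protocol=tcp reject type=icmp-port-unreachable
rule family='ipv4' source address='198.51.100.7' reject type='icmp-port-unreachable'
rule family="ipv4" source address="203.0.113.9" accept
"""

# Quotes around values are optional so the same regex reads all three spellings.
RULE_RE = re.compile(
    r'rule\s+family=["\']?(?P<family>ipv[46])["\']?'
    r'\s+source\s+address=["\']?(?P<src>[^"\'\s]+)["\']?'
    r'(?:\s+port\s+port=["\']?(?P<port>[^"\'\s]+)["\']?\s+protocol=["\']?(?P<proto>tcp|udp)["\']?)?'
    r'\s+(?P<verdict>reject|drop|accept)'
)


def summarize_bans(text):
    """Group reject/drop rich rules by source address.
    Returns {src: {"family": str, "all_ports": bool, "ports": [str, ...]}};
    all_ports is True when any rule for that source carries no port clause."""
    bans = {}
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m or m.group("verdict") == "accept":
            continue  # not a ban, or not a rich rule in the expected shape
        entry = bans.setdefault(
            m.group("src"), {"family": m.group("family"), "all_ports": False, "ports": set()})
        if m.group("port") is None:
            entry["all_ports"] = True
        else:
            entry["ports"].add(m.group("port"))
    return {src: {**e, "ports": sorted(e["ports"])} for src, e in bans.items()}


def partially_blocked(text):
    """Sources rejected only on specific ports, i.e. still able to reach every other service."""
    return sorted(src for src, e in summarize_bans(text).items() if not e["all_ports"])


if __name__ == "__main__":
    for src, e in summarize_bans(SAMPLE_RICH_RULES).items():
        scope = "ALL ports" if e["all_ports"] else "only " + ",".join(e["ports"])
        print(f"{src:16} {e['family']}  {scope}")
```

On a live host, feed it the output of `firewall-cmd --list-rich-rules` instead of the constructed sample; any address that `partially_blocked` returns is banned for one jail's ports only.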