What would you suggest to stop them.
Here is what I do try, any maybe you can tell if that’s a good Idea or if there are better ones:
I’ve opened the existing /etc/fail2ban/filter.d/proftpd.conf configfile and removed the first line of the failregex to put it in a seperated filter (to be able to set other ban-times.
I’ve created a new filter named proftp_noSuchUser (/etc/fail2ban/filter.d/proftp_NoSuchUser.conf) and put in there the same as in proftpd.conf, but for failregex only the first line (which was removed from proftp)
Then I’ve created a new jail which check for the last 3,5 hours, if there are more then 9 attempts with a wrong username from the same ip, and if, I ban it for a month.
Webmin - leak of information
Unfortunately it’s not clear, what kind of inputs are possible for the values. Must I write it in seconds (as fail2ban generally use it that way), can I use 10m for 10 Minutes, or 10d for days?
Yep, unless your password is 12345678 or password, I don’t think you should concern yourself overly with three attempts per hour.
If you were to make fail2ban that aggressive, you’re going to lock yourself out, I guarantee it. (Unless you always use key-based logins, which is recommended if you have that ability, and don’t need to allow password logins at all…in which case you could disable passwords.)
I offer this in case anyone else arrives here with a similar question.
I agree that a slow attack like this is unlikely to yield any results for the attacker but I pay close attention to the logwatch reports that arrive daily and a number of slow attacks like this make it more difficult to see other information that might be important because of the “noise”. So for what it is worth, this is what I do. If nothing else it gives me some more peace of mind.
I make use of the recidive filter but because I don’t want to give genuine users more trouble I have set the criteria to figures that are unlikely to catch a real user like - matches 100 in 10 minutes before ban but the ban time to 2 months.
Then, when I find an offending IP number I run “fail2ban-client set recidive banip 111.222.333.444” (obviously IP number to ban). That works a treat and I have reduced the offenders to very few. Now my logwatch report is very clean.
Hope that helps someone.
PS. I have only ever found attackers using the full email address as a username, I use an alternative pattern which is available to be set using the Vmin interface.