Fail2ban - is it safe to update to latest version?

Hi,
I am getting brute-force login attempts, always from the same IP addresses.
Fail2ban is doing a great job banning those IPs, but after the ban time expires the same addresses try again. I would like to increment the ban time for these returning addresses.

A good solution would be the incremental ban time introduced in fail2ban version 0.11.1.
But the latest fail2ban version used in Webmin is Fail2Ban v0.10.2.

Question: is it safe to manually update fail2ban to the latest version to get these new features?

I am a newbie and I’m not sure how config files work with web-based administration of 3rd-party services.

Thank you :)

edit: I found a good idea on how to increment the ban time with the existing version: https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/

0.11.* is, at least for Debian, still in testing. I would only recommend it if really necessary (upgrading to testing versions).
You can block the IP via the firewall too.

Thank you for reply. I understand and agree with your point of view - keep system stable.

I think I successfully managed to automatically block these IPs by creating “loop” filters on the fail2ban.log file.

So far so good :)

Have you enabled the recidive jail?
It can put into recidive, for a longer time, IPs that trigger any other jail more than N times.
You can find it in the jails list.

I did not enable the recidive jail. I did not even know it exists - thank you for pointing it out :) I looked at it: it analyzes fail2ban.log looking for bans (all services) and may ban an IP for a longer time. But it does not increase the ban time exponentially. It is very similar to the [f2b-loop2] jail from my example.

Right now I am looking at how to detect a botnet attack with changing IPs. Any ideas?
I’m getting failed attempts from 45.143.223.12, 45.143.223.130, 45.143.223.20

What are the best practices for this situation? Better botnets may have totally different IP classes that are impossible to detect. Maybe integrating http://www.blocklist.de/ or something similar into the system?

Are there any other ways to detect a botnet?

Change the ban time to something like a year… remember to restart f2b after changes. If that brute force persists for ssh connections, just disable ssh login with password and use ssh keys. This will stop it right away without f2b. It’s safe to change the ban time.

I have ssh with pubkey auth only, enabled on a different port.

The problem is brute-force attacks on “postfix-sasl” from a whole IP subnet, in intervals. No IP from the attacker subnet hits my jail rule because the 255 IPs are changing all the time.
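Added example, not from the thread or from fail2ban itself: the subnet-wide attack described above never trips a per-IP jail, so this script aggregates `Found` lines from fail2ban.log by /24 and flags subnets with several distinct sources. It assumes the 0.10 log layout, a constructed sample log, and a hypothetical threshold of 3 distinct IPs.

```python
"""Group fail2ban.log hits by /24 so a distributed attack from one subnet,
where no single address reaches maxretry, still becomes visible."""
import ipaddress
import re
from collections import defaultdict

# Matches fail2ban 0.10 lines such as
# "2020-03-10 12:00:01,001 fail2ban.filter [1234]: INFO [postfix-sasl] Found 45.143.223.12"
LINE_RE = re.compile(
    r"^\S+ \S+ fail2ban\.\w+\s+\[\d+\]: \w+\s+\[(?P<jail>[^\]]+)\] "
    r"(?P<event>Found|Ban|Unban) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_events(lines):
    """Yield (jail, event, ip) for each recognised line; unrelated lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("jail"), m.group("event"), m.group("ip")

def subnet_report(lines, prefix=24):
    """Return {network: (distinct_ips, hits)} over 'Found' events, keyed by /prefix."""
    ips_by_net = defaultdict(set)
    hits_by_net = defaultdict(int)
    for _jail, event, ip in parse_events(lines):
        if event != "Found":
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        ips_by_net[net].add(ip)
        hits_by_net[net] += 1
    return {str(net): (len(ips_by_net[net]), hits_by_net[net]) for net in ips_by_net}

def suspicious_subnets(lines, min_distinct_ips=3, prefix=24):
    """Subnets with at least min_distinct_ips sources (hypothetical threshold), most hits first."""
    report = subnet_report(lines, prefix)
    flagged = [(net, ips, hits) for net, (ips, hits) in report.items() if ips >= min_distinct_ips]
    return sorted(flagged, key=lambda t: (-t[2], t[0]))

# Constructed sample log; the 45.143.223.x addresses are the ones quoted in the thread.
SAMPLE_LOG = """\
2020-03-10 12:00:01,001 fail2ban.filter         [1234]: INFO    [postfix-sasl] Found 45.143.223.12
2020-03-10 12:00:09,002 fail2ban.filter         [1234]: INFO    [postfix-sasl] Found 45.143.223.130
2020-03-10 12:00:17,003 fail2ban.filter         [1234]: INFO    [postfix-sasl] Found 45.143.223.20
2020-03-10 12:00:25,004 fail2ban.filter         [1234]: INFO    [postfix-sasl] Found 45.143.223.77
2020-03-10 12:01:00,005 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.5
2020-03-10 12:01:30,006 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2020-03-10 12:02:00,007 fail2ban.server         [1234]: INFO    Starting Fail2ban v0.10.2
""".splitlines()

if __name__ == "__main__":
    for net, ips, hits in suspicious_subnets(SAMPLE_LOG):
        print(f"{net}: {ips} distinct sources, {hits} failed attempts")
```

The flagged network is what a recidive-style jail cannot see on its own, since each address individually stays under maxretry.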
