Hi All
I am trying to setup Fail2Ban type functionality for a mail server. The
object is to block thousands of bots that try dictionary attacks or have
lists of previously compromised accounts (which now have new passwords).
But I do not want to accidentally block bona fide IP addresses, like a
company's office router, which supports many valid users, even if one or
two users have bad passwords.
For example if someone enters their password incorrectly and their mail
program retries a number of times, their IP will get blocked. If they
are connecting from an office environment then all of their colleagues
who share the same public IP address will also get blocked. This is not
acceptable.
So the functionality we are looking for is:
- when we log a valid login, we "whitelist" that IP for a period.
- when we log a number of invalid logins in a given period, we jail it
for a jail period, as per the normal fail2ban rules, provided that IP is
not already whitelisted.
One way to implement the above is to count the valid logins, per IP, and
subtract the invalid logins, per IP. We can stop counting when we reach
a maximum (say 10), but if it goes down to, say, negative 3, we jail the
IP. On un-jailing we reset the counter. This way an IP that supports a
group of bona fide users should never get jailed, but the bots will get
detected and blocked.
I have looked through the documentation and I can't see an obvious way of
doing this with fail2ban. Has anybody implemented anything like this before?
Thanks
Ian
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
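The scoring scheme Ian describes (count good logins per IP up to a cap of 10, subtract failures, jail at -3, reset on un-jail) as a stand-alone Python scorer run over sample log lines. This is an added example, not code from the post and not a fail2ban feature; the Dovecot-style `imap-login` lines, the IP addresses, and the two regexes are constructed assumptions about the server's log format.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Thresholds taken from the post: stop counting good logins at 10, jail at -3.
MAX_SCORE = 10
JAIL_SCORE = -3

# Constructed sample log in a Dovecot-like imap-login style (an assumption about
# the server's log format; adjust the two regexes below for a real server).
# 203.0.113.10 plays the office router, 198.51.100.7 plays a password-guessing bot.
SAMPLE_LOG = """\
imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1
imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1
imap-login: Login: user=<dave>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
"""

GOOD_RE = re.compile(r"imap-login: Login: .*?rip=([0-9a-fA-F.:]+)")
BAD_RE = re.compile(r"imap-login: Disconnected \(auth failed.*?rip=([0-9a-fA-F.:]+)")


@dataclass
class LoginScorer:
    """Per-IP running score: +1 per valid login (capped), -1 per failure.

    An IP is jailed once its score reaches jail_score; while jailed its
    events are ignored, and unjail() resets the counter as the post describes.
    """
    max_score: int = MAX_SCORE
    jail_score: int = JAIL_SCORE
    scores: dict = field(default_factory=dict)
    jailed: set = field(default_factory=set)

    def record(self, ip: str, success: bool) -> bool:
        """Apply one login event; return True if the IP is now jailed."""
        if ip in self.jailed:
            return True
        score = self.scores.get(ip, 0)
        if success:
            score = min(score + 1, self.max_score)  # stop counting at the cap
        else:
            score -= 1
        self.scores[ip] = score
        if score <= self.jail_score:
            self.jailed.add(ip)
        return ip in self.jailed

    def unjail(self, ip: str) -> None:
        """Release the IP and reset its counter to zero."""
        self.jailed.discard(ip)
        self.scores.pop(ip, None)


def parse_event(line: str) -> Optional[Tuple[str, bool]]:
    """Return (ip, success) for a recognised log line, else None."""
    m = GOOD_RE.search(line)
    if m:
        return m.group(1), True
    m = BAD_RE.search(line)
    if m:
        return m.group(1), False
    return None


def process_log(text: str, scorer: Optional[LoginScorer] = None) -> LoginScorer:
    """Feed every recognised line of the log into the scorer and return it."""
    scorer = scorer or LoginScorer()
    for line in text.splitlines():
        event = parse_event(line)
        if event is not None:
            scorer.record(*event)
    return scorer


if __name__ == "__main__":
    s = process_log(SAMPLE_LOG)
    for ip, score in sorted(s.scores.items()):
        state = "JAILED" if ip in s.jailed else "ok"
        print(f"{ip:16} score={score:3} {state}")
```

Two caveats worth keeping in mind with this scheme: an IP with no recorded good logins yet (a new office, or one whose first events after a reset are failures) is jailed after three failures exactly like a bot, so the score only protects addresses that have already logged in successfully; and the "period" and "jail period" from the post are not modelled here, so a real deployment needs the scores to decay or expire rather than accumulate forever.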