I have my doubts about Fail2Ban being able to do that directly, but I've
done something along those lines with OpenVPN tunnel connections.
When an OpenVPN tunnel is established it is possible to run a script on
the server side, you could for example send an email notifying someone
that a VPN has connected. What I did is write a script that was run on a
successful VPN connection and the script will use the public IP for the
VPN and add it to the fail2ban ignoreip line in jail.local, using sed,
and keep a record of the addition so that in a week or so the IP is
removed from the ignoreip line and issue a fail2ban reload. This stopped
fail2ban blocking the users who successfully authenticate their VPNs but
still block the other malicious attempts...
To do something similar for the mail server I think you'd need to have
the script run in cron every so often and parse your log files and build
your criteria and if it passes then add the IP to the ignoreip, but
again you should keep track of the additions so they can be cleaned out
after a given time...
Regards
------------------------
Rhys McWilliams
Mobile: +27 82 335-5014
http://www.castlehill.co.za
On 2020/09/09 14:49, [email protected] wrote:
Hi All
I am trying to setup Fail2Ban type functionality for a mail server.
The object is to block 1000s of bots that try dictionary attacks or
have lists of previously compromised accounts (which now have new
passwords).
But I do not want to accidentally block bona fide IP addresses, like a
company's office router, which supports many valid users, even if one
or two users have bad passwords.
For example if someone enters their password incorrectly and their
mail program retries a number of times, their IP will get blocked. If
they are connecting from an office environment then all of their
colleagues who share the same public IP address will also get blocked.
This is not acceptable.
So the functionality we are looking for is:
- when we log a valid login, we "whitelist" that IP for a period.
- when we log a number of invalid logins in a given period, we jail it
for a jail period, as per the normal fail2ban rules, provided that IP
is not already whitelisted.
One way to implement the above is to count the valid logins, per IP,
and subtract the invalid logins, per IP. We can stop counting when we
reach a maximum (say 10), but if it goes down to say, negative 3, we
jail the IP. On un-jailing we reset the counter. This way an IP that
supports a group of bona fide users should never get jailed, but the
bots will get detected and blocked.
I have looked through the documentation and I can't see an obvious way of
doing this with fail2ban. Has anybody implemented anything like this
before?
Thanks
Ian
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users