I think it can be done with f2b if you use iptables but you'll have to work out the details. You'd need to create some new actions which go into a separate chain. You then have two separate jails. One jail does standard blocks and one does the reverse, i.e. you make your filter detect successful login and have it trigger a ban rule. The trick is to make the ban rule an ACCEPT rule and INSERT it into the chain. For the standard blocks you make sure you APPEND your rule to the bottom of the chain. This would also work with ipset blocks. The whole thing would work entirely in f2b without any scripting.
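The ordering rule in the reply above (whitelist jail INSERTs an ACCEPT at the top of a shared chain, block jail APPENDs DROPs at the bottom, first match wins) modelled in Python as an added example. This is not fail2ban or iptables code from the thread; the chain name f2b-mail, the jail behaviour and the IP addresses are constructed assumptions. Each method's docstring names the real iptables command it stands in for.

```python
# Added example: first-match model of one user chain driven by two fail2ban
# jails. Chain name and addresses are assumptions, not from the thread.
ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"


class Chain:
    """Minimal model of a user-defined iptables chain.

    Rules are (source_ip, target) and are evaluated top to bottom; the first
    rule whose source matches decides. A packet that matches nothing falls
    off the end, which in netfilter returns to the calling chain. For the
    APPEND scheme to work the chain must therefore not end in a fixed
    RETURN rule: anything appended below such a rule is never reached.
    """

    def __init__(self, name="f2b-mail"):
        self.name = name
        self.rules = []

    def insert(self, ip, target):
        """Whitelist jail's actionban: iptables -I <name> 1 -s <ip> -j <target>"""
        self.rules.insert(0, (ip, target))

    def append(self, ip, target):
        """Block jail's actionban: iptables -A <name> -s <ip> -j <target>"""
        self.rules.append((ip, target))

    def delete(self, ip, target):
        """Either jail's actionunban: iptables -D <name> -s <ip> -j <target>"""
        self.rules.remove((ip, target))

    def verdict(self, ip):
        for src, target in self.rules:
            if src == ip:
                return target
        return RETURN


def scenario():
    """Whitelist inserted on top, blocks appended below; returns the verdicts."""
    chain = Chain()
    office, bot = "198.51.100.10", "203.0.113.77"   # constructed addresses
    out = {}
    chain.insert(office, ACCEPT)   # a successful login: whitelist jail "bans" with ACCEPT
    chain.append(office, DROP)     # a colleague's failures: block jail appends DROP
    chain.append(bot, DROP)
    out["office_while_whitelisted"] = chain.verdict(office)   # ACCEPT, the top rule wins
    out["bot"] = chain.verdict(bot)                           # DROP
    out["unknown"] = chain.verdict("192.0.2.1")               # RETURN, caller decides
    chain.delete(office, ACCEPT)   # whitelist bantime expires
    out["office_after_expiry"] = chain.verdict(office)        # DROP, the block is still there
    return out


def wrong_order():
    """Failure mode: appending the ACCEPT instead puts it below an earlier DROP."""
    chain = Chain()
    office = "198.51.100.10"
    chain.append(office, DROP)
    chain.append(office, ACCEPT)
    return chain.verdict(office)   # DROP
```

The `office_after_expiry` case is the caveat to plan for: a DROP appended while the IP was whitelisted stays in the chain after the ACCEPT is removed, so either give the whitelist jail a bantime at least as long as the block jail's, or stop the block jail from banning whitelisted IPs in the first place (fail2ban's `ignorecommand` jail option can run a check per candidate IP).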

On 09/09/2020 20:14, Florian Ruhnke via Fail2ban-users wrote:
Hi,

what about a script that removes the failed IP from F2B's database when
a successful login is detected?
As Sergey Brester (contributor) wrote on github:

<quote>
Question: Also, is there a way of unmark an ip as being "bad"?
Answer: Manually unbanning does this (by removing from sqlite-database).
# everywhere (in all jails and database, >= v.0.10):
?sudo? fail2ban-client unban <IP> ... <IP>
# per jail (>= v.0.9)
?sudo? fail2ban-client set <JAIL> unbanip <IP>
</quote>

I think it would work when the script is triggered by a cronjob,
reading the logfile, and then sends the IPs that successfully logged in to
the fail2ban-client.

Greetz
Florian

On 09.09.2020 at 14:49, [email protected] wrote:
Hi All

I am trying to setup Fail2Ban type functionality for a mail server.
The object is to block 1000's of BOTS that try dictionary attacks or
have lists of previously compromised accounts (which now have new
passwords).

But I do not want to accidentally block bona fide IP addresses, like a
company's office router, which supports many valid users, even if one
or two users have bad passwords.

For example if someone enters their password incorrectly and their
mail program retries a number of times, their IP will get blocked. If
they are connecting from an office environment then all of their
colleagues who share the same public IP address will also get blocked.
This is not acceptable.

So the functionality we are looking for is:

- when we log a valid login, we "whitelist" that IP for a period.

- when we log a number of invalid logins in a given period, we jail it
for a jail period, as per the normal fail2ban rules. Provided that IP
is not already whitelisted.

One way to implement the above is to count the valid logins, per IP,
and subtract the invalid logins, per IP. We can stop counting when we
reach a maximum (say 10), but if it goes down to say, negative 3, we
jail the IP. On un-jailing we reset the counter. This way an IP that
supports a group of bona fide users should never get jailed, but the
bots will get detected and blocked.

I have looked through the documentation and I can't see an obvious way of
doing this with fail2ban. Has anybody implemented anything like this
before?

Thanks


Ian
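A prototype of both ideas in the thread, added here as an example that is not code from either poster: Ian's per-IP counter (count valid logins, subtract failures, cap at 10, jail at minus 3, reset on un-jail) and Florian's cron-driven script that sends IPs with a successful login to fail2ban-client for unbanning. The log line format, the addresses and the jail name `dovecot` are constructed assumptions; the `fail2ban-client set <JAIL> unbanip <IP>` invocation is the one quoted above.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample log lines. The format is an assumption for this example
# and does not claim to match any particular IMAP/SMTP daemon's output.
SAMPLE_LOG = """\
Sep 09 14:01:02 mail imap-login: Login: user=alice, rip=198.51.100.10
Sep 09 14:01:05 mail imap-login: Login: user=bob, rip=198.51.100.10
Sep 09 14:01:09 mail imap-login: Login failed: user=carol, rip=198.51.100.10
Sep 09 14:01:10 mail imap-login: Login failed: user=carol, rip=198.51.100.10
Sep 09 14:01:12 mail imap-login: Login failed: user=carol, rip=198.51.100.10
Sep 09 14:02:00 mail imap-login: Login failed: user=admin, rip=203.0.113.77
Sep 09 14:02:01 mail imap-login: Login failed: user=root, rip=203.0.113.77
Sep 09 14:02:02 mail imap-login: Login failed: user=test, rip=203.0.113.77
Sep 09 14:02:03 mail imap-login: Login failed: user=info, rip=203.0.113.77
"""

# Only a dotted-quad IP is accepted, so nothing else from the log can reach
# the command line below.
LOGIN_RE = re.compile(
    r"Login(?P<failed> failed)?: user=(?P<user>\S+), rip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

MAX_SCORE = 10   # stop counting successes here (Ian's "maximum, say 10")
JAIL_AT = -3     # jail when the score falls to this (Ian's "negative 3")


def parse_events(log_text):
    """Return a list of (ip, succeeded) tuples, one per login line."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("failed") is None))
    return events


def score_ips(events):
    """Ian's counter: +1 per valid login (capped), -1 per failure, jail at JAIL_AT."""
    scores = defaultdict(int)
    jailed = []
    for ip, ok in events:
        if ip in jailed:
            continue                     # traffic from a jailed IP never reaches the counter
        if ok:
            scores[ip] = min(scores[ip] + 1, MAX_SCORE)
        else:
            scores[ip] -= 1
            if scores[ip] <= JAIL_AT:
                jailed.append(ip)
                scores[ip] = 0           # counter is reset when the jail ends
    return dict(scores), jailed


def unban_commands(events, jail="dovecot"):
    """Florian's idea: one fail2ban-client unban command per IP that logged in."""
    seen, cmds = set(), []
    for ip, ok in events:
        if ok and ip not in seen:
            seen.add(ip)
            cmds.append(["fail2ban-client", "set", jail, "unbanip", ip])
    return cmds


def run_unbans(log_text, jail="dovecot", dry_run=True):
    """Cron entry point: parse the log and unban every IP with a successful login."""
    cmds = unban_commands(parse_events(log_text), jail)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=False)   # list form: the IP is never shell-interpreted
    return cmds


if __name__ == "__main__":
    print(score_ips(parse_events(SAMPLE_LOG)))
    print(run_unbans(SAMPLE_LOG))
```

On the sample, the office address ends at a score of minus 1 (two valid logins, three failures) and is not jailed, where a plain maxretry of 3 would have banned it, while the bot is jailed on its third failure. Two things a cron version needs that this prototype leaves out: remember how far into the log the last run got, so the same IP is not unbanned on every pass, and keep in mind that one valid login is enough to clear an address, so a bot holding a single still-valid credential is whitelisted by both schemes.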


_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users