On 10/13/2021 7:30 AM, Yassine Chaouche wrote:
This seems to be an attempt to authenticate as a nonexistent user and I think the IP should be banned in this case.

Beware of situations where a legit user is mistyping his username. You might want to allow leniency for that.

The situation I see is obviously invalid usernames being tested by script kiddies, like "admin" or other default logins. I'd like a filter that can check against a list of bad names. I could list them in a regex but a more maintainable solution would be to reference a text file of common names that could be shared by several filters (e.g. sendmail, postfix, sshd, and dovecot).

I've also been thinking about using a plugin for systems that allow that to watch for obviously bad usernames and invoke fail2ban-client to perma-ban those addresses. I might also add them to an ipset for direct ban by the underlying firewall.

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
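
A sketch of the shared bad-name list idea discussed in the message above, added here as an example and not taken from the poster or from fail2ban itself. The log lines and name list are constructed, the two regexes are assumed log shapes, and the jail name `sshd` and ipset name `badnames` are hypothetical; the commands are only built, never executed.

```python
import ipaddress
import re

# Constructed shared list; in practice one text file read by every filter.
BAD_NAMES_TEXT = """\
# obviously bad usernames, one per line
admin
root
test
"""
# Assumed log shapes, one pattern per service (adjust to your own logs).
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)"),
    re.compile(r"dovecot: auth.*\((?P<user>[^,()]+),(?P<ip>[^,()]+)\): unknown user"),
]
# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
Oct 13 07:01:02 mx sshd[811]: Invalid user admin from 203.0.113.5 port 40122
Oct 13 07:01:09 mx sshd[812]: Invalid user yasine from 198.51.100.7 port 51514
Oct 13 07:02:30 mx dovecot: auth-worker(901): pam(test,203.0.113.9): unknown user
Oct 13 07:02:31 mx dovecot: auth-worker(901): pam(Admin,203.0.113.5): unknown user
"""

def load_bad_names(text):
    """Skip blanks and # comments; names are compared case-insensitively."""
    lines = (l.strip() for l in text.splitlines())
    return {l.lower() for l in lines if l and not l.startswith("#")}

def offenders(log_text, bad_names):
    """Return sorted IPs that tried a listed name; unlisted names (typos) are ignored."""
    hits = set()
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m and m.group("user").lower() in bad_names:
                try:
                    hits.add(str(ipaddress.ip_address(m.group("ip"))))
                except ValueError:
                    pass  # not a bare IP address: never pass it to a command
    return sorted(hits)

def ban_commands(ips, jail="sshd", ipset_name="badnames"):
    """Build (not run) the fail2ban-client and ipset calls for each offender."""
    return [cmd for ip in ips for cmd in (
        ["fail2ban-client", "set", jail, "banip", ip],
        ["ipset", "add", ipset_name, ip, "-exist"])]
```

Only exact matches against the list are flagged, so the mistyped name `yasine` in the sample produces no ban, which keeps the leniency for legitimate users mentioned in the message.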
