> On 3 Apr 2019, at 9:45 am, Curtis Maurand <cur...@maurand.com> wrote:
>
> On 4/2/19 5:39 PM, @lbutlr wrote:
>> On 2 Apr 2019, at 14:30, Esteban L <este...@little-beak.com> wrote:
>>> The times are in seconds, so you'll need to calculate those times.
>> A month is 2629743 seconds. An hour, of course, is 3600, but I prefer 86400,
>> which is one day.
>>
>> BTW, pi seconds is very close to 1 nanocentury.
>>
> I agree with @lbutlr that 86400 is a good number. Now to find where to
> change the iptables rule to "-j DROP".
>
> I like to just silently drop the connection. It becomes a sort of reverse DoS
> in that they keep opening sockets, but you're effectively not listening.
> It's been very effective in my experience. To be sure, they will keep
> changing sources once they realize the host is unreachable from any
> particular source. If I end up blocking Tor or VPN users that are trying to
> do nefarious things, then so be it. I don't need to waste CPU cycles sending
> responses. fail2ban is a resource hog as it is.
>
> Cheers,
> Curtis
Thanks all for your replies. Increasing both bantime and findtime is good, and I'll do that. Looking through the logs I can see some repeated IPs for IMAP failures, but over long times (e.g. maybe once or twice a day max).

We have Stunnel receive the traffic on ports 465 and 587 and forward it on to 127.0.0.1 on port 25. So that is why I can't write a fail2ban rule for this log line:

auth-worker(42777): Info: sql(cont...@com.au,127.0.0.1): unknown user (given password: Password123)

as it would ban localhost, not the original IP that Stunnel received.

Thanks,
James.
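The two points raised in this thread, the findtime/bantime window and the Stunnel-forwarded failures that show up as 127.0.0.1, can be demonstrated with a small fail2ban-style scanner. The following is an added example written for this page; it is not code from fail2ban, Dovecot or Stunnel, and it does not recover the original client address behind Stunnel (nothing in the thread shows how to). It parses Dovecot auth-worker "unknown user" lines with a regex equivalent to a fail2ban filter's <HOST> capture, refuses to ban any address inside an ignore list (fail2ban's own default ignoreip covers 127.0.0.1/8), and counts failures per address in a sliding findtime window before declaring a ban. The log lines, user names, passwords and timestamps are constructed for the example; 203.0.113.5 is a documentation address.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Matches the Dovecot auth-worker line quoted in the thread. In a fail2ban
# filter.d file the "ip" group would be written as <HOST>.
DOVECOT_SQL_FAIL = re.compile(
    r"auth-worker\(\d+\): Info: sql\((?P<user>[^,]+),(?P<ip>[^)]+)\): unknown user"
)

# Addresses that must never be banned. Mirrors fail2ban's default
# ignoreip of 127.0.0.1/8 (and ::1). A Stunnel-forwarded failure logs
# 127.0.0.1 as its source, so it is dropped here instead of banning localhost.
IGNORE_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def parse_failure(line):
    """Return (user, ip) for a Dovecot sql 'unknown user' line, else None."""
    m = DOVECOT_SQL_FAIL.search(line)
    if m is None:
        return None
    return m.group("user"), m.group("ip")


def ban_target(ip_str, ignore_nets=IGNORE_NETS):
    """Return the address to ban, or None if it is unparsable or ignored."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    if any(addr in net for net in ignore_nets):
        return None
    return str(addr)


class RetryTracker:
    """Per-address failure counter over a sliding findtime window (seconds)."""

    def __init__(self, maxretry, findtime):
        self.maxretry = maxretry
        self.findtime = findtime
        self.hits = defaultdict(deque)

    def record(self, ip, ts):
        """Record a failure at epoch time ts; True if the address should be banned."""
        q = self.hits[ip]
        q.append(ts)
        # Forget failures older than findtime relative to the newest one.
        while q and q[0] < ts - self.findtime:
            q.popleft()
        return len(q) >= self.maxretry


def scan(entries, maxretry, findtime, ignore_nets=IGNORE_NETS):
    """Walk (epoch_seconds, log_line) pairs and return addresses that earned a ban."""
    tracker = RetryTracker(maxretry, findtime)
    banned = []
    for ts, line in entries:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        target = ban_target(parsed[1], ignore_nets)
        if target is None:
            continue  # loopback from Stunnel, or garbage: never ban
        if tracker.record(target, ts) and target not in banned:
            banned.append(target)
    return banned


def _line(pid, user, ip, pw):
    return f"auth-worker({pid}): Info: sql({user},{ip}): unknown user (given password: {pw})"


# Constructed sample log: three forwarded failures from 127.0.0.1 inside a
# minute, then three direct failures from 203.0.113.5 inside two minutes.
SAMPLE_ENTRIES = [
    (1000, _line(42777, "alice@example.com", "127.0.0.1", "hunter2")),
    (1060, _line(42777, "alice@example.com", "127.0.0.1", "hunter3")),
    (1120, _line(42777, "alice@example.com", "127.0.0.1", "hunter4")),
    (2000, _line(42780, "bob@example.com", "203.0.113.5", "letmein")),
    (2030, _line(42780, "bob@example.com", "203.0.113.5", "letmein1")),
    (2090, _line(42780, "bob@example.com", "203.0.113.5", "letmein2")),
]

if __name__ == "__main__":
    print(scan(SAMPLE_ENTRIES, maxretry=3, findtime=600))
```

The tracker also shows why a longer findtime matters for the "once or twice a day" pattern James describes: three failures spaced 43200 seconds apart never reach maxretry=3 with findtime=600, but do with a findtime of a week.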