Eric Shubert wrote:
> I honestly don't understand fail2ban in any detail. I wonder though, if
> perhaps it's set up such that if someone's authentication fails, then it
> changes iptables such that nobody can attempt to authenticate any more
> (like blocking port 587 for any address). That'd be pretty bad. :(

If you get a certain number of failed authentications from a particular IP
(usually 3 or 4), it will use iptables to ban that IP from connecting to
the port in question. So 'nobody' means 'nobody at that IP', not 'nobody
in the world'.

Incidentally, when I got tired of grinders trying to guess passwords on my
toaster, I banned a bunch of Chinese class C's (banning a surprisingly
small number took care of most of the attempts I was seeing) and added a
fail2ban filter that does an insta-kill (1 attempt is enough to invoke the
rule) on anything that tries to authenticate with a username that doesn't
include a domain name. That's been pretty effective.

Angus
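
Added example, not part of Angus's message or any qmailtoaster code: a small Python model of the two ban rules he describes (the usual fail2ban per-IP failure threshold, plus an immediate ban on any login name that carries no domain part), run over constructed vchkpw-style log lines. The log line format, the `vchkpw-submission` tag and the IP addresses are assumptions; check them against your own maillog before turning this into a fail2ban filter.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, modelled on vchkpw-style
# lines; verify against your own maillog before relying on it):
#   "vchkpw-submission: vpopmail user not found admin@:203.0.113.7"
#   "vchkpw-submission: password fail alice@example.com:198.51.100.5"
AUTH_FAIL = re.compile(
    r"vchkpw-\w+: (?:vpopmail user not found|password fail(?: \(pass: '[^']*'\))?) "
    r"(?P<user>[^@:\s]+)@(?P<domain>[^:\s]*):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Constructed sample log: one domainless login attempt, one IP hitting the
# retry limit against a real mailbox, and one IP that stays under the limit.
SAMPLE_LOG = """\
Mar  1 10:00:01 mx vpopmail[1234]: vchkpw-submission: vpopmail user not found admin@:203.0.113.7
Mar  1 10:00:02 mx vpopmail[1235]: vchkpw-submission: password fail alice@example.com:198.51.100.5
Mar  1 10:00:03 mx vpopmail[1236]: vchkpw-submission: password fail alice@example.com:198.51.100.5
Mar  1 10:00:04 mx vpopmail[1237]: vchkpw-submission: password fail alice@example.com:198.51.100.5
Mar  1 10:00:05 mx vpopmail[1238]: vchkpw-submission: password fail bob@example.com:192.0.2.9
"""


def ban_decisions(log_text, maxretry=3):
    """Return {ip: reason} for every IP that would be banned.

    Two rules, mirroring the setup described in the thread:
      * "maxretry": the usual fail2ban behaviour, ban after N failures from one IP;
      * "domainless-username": ban on the first attempt whose login name has no
        domain part (toaster users are expected to log in as user@domain).
    """
    failures = defaultdict(int)
    banned = {}
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if not m or m.group("ip") in banned:
            continue
        ip = m.group("ip")
        if not m.group("domain"):
            banned[ip] = "domainless-username"  # one attempt is enough
            continue
        failures[ip] += 1
        if failures[ip] >= maxretry:
            banned[ip] = "maxretry"
    return banned


if __name__ == "__main__":
    for ip, reason in ban_decisions(SAMPLE_LOG).items():
        print(f"ban {ip}: {reason}")
```

The real filter would express the same `user@:` test as a fail2ban failregex with `<HOST>` in place of the IP group; the threshold rule is just fail2ban's normal maxretry setting.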


---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
