Re: [Assp-user] ASSP fail2ban
> On a shared server, it is showing User unknown attempts for some 15 to 30 domains in thousands like 5000 to 1 from various IP source, which seems to be using resources unnecessarily. Is there a way to configure assp to discard such attempts from any IPs (if possible for 24 hours), if it repeats User unknown attempts for 3 times per IP (maybe per hour or per day) in assp

Expand the penaltybox section, set DoPenalty and DoPenaltyMessage to block, scroll down and set DoPenaltyMakeTraps to make traps and block them, ensuring to also set the PenaltyMakeTraps to 10 or less (that's up to you); check the PenaltyUseNetblocks and, since you are at it, set the DoPenaltyExtremeSMTP to block. That should be a decent startup; then you may play with some other settings in penaltybox, ip blocking, smtp session limits and more ...

--
___
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user
Re: [Assp-user] ASSP fail2ban
> Just set ValidateUserLog to nolog.

That would just avoid logging, not solve the issue; on the other hand, setting up ASSP to block those IPs after they get in penalty extreme would help sparing resources :)
Re: [Assp-user] ASSP fail2ban
GrayHat gray...@gmx.net writes:

> That would just avoid logging, not solve the issue; on the other hand, setting up ASSP to block those IPs after they get in penalty extreme would help sparing resources :)

That solves the issue because it is just psychological. I really doubt that blocking IPs in ASSP with penalty extreme would spare resources compared to invalid user. If you would log the IP blocking, it would also produce thousands of log entries. If not, you would think you spare.
Re: [Assp-user] ASSP fail2ban
On 2010-05-26 4:01 PM, Paul K. Dickson wrote:

> That's a really bad idea. ASSP already does that in a sense but is smart about it. Don't reinvent the wheel ;)

Actually fail2ban rocks, and blocks these kinds of things at the firewall level, so is in that sense more secure. And it is pretty smart about it too - it can block for limited times, or permanently, based on what you tell it to do. No sense in bogging down ASSP any more than need be, especially on a busy server.

--
Best regards,
Charles
Re: [Assp-user] ASSP fail2ban
> That solves the issue because it is just psychological.

Uh ?

> I really doubt that blocking IPs in ASSP with penalty extreme would spare resources compared to invalid user.

Yeah, sure, try getting some thousands attempts in a matter of seconds (which means some millions connections attempts on a typical day) and then come back and tell me that performing a straight reject didn't spare resources.

Oh well... no problem btw, you're free to handle your stuff as you prefer; all in all that's just me g
Re: [Assp-user] ASSP fail2ban
> No sense in bogging down ASSP any more than need be, especially on a busy server.

Sounds like Fritz doesn't agree; up to him, by the way, and really no problem with that; yet I think that, if *properly* set up, ASSP is perfectly able to deal with such an issue w/o having to recur to stuff like fail2ban
Re: [Assp-user] ASSP fail2ban
GrayHat gray...@gmx.net writes:

> Sounds like Fritz doesn't agree; up to him

I explained quite a different thing.
Re: [Assp-user] ASSP fail2ban
GrayHat gray...@gmx.net writes:

> Yeah, sure, try getting some thousands attempts in a matter of seconds (which means some millions connections attempts on a typical day) and then come back and tell me that performing a straight reject didn't spare resources

You block thousand attempts with one straight reject? At least in ASSP that is not possible, you need roughly the same number of rejects on the ip-level as you do with user invalid rejects.
Re: [Assp-user] ASSP fail2ban
That's a really bad idea. ASSP already does that in a sense but is smart about it. Don't reinvent the wheel ;)

From: MadTh madan.feedb...@gmail.com
Reply-To: For Users of ASSP assp-user@lists.sourceforge.net
Date: Wed, 26 May 2010 21:48:54 +0200
To: assp-user@lists.sourceforge.net
Subject: [Assp-user] ASSP fail2ban

> Hi,
>
> In http://www.fail2ban.org/wiki/index.php/ASSP, for the following log:
>
> Example: Nov-14-09 00:14:50 54090-05322 201.244.255.72 bad...@gtgwhhrthrth.com [SMTP Error] 550 5.1.1 User unknown: your.u...@your-domain.com
>
> the ASSP failregex is:
>
> failregex = .*? \d{5}-\d{5} <HOST> .*? \[SMTP Error\] (.*)
>
> Can you please advise a failregex for the log pattern:
>
> May-12-10 13:16:41 82.249.21.94 user unknown te...@somedomain.com;
>
> where fail2ban will be able to get the IP from the above log alert message, and then block it in iptables.
>
> Thanks
Re: [Assp-user] ASSP fail2ban
On a shared server, it is showing User unknown attempts for some 15 to 30 domains in thousands like 5000 to 1 from various IP source, which seems to be using resources unnecessarily. Is there a way to configure assp to discard such attempts from any IPs (if possible for 24 hours), if it repeats User unknown attempts for 3 times per IP (maybe per hour or per day) in assp

Please advise.

On Wed, May 26, 2010 at 10:01 PM, Paul K. Dickson pdick...@frederickcountymd.gov wrote:

> That's a really bad idea. ASSP already does that in a sense but is smart about it. Don't reinvent the wheel ;)
>
> From: MadTh madan.feedb...@gmail.com
> Reply-To: For Users of ASSP assp-user@lists.sourceforge.net
> Date: Wed, 26 May 2010 21:48:54 +0200
> To: assp-user@lists.sourceforge.net
> Subject: [Assp-user] ASSP fail2ban
>
> Hi,
>
> In http://www.fail2ban.org/wiki/index.php/ASSP, for the following log:
>
> Example: Nov-14-09 00:14:50 54090-05322 201.244.255.72 bad...@gtgwhhrthrth.com [SMTP Error] 550 5.1.1 User unknown: your.u...@your-domain.com
>
> the ASSP failregex is:
>
> failregex = .*? \d{5}-\d{5} <HOST> .*? \[SMTP Error\] (.*)
>
> Can you please advise a failregex for the log pattern:
>
> May-12-10 13:16:41 82.249.21.94 user unknown te...@somedomain.com;
>
> where fail2ban will be able to get the IP from the above log alert message, and then block it in iptables.
>
> Thanks
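
Added example, not part of the thread: a small Python check of the failregex question and the "3 times per IP" threshold discussed above. The `SHORT` pattern, the IPv4-only `<HOST>` stand-in, the stripping of the timestamp before matching and the sample log lines are all assumptions made for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex quoted in the thread from the fail2ban wiki (long log format).
WIKI = r".*? \d{5}-\d{5} <HOST> .*? \[SMTP Error\] (.*)"
# Candidate for the short format (assumption, not from the thread): anchored
# so the address field that follows the IP cannot supply the host.
SHORT = r"^\s*<HOST> user unknown \S+"

# Constructed sample lines in the two formats, using documentation IP ranges.
SAMPLE = [
    "Nov-14-09 00:14:50 54090-05322 203.0.113.5 x@example.net "
    "[SMTP Error] 550 5.1.1 User unknown: y@example.com",
    "May-12-10 13:16:41 198.51.100.7 user unknown a@example.com;",
    "May-12-10 13:20:02 198.51.100.7 user unknown b@example.com;",
    "May-12-10 13:25:10 192.0.2.9 user unknown c@example.com;",
    "May-12-10 13:40:55 198.51.100.7 user unknown d@example.com;",
    "May-12-10 15:00:00 192.0.2.9 user unknown e@example.com;",
    "May-12-10 15:30:00 192.0.2.9 user unknown f@example.com;",
]

def compile_failregex(expr):
    return re.compile(expr.replace("<HOST>", HOST))

def parse(line, regexes):
    """Return (timestamp, ip) when a failregex matches the text after the timestamp."""
    stamp, rest = line[:18], line[18:]   # "Mon-DD-YY HH:MM:SS" is 18 chars
    for rx in regexes:
        m = rx.search(rest)
        if m:
            return datetime.strptime(stamp, "%b-%d-%y %H:%M:%S"), m.group("host")
    return None

def bans(lines, regexes, maxretry=3, findtime=timedelta(hours=1)):
    """IPs that reach maxretry matches inside a sliding findtime window."""
    seen, banned = defaultdict(deque), []
    for hit in (parse(l, regexes) for l in lines):
        if hit is None:
            continue
        ts, ip = hit
        window = seen[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned
```

In a fail2ban jail the same thresholds are set with `maxretry`, `findtime` and `bantime` (86400 seconds for the 24 hours asked about).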