I posted in the past about this system called "Login-Shield" which
makes a great complement to Fail2Ban. It uses the same system F2B
uses regarding IP blacklisting (ipset), but it encompasses a wider
net with more precise restrictions on specific login ports. This
SIGNIFICANTLY reduces the intrusions that F2B triggers on stuff like
ftp, ssh, pop3/imap login attempts and other areas. It doesn't block
mail, just login ports.
I'm now blocking, seriously, 99% of most attack vectors before they
get to F2B with virtually no false positives. This is a very
specific, targeted system - check it out if you haven't:
https://github.com/dpsystems/login-shield
This is completely open source. Completely free.
But what I want to point out is that now there's another system by
the same author that he's been testing for about three years and has
finally made public, that does for the web what login-shield does for
login ports. It's called "Web-Shield" and it is another very
specifically targeted IPv4 blacklist (using CIDR ranges and not
individual IPs for much better performance). I'm unaware of Fail2Ban
being able to, for example, ban a class C or /22 or what may be
needed. This system pre-empts all that and just allows Fail2Ban to
deal with individual accounts of userspace shenanigans.
Check it out at:
https://github.com/dpsystems/web-shield
Both of these systems are a very simple set of shell scripts that use
ipset/iptables to wholesale block certain IP ranges of certain
ports. The blacklists are updated regularly and the dev responds to
all claims of false positives.
Web-shield is based on the premise that virtual servers/VPS/VPN/TOR
hosting platforms do not usually have a valid reason to be visiting
your server. If you're running legit apps that don't have a need for
server IP space hitting them, this is a very useful utility. It
won't affect any major search engines, but it does censor some of the
invasive web-spiders from the east that refuse to honor robots.txt or
private corporate spiders that are gathering data for who-knows-what purpose.
I've been running e-commerce systems for clients and have had to
routinely deal with systems probing for WordPress/Drupal
vulnerabilities. This system stops more than 90% of that. I don't
have any reason for someone using a VPN to visit our server - almost
all VPN activity is script kiddies trying to brute force passwords
for WordPress, IMAP, etc. This system basically says, "If you're not
a real person, or a legit search engine, you can't visit the web server."
Check it out and give the author feedback.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
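The ipset/iptables pattern the post describes, as an added example that is not code from Login-Shield or Web-Shield or from their author: a hash:net set that holds whole CIDR ranges (so a /22 is one entry, which is the performance point the post makes), and a single iptables rule that matches that set only against login ports, so mail delivery on ports not in the list is untouched. The set name, the port list and the RFC 5737 documentation ranges in the sample list are assumptions; DRY_RUN=1 (the default) prints the commands instead of executing them, so the script runs without root and can be reviewed before anything touches the firewall.

```shell
#!/bin/sh
# Added example, not Login-Shield/Web-Shield code: block CIDR ranges on
# login ports only, using one ipset (hash:net) and one iptables rule.
# SET_NAME, LOGIN_PORTS and the sample ranges below are assumptions.

SET_NAME="login_blocklist"
LOGIN_PORTS="21,22,110,143,993,995"   # assumed: ftp, ssh, pop3, imap, imaps, pop3s
: "${DRY_RUN:=1}"                      # 1 = print commands, 0 = execute (needs root)

# Constructed sample blocklist: one CIDR per line, '#' starts a comment.
SAMPLE_LIST='# constructed sample (RFC 5737 documentation prefixes)
192.0.2.0/24
198.51.100.0/22
# 203.0.113.0/24   <- commented out, must not be loaded
not-a-range
'

# Print or execute a command, depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# hash:net stores whole CIDR ranges, so a /22 is a single entry.
setup_set() {
  run ipset -exist create "$SET_NAME" hash:net
}

# Read ranges from stdin; skip blank/comment lines, and reject anything that
# is not digits, dots and a slash (malformed lines go to stderr, not the set).
load_ranges() {
  while IFS= read -r line; do
    line=${line%%#*}
    line=$(printf '%s' "$line" | tr -d '[:space:]')
    [ -z "$line" ] && continue
    case "$line" in
      *[!0-9./]*) printf 'skipping malformed entry: %s\n' "$line" >&2; continue ;;
    esac
    run ipset -exist add "$SET_NAME" "$line"
  done
}

# One rule: drop TCP to the login ports from any source in the set.
# Ports not listed (25, 587, 80, 443 ...) are untouched, which is the
# "doesn't block mail, just login ports" behaviour the post describes.
install_rule() {
  run iptables -I INPUT -p tcp -m set --match-set "$SET_NAME" src \
      -m multiport --dports "$LOGIN_PORTS" -j DROP
}

# Helper for checking: how many 'ipset add' commands the sample produces.
count_loaded() {
  printf '%s' "$SAMPLE_LIST" | load_ranges 2>/dev/null | grep -c '^ipset -exist add'
}

main() {
  setup_set
  printf '%s' "$SAMPLE_LIST" | load_ranges
  install_rule
}

# Usage: sh block.sh run            (prints the commands)
#        DRY_RUN=0 sh block.sh run  (applies them, as root)
if [ "${1:-}" = "run" ]; then main; fi
```

Run it with DRY_RUN=1 first and read the printed commands; the only ports affected are those in LOGIN_PORTS, and a malformed line in the list is reported and dropped rather than passed to ipset. Inserting the rule with `-I INPUT` puts it ahead of Fail2Ban's chains, so a range blocked here never reaches F2B's per-IP logic.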