On 18 Oct 2016, at 21:00, vod vos wrote:
So, how to block this kind of IPs?
Does fail2ban work?
Yes, but as Sebastian said, it is possible for fail2ban to block
innocent users, particularly those SSL errors, which essentially amount
to connections that were never fully initiated. That's why fail2ban is
usually set to require multiple matches on a log pattern in a short time
to ban an IP and only bans an IP temporarily. How much risk that
represents for any particular system is impossible to know without
knowing how the system is used and configured. For example, I do not
advertise AUTH in my port 25 smtpd because everything that might need to
relay through that system will use the port 587 smtpd, configured to
handle initial message submission. As a result, I can be absolutely
certain that anything trying to do AUTH on the port 25 service is a bad
actor of some sort, using very stupid software. I use something very
much like fail2ban in principle (but much smaller) to immediately block
any IP in a line from the port 25 smtpd that includes 'auth=0/'
(indicating an auth failure). I do a similar thing with Dovecot, but ONLY
for clear authentication failures, not for the sort of SSL initiation
failures you are seeing. I can do this because I know my user base on
that system, which is small and stable, and it has never banned anyone
it should not have. On systems that I manage where the user bases are
larger and more prone to using bad software, configuring their software
poorly, or stubbornly mis-remembering a password, I have to take a more
lenient, fail2ban-like approach: multiple failures within a few minutes
trigger a block lasting less than an hour.
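The two policies described in the reply above (immediate ban for any AUTH attempt on a port 25 smtpd that never advertises AUTH, and a threshold-within-a-window ban for the submission service), worked through as an added example in Python; it is not code from the thread or from Postfix or fail2ban. It assumes Postfix-style "disconnect from" summary lines where a failed AUTH shows up as `auth=0/N`, that the port 25 service logs as `postfix/smtpd` and the port 587 submission service as `postfix/submission/smtpd` (i.e. master.cf sets `syslog_name=postfix/submission` for it), a fixed log year of 2016 because syslog timestamps carry none, and the sample log lines, threshold (3 failures in 5 minutes) and ban length (30 minutes) are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original thread). Assumed layout: the port 25
# smtpd logs as "postfix/smtpd", the port 587 submission smtpd as
# "postfix/submission/smtpd". Line 5 is a successful AUTH, line 6 a bare STARTTLS
# failure with no AUTH attempt; neither should ever lead to a ban.
SAMPLE_LOG = """\
Oct 18 21:00:01 mx postfix/smtpd[1001]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 quit=1 commands=2/3
Oct 18 21:00:05 mx postfix/submission/smtpd[1002]: disconnect from host.example[198.51.100.7] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
Oct 18 21:01:10 mx postfix/submission/smtpd[1003]: disconnect from host.example[198.51.100.7] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
Oct 18 21:02:20 mx postfix/submission/smtpd[1004]: disconnect from host.example[198.51.100.7] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
Oct 18 21:02:40 mx postfix/submission/smtpd[1005]: disconnect from laptop.example[203.0.113.5] ehlo=2 starttls=1 auth=1/1 quit=1 commands=5/5
Oct 18 21:03:00 mx postfix/smtpd[1006]: disconnect from unknown[192.0.2.11] ehlo=1 starttls=0/1 commands=1/2
"""

# Matches a Postfix "disconnect from" summary line and captures the timestamp,
# the logging program (which smtpd instance) and the client IP.
DISCONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>postfix(?:/\w+)?/smtpd)\[\d+\]: "
    r"disconnect from \S+\[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)
# "auth=0/N": N AUTH commands were issued and none succeeded.
AUTH_FAIL_RE = re.compile(r"\bauth=0/\d+")

PORT25_PROG = "postfix/smtpd"  # assumed syslog name of the port 25 service


def decide_bans(log_text, year=2016, threshold=3,
                window=timedelta(minutes=5), ban_for=timedelta(minutes=30)):
    """Scan log_text and return {ip: (reason, ban_until)} for every IP that
    should be blocked. Port 25 AUTH attempts are banned on first sight;
    submission failures are banned only once `threshold` of them fall
    within `window` (a sliding window per IP, as fail2ban does)."""
    bans = {}
    recent = defaultdict(deque)  # ip -> timestamps of recent submission AUTH failures
    for line in log_text.splitlines():
        m = DISCONNECT_RE.match(line)
        if not m or not AUTH_FAIL_RE.search(m["rest"]):
            continue  # not a disconnect line, or no failed AUTH on it
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        ip = m["ip"]
        if ip in bans:
            continue  # already decided; a real implementation would also expire bans
        if m["prog"] == PORT25_PROG:
            # AUTH is never offered on port 25 here, so any attempt is hostile.
            bans[ip] = ("AUTH attempt on port 25", ts + ban_for)
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            bans[ip] = (f"{len(q)} AUTH failures within {window}", ts + ban_for)
    return bans


if __name__ == "__main__":
    for ip, (reason, until) in decide_bans(SAMPLE_LOG).items():
        print(f"block {ip} until {until:%H:%M:%S}: {reason}")
```

Running it lists 192.0.2.10 (banned at its first port 25 AUTH attempt) and 198.51.100.7 (third submission failure within five minutes); the successful login from 203.0.113.5 and the TLS-only failure from 192.0.2.11 never count, which is the distinction the reply draws between clear authentication failures and SSL initiation failures. Feeding the decisions to a firewall and expiring them is left to the caller.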