On 08/10/2021 16:41, Robert Kudyba wrote:
I've noticed that I have a number of slow distributed attacks
happening on my server which evade fail2ban by using a pool of IP
addresses.
I've been looking at the sqlite db and it looks like the data field
in the bips table can ha
On 21/10/2021 21:53, Krzysztof Adamski wrote:
On Thu, 2021-10-21 at 11:38 -0400, Krzysztof Adamski wrote:
On Mon, 2021-10-18 at 10:20 -0700, James Moe via Fail2ban-users
wrote:
On 2021-10-18 07:39, Krzysztof Adamski wrote:
Oct 17 16:33:34 mailserver dovecot: auth-worker(41189): conn
unix:au
As I exclusively use ipset bans, until recently I've been able to get a
list of all bans for all jails by using an ipset command, 'ipset list -o
save | grep "add f2b"'. My report is now broken in 0.11.2 as all
timeouts get loaded as 0 (perma-bans but they do get unbanned by an
action-unban). Is
You need to specify <HOST> somewhere in your regex, but make sure it
does not pick up your internal IP. Perhaps something like:
.*\[<HOST>\]:\d+ \[.*EXIMSPAMASSASSINEXCESSIVEFAIL2BAN
On 02/12/2021 13:56, Steve Charmer wrote:
Hello,
I am running Fail2Ban Version 0.9.3 on Ubuntu 16.04.5 LTS (LOL)
In EXIM, I
On 02/12/2021 22:25, Steve Charmer wrote:
Thanks for your reply Nick.
However, I thought the host_info was a shortcut created by F2B,
in the file
/etc/fail2ban/filter.d/exim-common.conf
so my understanding was that F2B would already get the host info using
the regex in that file
and same co
On 03/12/2021 15:43, Steve Charmer wrote:
oh, ok, I think I understand a little more now.
I was using f2b-regex cmd in console to test it,
but without the host_info alias (as provided by the "before INCLUDE"),
it won't return any matches?
Is it because f2b-regex needs to return a host portion
On 08/12/2021 23:58, H wrote:
On December 8, 2021 4:53:02 PM EST, Richard Shaw wrote:
On Wed, Dec 8, 2021 at 3:42 PM H wrote:
I am running CentOS 7 and the version of fail2ban available is
0.11.1, not
sure what the latest version is. It seems that this version does not
understand range
On 10/12/2021 03:23, Patrick Shanahan wrote:
* Mike [12-09-21 19:56]:
Thank you, I updated to 0.11.2-3 and will see if subnet bans stick.
That may be a function of the type of IPSET list created. I know that with
ipset you can blacklist subnets but if it isn't a certain list:hash type
On 10/12/2021 16:18, Patrick Shanahan wrote:
* fail2ban [12-10-21 03:56]:
On 10/12/2021 03:23, Patrick Shanahan wrote:
* Mike [12-09-21 19:56]:
Thank you, I updated to 0.11.2-3 and will see if subnet bans stick.
That may be a function of the type of IPSET list created. I know th
On 14/03/2022 07:36, Shamim Shahriar wrote:
Hello
I am using fail2ban on production servers running Alma Linux 8. Our
network security scanner is constantly flagging that system complaining
about outdated/vulnerable python on them. However, if I try to remove
that python (with a view to ins
On 04/11/2022 12:40, Richard Shaw wrote:
In the Fedora package everything in /etc is marked %config(noreplace),
meaning it's marked as a configuration file and should not be replaced
on upgrade in order to preserve changes made by end users.
I know best practice is to use .local files to ma
Top posting as the thread is a mess.
Is this really correct? You can telnet into lots of open ports e.g 80
and 25. Even SSL ports like 443 and 587, not that you can do much once
you're in.
On 05/12/2022 18:32, solarflow99 wrote:
that's right, who needs that anyway. I'm so glad to get your ans
On 25/01/2023 11:05, Robby Pedrica wrote:
Hi all,
I'd appreciate some help with a regex on dovecot that I can't seem to
get right. Config is ...
platform: slackware 15 64bit
fail2ban: v0.9.4
dovecot.conf:
[INCLUDES]
before = common.conf
[Definition]
_daemon = (auth|dovecot(-auth)?|auth-wo
ical.
Nick
On 26/01/2023 07:52, Robby Pedrica wrote:
Yip that's gone and done it! Thank you Nick.
The question is why? All the other regex's should be good too ...
Anyway, no looking gift horses in the mouth. Who are we to question? : )
Thanks once again,
Regards, Robby
On Wed,
Surely jail.conf should be left in place as it it supplies some
defaults, especially if you are using a distro packaged version? I don't
think any jails are enabled by default but it may depend on the distro.
Then use jail.local or files in jail.d/ to enable particular filters.
Nick
On 09/02/
Ubuntu 20.04.
>
> I only got this working by setting jails as enabled in the
jail.local
> file. The individual files in jail.d directory don't work.
>
> On Thu, 9 Feb 2023 at 14:44, Nick Howitt via Fail2ban-users
> <mailto:fail2ban-
Is
this right?
On Thu, 9 Feb 2023 at 15:59, Nick Howitt via Fail2ban-users
wrote:
There is some misinformation here. Jails can be enabled via
configlets in jail.d/ as well as overrides in jail.local.
Anyway, what is your full jail config in jail.local? All you need is:
server. I am using Ubuntu 20.04.
>
> I only got this working by setting jails as enabled in the
jail.local
> file. The individual files in jail.d directory don't work.
>
> On Thu, 9 Feb 2023 at 14:44, Nick Howitt via
Fail2ba
Use an "ignoreregex = 127\.0\.0\.1" line. Or just set an ignoreip of
127.0.0.1.
On 22/03/2023 19:22, James Moe via Fail2ban-users wrote:
We scan our mail logs for the use of "auth LOGIN". No legit user uses LOGIN; it
is always a dictionary attack.
We also have a SPAM proxy (ASSP) that filters
On 2023-05-03 10:02, Ben Coleman wrote:
I just ran into a situation where I found my incoming groups.io emails
getting blocked - the server would refuse connections from the
groups.io email server. It turned out to be a combination of
different blocking mechanisms, the Postfix RBL blocker, an
On 2023-06-22 12:58, André Rodier via Fail2ban-users wrote:
Hello, all.
I just set-up a new server, running postfix, with submission(s)
activated on standard ports (587, 465)
Shortly after it has been setup, I see brute force attacks (not
surprising) from a whole /24 network (more surprising)
If you have a large amount of blocks, and this sounds like it, use
ipset-based jails as they are way more efficient. If you want to ban
subnets each time you get a block it is possible to create an action to
ban a /24 subnet each time with a very slight modification to the
default action (which
On 25/06/2023 20:35, Tim Boneko via Fail2ban-users wrote:
On Thursday, 22.06.2023 at 16:27 +0100, Nick Howitt via
Fail2ban-users wrote:
Don't allow authentication on 25!
I second that. Port 25 is without encryption, so I don't offer auth
there - only on 587.
Apart from th
Why not just enable the nginx-http-auth config in jail.conf (using a
jail.local, preferably)?
On 05/03/2024 09:57, Jason Long via Fail2ban-users wrote:
Hello,
GitLab uses Nginx and PostgreSQL internally. I want to protect Nginx with
Fail2Ban. The GitLab log directory contains the following fil
Surely you need a <HOST> variable in that for f2b to work. Something like:
NON-SMTP COMMAND from.\[<HOST>\]:\d+ after CONNECT:.GET./.HTTP/1.1
Normally you'd also expect some sort of timestamp in the logs.
On 20/05/2024 12:37, Maurizio Caloro via Fail2ban-users wrote:
Thanks for your answer
Please, after
rry I have not yet understood which editor I can use for sim, or
is fail2ban a separate unic regex Interpreter?
Thanks for update
*From:* Nick Howitt via Fail2ban-users
*Sent:* Monday, 20 May 2024 13:53
*To:* fail2ban-users@lists.sourceforge.net
*Subject:* Re: [Fail
On 01/06/2024 00:59, Alex wrote:
Hi,
> Ideally, I'd like to not have to modify that regexp and be able to
> add my own, much like what appears to be happening with mdre-errors.
You don't have to. Append your own rules in a new line and test your
changed rule file with
On 01/06/2024 09:29, Nick Howitt wrote:
On 01/06/2024 00:59, Alex wrote:
Hi,
> Ideally, I'd like to not have to modify that regexp and be able to
> add my own, much like what appears to be happening
with mdre-errors.
You don't have to. Append your own rules in a new line an
On 16/06/2024 08:23, Nick Howitt via Fail2ban-users wrote:
On 01/06/2024 09:29, Nick Howitt wrote:
On 01/06/2024 00:59, Alex wrote:
Hi,
> Ideally, I'd like to not have to modify that regexp and be able to
> add my own, much like what appears to be happening
with
On 16/06/2024 09:33, Nick Howitt via Fail2ban-users wrote:
On 16/06/2024 08:23, Nick Howitt via Fail2ban-users wrote:
On 01/06/2024 09:29, Nick Howitt wrote:
On 01/06/2024 00:59, Alex wrote:
Hi,
> Ideally, I'd like to not have to modify that regexp and be
able to
On 17/06/2024 01:46, Alex wrote:
Hi,
> BTW, I can't crack it for the moment.
OK so this isn't going to be quite so neat. You need to add a line:
^RCPT from [^[]*\[<HOST>\]%(_port)s:? 550 5\.5\.1 Protocol error;
to the mdre-normal section. Generally the recommended way is to
Have a look at how it is set up in the filters by default. Both Centos
and Debian installations use:
journalmatch = _SYSTEMD_UNIT=postfix.service
On 03/02/2025 21:50, John Hill wrote:
example I use
journalmatch='_SYSTEMD_UNIT=postfix@-.service'
On 2/3/25 11:55 AM, Marco Moock wrote:
He