Re: [Fail2ban-users] Extending fail2ban for distributed attacks

2021-10-08 Thread Nick Howitt via Fail2ban-users
On 08/10/2021 16:41, Robert Kudyba wrote: I've noticed that I have a number of slow distributed attacks happening on my server which evade fail2ban by using a pool of IP addresses. I've been looking at the sqlite db and it looks like the data field in the bips table can ha

Re: [Fail2ban-users] Multiple attempts on a single connection

2021-10-22 Thread Nick Howitt via Fail2ban-users
On 21/10/2021 21:53, Krzysztof Adamski wrote: On Thu, 2021-10-21 at 11:38 -0400, Krzysztof Adamski wrote: On Mon, 2021-10-18 at 10:20 -0700, James Moe via Fail2ban-users wrote: On 2021-10-18 07:39, Krzysztof Adamski wrote: Oct 17 16:33:34 mailserver dovecot: auth-worker(41189): conn unix:au

[Fail2ban-users] Is there a way to get a list of all bans with time remaining or expiry time in a single command?

2021-11-22 Thread Nick Howitt via Fail2ban-users
As I exclusively use ipset bans, until recently I've been able to get a list of all bans for all jails by using an ipset command, 'ipset list -o save | grep "add f2b"'. My report is now broken in 0.11.2 as all timeouts get loaded as 0 (perma-bans but they do get unbanned by an action-unban). Is

Re: [Fail2ban-users] Request help with failregex for EXIM4 MAINLOG Warning: line (please)

2021-12-02 Thread Nick Howitt via Fail2ban-users
You need to specify somewhere in your regex, but make sure it does not pick up your internal IP. Perhaps something like: .*\[\]:\d+ \[.*EXIMSPAMASSASSINEXCESSIVEFAIL2BAN On 02/12/2021 13:56, Steve Charmer wrote: Hello, I am running Fail2Ban Version 0.9.3 on Ubuntu 16.04.5 LTS (LOL) In EXIM, I

Re: [Fail2ban-users] Request help with failregex for EXIM4 MAINLOG Warning: line (please)

2021-12-03 Thread Nick Howitt via Fail2ban-users
On 02/12/2021 22:25, Steve Charmer wrote: Thanks for your reply Nick. However, I thought the  host_info was a shortcut created by F2B, in the file /etc/fail2ban/filter.d/exim-common.conf so my understanding was that F2B would already get the host info using the regex in that file and same co

Re: [Fail2ban-users] Request help with failregex for EXIM4 MAINLOG Warning: line (please)

2021-12-03 Thread Nick Howitt via Fail2ban-users
On 03/12/2021 15:43, Steve Charmer wrote: oh, ok, I think I understand a little more now. I was using f2b-regex cmd in console to test it, but without the host_info alias (as provided by the "before INCLUDE"), it won't return any matches? Is it because f2b-regex needs to return a host portion

Re: [Fail2ban-users] fail2ban 0.11.1

2021-12-09 Thread Nick Howitt via Fail2ban-users
On 08/12/2021 23:58, H wrote: On December 8, 2021 4:53:02 PM EST, Richard Shaw wrote: On Wed, Dec 8, 2021 at 3:42 PM H wrote: I am running CentOS 7 and the version of fail2ban available is 0.11.1, not sure what the latest version is. It seems that this version does not understand range

Re: [Fail2ban-users] fail2ban 0.11.1

2021-12-10 Thread Nick Howitt via Fail2ban-users
On 10/12/2021 03:23, Patrick Shanahan wrote: * Mike [12-09-21 19:56]: Thank you, I updated to 0.11.2-3 and will see if subnet bans stick. That may be a function of the type of IPSET list created. I know that with ipset you can blacklist subnets but if it isn't a certain list:hash type

Re: [Fail2ban-users] fail2ban 0.11.1

2021-12-10 Thread Nick Howitt via Fail2ban-users
On 10/12/2021 16:18, Patrick Shanahan wrote: * fail2ban [12-10-21 03:56]: On 10/12/2021 03:23, Patrick Shanahan wrote: * Mike [12-09-21 19:56]: Thank you, I updated to 0.11.2-3 and will see if subnet bans stick. That may be a function of the type of IPSET list created. I know th

Re: [Fail2ban-users] fail2ban and python version on EPEL8

2022-03-14 Thread Nick Howitt via Fail2ban-users
On 14/03/2022 07:36, Shamim Shahriar wrote: Hello I am using fail2ban on production servers running Alma Linux 8. Our network security scanner is constantly flagging that system complaining about outdated/vulnerable python on them. However, if I try to remove that python (with a view to ins

Re: [Fail2ban-users] Are filters intended to be modified by end users?

2022-11-04 Thread Nick Howitt via Fail2ban-users
On 04/11/2022 12:40, Richard Shaw wrote: In the Fedora package everything in /etc is marked %config(noreplace), meaning it's marked as a configuration file and should not be replaced on upgrade in order to preserve changes made by end users. I know best practice is to use .local files to ma

Re: [Fail2ban-users] banning telnet connections

2022-12-05 Thread Nick Howitt via Fail2ban-users
Top posting as the thread is a mess. Is this really correct? You can telnet into lots of open ports, e.g. 80 and 25. Even SSL ports like 443 and 587, not that you can do much once you're in. On 05/12/2022 18:32, solarflow99 wrote: that's right, who needs that anyway. I'm so glad to get your ans

Re: [Fail2ban-users] Regex for dovecot not working

2023-01-25 Thread Nick Howitt via Fail2ban-users
On 25/01/2023 11:05, Robby Pedrica wrote: Hi all, I'd appreciate some help with a regex on dovecot that I can't seem to get right. Config is ... platform: slackware 15 64bit fail2ban: v0.9.4 dovecot.conf: [INCLUDES] before = common.conf [Definition] _daemon = (auth|dovecot(-auth)?|auth-wo

Re: [Fail2ban-users] Regex for dovecot not working

2023-01-26 Thread Nick Howitt via Fail2ban-users
ical. Nick On 26/01/2023 07:52, Robby Pedrica wrote: Yip that's gone and done it! Thank you Nick. The question is why? All the other regexes should be good too ... Anyway, no looking gift horses in the mouth. Who are we to question? : ) Thanks once again, Regards, Robby On Wed,

Re: [Fail2ban-users] Fail2Ban cannot start due to logs

2023-02-09 Thread Nick Howitt via Fail2ban-users
Surely jail.conf should be left in place as it supplies some defaults, especially if you are using a distro packaged version? I don't think any jails are enabled by default but it may depend on the distro. Then use jail.local or files in jail.d/ to enable particular filters. Nick On 09/02/

Re: [Fail2ban-users] Fail2Ban cannot start due to logs

2023-02-09 Thread Nick Howitt via Fail2ban-users
Ubuntu 20.04. > > I only got this working by setting jails as enabled in the jail.local > file. The individual files in jail.d directory don't work. > > On Thu., 9 Feb. 2023 at 14:44, Nick Howitt via Fail2ban-users > <mailto:fail2ban-

Re: [Fail2ban-users] Fail2Ban cannot start due to logs

2023-02-09 Thread Nick Howitt via Fail2ban-users
Is this right? On Thu., 9 Feb. 2023 at 15:59, Nick Howitt via Fail2ban-users wrote: There is some misinformation here. Jails can be enabled via configlets in jail.d/ as well as overrides in jail.local. Anyway, what is your full jail config in jail.local? All you need is:

Re: [Fail2ban-users] Fail2Ban cannot start due to logs

2023-02-09 Thread Nick Howitt via Fail2ban-users
server. I am using Ubuntu 20.04. > > I only got this working by setting jails as enabled in the jail.local > file. The individual files in jail.d directory don't work. > > On Thu., 9 Feb. 2023 at 14:44, Nick Howitt via Fail2ba

Re: [Fail2ban-users] A regular expression for a NOT condition

2023-03-22 Thread Nick Howitt via Fail2ban-users
Use an "ignoreregex = 127\.0\.0\.1" line. Or just set an ignoreip of 127.0.0.1. On 22/03/2023 19:22, James Moe via Fail2ban-users wrote: We scan our mail logs for the use of "auth LOGIN". No legit user uses LOGIN; it is always a dictionary attack. We also have a SPAM proxy (ASSP) that filters

Re: [Fail2ban-users] Does fail2ban-client unban reset increments?

2023-05-03 Thread Nick Howitt via Fail2ban-users
On 2023-05-03 10:02, Ben Coleman wrote: I just ran into a situation where I found my incoming groups.io emails getting blocked - the server would refuse connections from the groups.io email server. It turned out to be a combination of different blocking mechanisms, the Postfix RBL blocker, an

Re: [Fail2ban-users] Postfix: running a script on authentication failure

2023-06-22 Thread Nick Howitt via Fail2ban-users
On 2023-06-22 12:58, André Rodier via Fail2ban-users wrote: Hello, all. I just set up a new server, running postfix, with submission(s) activated on standard ports (587, 465). Shortly after it has been set up, I see brute force attacks (not surprising) from a whole /24 network (more surprising)

Re: [Fail2ban-users] Cleanup jails

2023-06-24 Thread Nick Howitt via Fail2ban-users
If you have a large amount of blocks, and this sounds like it, use ipset-based jails as they are way more efficient. If you want to ban subnets each time you get a block it is possible to create an action to ban a /24 subnet each time with a very slight modification to the default action (which

Re: [Fail2ban-users] Postfix: running a script on authentication failure

2023-06-25 Thread Nick Howitt via Fail2ban-users
On 25/06/2023 20:35, Tim Boneko via Fail2ban-users wrote: On Thursday, 22.06.2023 at 16:27 +0100, Nick Howitt via Fail2ban-users wrote: Don't allow authentication on 25! I second that. Port 25 is without encryption, so I don't offer auth there - only on 587. Apart from th

Re: [Fail2ban-users] Protection of customized services

2024-03-05 Thread Nick Howitt via Fail2ban-users
Why not just enable the nginx-http-auth config in jail.conf (using a jail.local, preferably)? On 05/03/2024 09:57, Jason Long via Fail2ban-users wrote: Hello, GitLab uses Nginx and PostgreSQL internally. I want to protect Nginx with Fail2Ban. The GitLab log directory contains the following fil

Re: [Fail2ban-users] Fail2ban V1.1.0 from Github - question Regex

2024-05-20 Thread Nick Howitt via Fail2ban-users
Surely you need a variable in that for f2b to work. Something like: NON-SMTP COMMAND from.\[\]:\d+ after CONNECT:.GET./.HTTP/1.1 Normally you'd also expect some sort of timestamp in the logs. On 20/05/2024 12:37, Maurizio Caloro via Fail2ban-users wrote: Thanks for your answer Please, after

Re: [Fail2ban-users] Fail2ban V1.1.0 from Github - question Regex

2024-05-20 Thread Nick Howitt via Fail2ban-users
rry I have not yet understood which editor I can use for sim, or is fail2ban a separate unic regex Interpreter? Thanks for update *From:* Nick Howitt via Fail2ban-users *Sent:* Monday, 20 May 2024 13:53 *To:* fail2ban-users@lists.sourceforge.net *Subject:* Re: [Fail

Re: [Fail2ban-users] Adding pattern to postfix filter

2024-06-01 Thread Nick Howitt via Fail2ban-users
On 01/06/2024 00:59, Alex wrote: Hi, > Ideally, I'd like to not have to modify that regexp and be able to > add my own, much like what appears to be happening with mdre-errors. You don't have to. Append your own rules in a new line and test your changed rule file with

Re: [Fail2ban-users] Adding pattern to postfix filter

2024-06-16 Thread Nick Howitt via Fail2ban-users
On 01/06/2024 09:29, Nick Howitt wrote: On 01/06/2024 00:59, Alex wrote: Hi, > Ideally, I'd like to not have to modify that regexp and be able to > add my own, much like what appears to be happening with mdre-errors. You don't have to. Append your own rules in a new line an

Re: [Fail2ban-users] Adding pattern to postfix filter

2024-06-16 Thread Nick Howitt via Fail2ban-users
On 16/06/2024 08:23, Nick Howitt via Fail2ban-users wrote: On 01/06/2024 09:29, Nick Howitt wrote: On 01/06/2024 00:59, Alex wrote: Hi, > Ideally, I'd like to not have to modify that regexp and be able to > add my own, much like what appears to be happening with 

Re: [Fail2ban-users] Adding pattern to postfix filter

2024-06-16 Thread Nick Howitt via Fail2ban-users
On 16/06/2024 09:33, Nick Howitt via Fail2ban-users wrote: On 16/06/2024 08:23, Nick Howitt via Fail2ban-users wrote: On 01/06/2024 09:29, Nick Howitt wrote: On 01/06/2024 00:59, Alex wrote: Hi, > Ideally, I'd like to not have to modify that regexp and be able to

Re: [Fail2ban-users] Adding pattern to postfix filter

2024-06-17 Thread Nick Howitt via Fail2ban-users
On 17/06/2024 01:46, Alex wrote: Hi, > BTW, I can't crack it for the moment. OK so this isn't going to be quite so neat. You need to add a line:     ^RCPT from [^[]*\[\]%(_port)s:? 550 5\.5\.1 Protocol error; to the mdre-normal section. Generally the recommended way is to

Re: [Fail2ban-users] journald jail config

2025-02-03 Thread Nick Howitt via Fail2ban-users
Have a look at how it is set up in the filters by default. Both CentOS and Debian installations use: journalmatch = _SYSTEMD_UNIT=postfix.service On 03/02/2025 21:50, John Hill wrote: example I use journalmatch='_SYSTEMD_UNIT=postfix@-.service' On 2/3/25 11:55 AM, Marco Moock wrote: He