
Input fail2ban - Add Details (Login Name)

futureweb

Regular Pleskian
Hey there,
often large Companies with lots of Workstations are getting blocked because 1 Client in their Office is trying to log in with a wrong Password (imap/pop/smtp) - then the whole Office of them is getting blocked and the search which PC/which User is causing the block starts ...
It would help big time if one got a reference which Login Name / Username caused the block as additional Info next to the IP ...
Won't help on Brute Force Attacks where the Username changes ... but on this Scenario it would be a big Timesaver ...
Andreas Schnederle-Wagner

ps) if you like this Idea - please upvote my Feature Request: fail2ban - Add Details (Login Name)
 
This would be great, but I don't think it's actually possible with Fail2Ban. I've tried to modify jail actions so that the offending log file is sent with the action alert, but even that has proven to be very difficult. Fail2Ban is not "aware" of any username that caused the ban, it only "knows" about the line in a log file that matches a filter.
 
Hey there,
often large Companies with lots of Workstations are getting blocked because 1 Client in their Office is trying to log in with a wrong Password (imap/pop/smtp)
Just for my understanding, you are talking about larger companies/offices, don't they have fixed IPs that you can whitelist in fail2ban? Maybe you can convince these large companies/offices to do this...
 
You could always grep the mail log to find which user caused it...
Since normal Support Staff have no access to the Logs or SSH where they could execute a GREP ... this requires a Server Admin every time such a Ban occurs .... what you suggest is exactly what we want to avoid ...

Just for my understanding, you are talking about larger companies/offices, don't they have fixed IPs that you can whitelist in fail2ban? Maybe you can convince these large companies/offices to do this...
Some have static IPs, others not ... but even with Small Companies the Search for the Problem gets time consuming .... since BYOD ... 10 PCs, 10 Smartphones, a few Tablets, ...
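
The grep suggested above, written out as an added example that is not part of the thread: it groups failed mail logins by client IP and login name, so the name behind a ban can be read off without scanning the log by hand. The sample lines are constructed and only modelled on Dovecot, Courier-IMAP and Postfix messages; the function names and regexes are assumptions to adapt to the formats your server actually writes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from a real server); real formats vary by
# daemon version and configuration.
SAMPLE_LOG = """\
May  3 10:15:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, TLS
May  3 10:15:09 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1
May  3 10:15:30 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, TLS
May  3 10:16:02 mail courier-imapd: LOGIN FAILED, user=carol@example.com, ip=[::ffff:198.51.100.20]
May  3 10:16:40 mail postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
"""

PATTERNS = [
    # Dovecot-style: only lines flagged "auth failed", so successful logins are skipped.
    re.compile(r"auth failed.*?user=<(?P<user>[^>]*)>.*?\brip=(?P<ip>[0-9A-Fa-f:.]+)"),
    # Courier-style: IPv4 clients may appear as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    re.compile(r"LOGIN FAILED, user=(?P<user>[^,\s]+), ip=\[(?:::ffff:)?(?P<ip>[0-9A-Fa-f:.]+)\]"),
    # Postfix-style SASL failure: the line carries the client IP but no login name.
    re.compile(r"\[(?P<ip>[0-9A-Fa-f:.]+)\]: SASL \S+ authentication failed"),
]

def failed_logins_by_ip(lines):
    """Return {ip: Counter({login_name: failures})} for auth-failure lines."""
    result = defaultdict(Counter)
    for line in lines:
        for pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                # Lines without a login name are still counted for the IP.
                user = m.groupdict().get("user") or "(not logged)"
                result[m.group("ip")][user] += 1
                break
    return dict(result)

def report(ip, lines):
    """One 'ip login_name failures' row per login name, most failures first."""
    counts = failed_logins_by_ip(lines).get(ip, Counter())
    return [f"{ip} {user} {n}" for user, n in counts.most_common()]

if __name__ == "__main__":
    for row in report("203.0.113.7", SAMPLE_LOG.splitlines()):
        print(row)
```

The output contains login names and IP addresses, so who may run it or see its results falls under the same access and data-protection considerations as the log itself.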
 
Why search for the device? Just whitelist the IP. The user with the affected device will open their mouth soon enough.
 
Unless we're talking about Dialup, I've yet to see a DHCP lease not last long enough to where you would be able to figure out an issue like this :p
 
It's not about the time how long the lease is - it's about double/triple/quadruple work for Support Team ... IP unban/whitelist ... tell customer he should inform one when they found the problem so we can remove the whitelisting ... of course customer won't notify you as they forget ... a few days later they get a new dynamic IP ... which then again gets blocked because they haven't searched/found the problem as everything worked with the whitelisting and so on and on and on ...
@Mark Muyskens I doubt you have much to do with end users ... right? o_O
 
Oh I deal with them daily, trust me. But when you have root access to all your boxes, it's not really an issue for me :)
 
But when you have root access to all your boxes, it's not really an issue for me :)
haha ... that's exactly what I try to avoid - cause I'm one of those who have root ... I want Support Staff to be able to handle such everyday issues by themselves without the aid of a Server Admin ... so Server Admins can focus on the important things instead of grepping xxxxx Logs for Support ... ;)
 
How about a Plesk Extension that can grep logs? That's something I could actually imagine happening.
 
How about a Plesk Extension that can grep logs? That's something I could actually imagine happening.
Could maybe help (even I already know - some Supporters would stare at the Logs as if they are written in ancient Egyptian ...) ... mhhh ... but I'm not sure if it's ok from a legal point of view with GDPR in place next month ... all not that easy here in the EU ... :mad:
Will check that way though! ;-)
 
Just a note that our Juggernaut Firewall extension solves a lot of this:

1. Admins can optionally enable reCaptcha unblock on the firewall block page so that real users can unban themselves by entering in a reCaptcha without calling you.
2. The login failure daemon supports ignoring rDNS entries so companies can sign up for free DYNDNS (even if they have non-static IPs) and you can add them so they never get banned.
3. For servers that have a lot of domains you can even whitelist certain countries from getting banned by the login failure daemon.

Let me know if you have any questions.
 