Resolved How protect against invalid requests?

[Pleskie]

Hi guys,

When looking at my access_log I notice very much invalid requests, for example:

104.148.44.242 - - [09/Jun/2016:19:13:58 +0200] "CONNECT www.baidu.com:443 HTTP/1.1" 405 235 "-" "-"

or

208.115.113.91 - - [10/Jun/2016:01:36:04 +0200] "GET /index.php/Digital_Radio_Mondiale HTTP/1.1" 404 230 "-" "Mozilla/5.0 (compatible; DotBot/1.1; http://www.opensiteexplorer.org/dotbot, [email protected])"

Since the first IP address executes many of these strange requests, I decided (on advice of another member on this forum) to create a special firewall rule for bad IP addresses and added this IP address.

Now I wonder ... is there another way to protect my server against these invalid requests? Fail2Ban doesn't seem to notice them, so I can't ban them by using Fail2Ban. Should I even bother about these invalid requests? Or should I just accept that it happens?

What annoys me is that these requests 'pollute' my access_log. Is that something I should worry about, or is it just 'part of the game' and something I should learn to accept?

Any thoughts?

PS Like I said I will block some IP addresses by manually adding them to the Plesk firewall. I wonder though how many IP addresses I can add, before it causes a performance penalty. Will my server noticeably slow down when I add 10 IP addresses, or 100, or 1000 ???

 

[UFHH01]

Hi Pleskie,

pls. have a closer look at the Fail2Ban recidive jail and try to have a look at the Plesk documentation:

Fail2Ban Jails Management ( Plesk online documentation for Plesk 12.5 )

...

• recidive, for hosts repeatedly banned by Fail2Ban

...

...

• recidive looks for other jails' bans in Fail2Ban's own log. It blocks hosts that have received a ban from other jails five times in the last 10 minutes. The ban lasts a week and applies to all services on the server.

...

You can certainly modify the standard settings, so that recuring banned IPs will be banned for a month, for example - it's all your choice, how you configure the jail!
​

There is no need to manual add such IPs to your firewall configuration... it is veeeeeery time-investing and you will loose your nervs by inspecting your log - files each day.

Will my server noticeably slow down when I add 10 IP addresses, or 100, or 1000 ???

No.


Pls. consider as well to learn more about Fail2Ban and its jails - you will be suprised about possible configurations and additional jails. If you don't find enough information at the Plesk documents, consider to read the manual ( http://www.fail2ban.org/wiki/index.php/MANUAL_0_8 ) !

 

[Pleskie]

Thanks UFHH01

Manually adding IP addresses was a tip of another member. I do agree it's very time consuming. I already installed and configured Fail2Ban. Problem is that it doesn't detect all of the spam messages. For example ... the plesk-panel jail works just great! When someone tries to break in with password 'admin' he will get banned after a couple of times. And if he keeps trying he will end up in the recidive jail. So no problems here. But ... I have also plesk-postfix enabled, but for some reason the attacks in the maillog do not get noticed by Fail2Ban at all.

This for example doesn't trigger Fail2Ban. I don't know why :-(
My maillog contains a lot of these lines.

Jun 15 13:43:37 xxxxx postfix/smtpd[22666]: connect from 36-225-45-219.dynamic-ip.hinet.net[36.225.45.219]
Jun 15 13:43:38 xxxxx postfix/smtpd[22666]: NOQUEUE: reject: RCPT from 36-225-45-219.dynamic-ip.hinet.net[36.225.45.219]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<YYYYY>
Jun 15 13:43:38 xxxxx postfix/smtpd[22666]: lost connection after RCPT from 36-225-45-219.dynamic-ip.hinet.net[36.225.45.219]
Jun 15 13:43:38 xxxxx postfix/smtpd[22666]: disconnect from 36-225-45-219.dynamic-ip.hinet.net[36.225.45.219]

The part where it says "helo=<YYYYY>" the YYYYY is a substitute for my server IP address. Are they trying to use my server to send spam? And how do I block these attacks? Many of these lines contain the mail address "[email protected]" so I think it's the same source. What can I do about it?

 

[UFHH01]

Hi Pleskie,

you don't have to do something here ( regarding to your error - message ):

Jun 15 13:43:37 xxxxx postfix/smtpd[22666]: connect from 36-225-45-219.dynamic-ip.hinet.net[36.225.45.219]
Jun 15 13:43:38 xxxxx postfix/smtpd[22666]: NOQUEUE: reject: RCPT from 36-225-45-219.dynamic-ip.hinet.net[36.225.45.219]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<YYYYY>
Jun 15 13:43:38 xxxxx postfix/smtpd[22666]: lost connection after RCPT from 36-225-45-219.dynamic-ip.hinet.net[36.225.45.219]
Jun 15 13:43:38 xxxxx postfix/smtpd[22666]: disconnect from 36-225-45-219.dynamic-ip.hinet.net[36.225.45.219]

The possible spam-bot tried to use a relay action, which was denied and the whole procedure was of course logged.



You are still able to use an additional jail, as for example "/etc/fail2ban/filter.d/YOUR_NAME_FOR_SPAM-BOTS.conf":

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/(submission/)?smtp(d|s)

failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
            reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1
          
ignoreregex =

and add this additional jail in your "/etc/fail2ban/jail.local"- file, as for example at the end:

[YOUR_NAME_FOR_SPAM-BOTS]

enabled = true
action = iptables-multiport[name="YOUR_NAME_FOR_SPAM-BOTS", port="smtp,465,submission,imap3,imaps,pop3,pop3s"]

filter = YOUR_NAME_FOR_SPAM-BOTS
logpath = /var/log/maillog
findtime = 43200
bantime = 86400
maxretry = 5

... and afterwards, you restart Fail2Ban, so that your new jail is now used to ban spam-bots.

Returning spam-bots - IPs will be banned again by the "recidive" - jail.



I know it's all new to you, Pleskie, but pls. consider to actually READ the recommendations, so that you may learn how to use Fail2Ban effectively and with YOUR SPECIFIC MODIFICATIONS. Plesk provides only standard configurations, but YOU, as the server administrator, have to do the fine tuning!

 

[trialotto]

@Pleskie and @Everyone (and @UFHH01)

The answer posted by @UFHH01 is fine by itself, but as @UFHH01 indicated, specific modifications are required.

Anyone wanting to implement the settings from @UFHH01, please note the following:

a) first have a look at your maillog, before simply copying the "failregex" expressions: on every server, there is different output in the logs.

In general, these attacks seem to have started somewhere around 5th of june (2016), with no particular pattern in IPs (except that most of the IPs are Asean based).

One can therefore not rely on persistent log output: as the IPs differ and change, the output in the logs will change and, therefore, the "failregex" has to be changed accordingly.

b) some of the settings given by UFFH01 are not recommended:

- a bantime of 86400 equals 24 hours of banning: this is not enough in this case, choose at least a value of 604800 (or more), reducing the workload on Fail2Ban and your system
- a findtime of 43200 equals 12 hours of scanning: reduce this to 1800 or 3600, in order to allow Fail2Ban to actually ban some IPs every now and then
- a maxretry setting of 1 or 2 (for this specific "spambot" jail) is always better than 5 retries: these IPs should not even be allowed to retry (!)

and note that the above settings are adjusted to this particular type of attack: the attempts are using intervals of approximately 15 mins.

c) Fail2Ban is smart, not intelligent: every jail works alongside other jails, so it can occur that multiple jails are triggered by a certain action from an IP.

In the case that multiple filters, belonging to before mentioned multiple jails, are triggered, it can be even the case that Fail2Ban does "double work" or even leaves IPs "undetected".

The latter is a very rough representation of what actually happens in the Fail2Ban methodology, but the message is clear: keep Fail2Ban clear and efficient.

For instance, only changing the default findtime (via Plesk Panel) and/or the maxretry and bantime settings can increase performance, even without additional (custom) jails.


Hope the above illustrates and helps a little bit.

Regards.....

 

[UFHH01]

- a bantime of 86400 equals 24 hours of banning: this is not enough in this case, choose at least a value of 604800 (or more), reducing the workload on Fail2Ban and your system

sorry... but this is a rather thoughtless remark. For longer bans, we have the "recidive jail", which definetly should have ban-times longer than a month. There is absolutely no need to have longer bans than 24 hours for the other jails, especially not, when you think about dynamic IPs, which change every 24 hours. ( and no... I won't discuss that, because it's simply logical! ).


The "findtime" for 12 hours is an extra long setting for spam - bots, which come back on a regular basis ( mostly twice a day ) with thousands of different IPs ( often enough dynamic ones! ).

- a maxretry setting of 1 or 2 (for this specific "spambot" jail) is always better than 5 retries: these IPs should not even be allowed to retry (!)

Well sorry... but this is again a bit thoughtless.

For example:

550, "5.1.1" => The email account that you tried to reach does not exist. Please try double-checking the recipient's email address for typos or unnecessary spaces.

We don't want to punish customers for possible typos ( manual inserted passwords over webmail for example, are often enough affected, because you only see "." instead of your password. ) Setting the retry to a lower amount than 3, can and will result in an enormous amount of complaints from your cumstomers. 5 is a good amount, because people know these days from mobile phones, credit/bank cards, other password protected areas/systems, that inserting a false password more than 3 times, often results in a ban/blockade, so the choosen amount of 5 is even a bit nicer than the worldwide used allowed misentry of 3.

450, "4.7.1" => Client host rejected / Host not found.

Hostname lookups "can" sometimes result in false or no reply. We don't want to punish customers with a "too low retry setting", only because an IP could not been resolved to a FQDN. The customers could use a slow WLAN - Hotspot, or a low-bandwidth connection could be the reason, why the lookup wasn't successfull. Your cumstomers fully understand a ban/blockade after 5 attemps, but they won't understand a ban/blockade after 1 or 2 attempts!

554, "5.7.1" => Can be various reasons:

The most common 554 5.7.1 messages
554 5.7.1 : Client host rejected: Access denied
554 5.7.1 : Service unavailable; Client host X.X.X.X blocked using zen.spamhaus.org
554 5.7.1 : Relay access denied
554 5.7.1 : Recipient address rejected: Access denied
554 5.7.1 : Message cannot be accepted, rules rejection
554 5.7.1 : Message refused by Dictionary check
554 5.7.1 : Relay Access Denied for One Domain
554 5.7.1 : Message cannot be accepted, spam rejection
554 5.7.1 : Message refused by DNSBL check
554 5.7.1 : Sender address rejected: Access denied

We don't want to punish customers for possible temporary bans during the spam and blacklist check , when they use dynamic IPs and your mail - server configuration is setup to use several DNSBL providers. WLan - Hotspots and dynamic IPs are used all over the world and we don't pass the buck to our customers, while we try to defend the mail - server against spam ... again, setting the retry to a lower amount than 3, can and will result in an enormous amount of complaints from your cumstomers. 5 is a good amount, because people know these days from mobile phones, credit/bank cards, other password protected areas/systems, that inserting a false password more than 3 times, often results in a ban/blockade, so the choosen amount of 5 is even a bit nicer than the worldwide used allowed misentry of 3.​

And last:

454, "4.7.1" => Relay access denied.

We don't want to punish customers for possible lost connections, while using a possible relay option on your server. EMail - clients like Outlook for eample often "stutter", while communicating with a mail - server, which can result in incomplete verifications and again, setting the retry to a lower amount than 3, can and will result in an enormous amount of complaints from your cumstomers. 5 is a good amount, because people know these days from mobile phones, credit/bank cards, other password protected areas/systems, that inserting a false password more than 3 times, often results in a ban/blockade, so the choosen amount of 5 is even a bit nicer than the worldwide used allowed misentry of 3.

 

[Pleskie]

Thank you both! Interesting to see how 2 people can have such different opinions

One thing I didn't see mentioned about a bantime of 24 hours ... Personally I don't think that's a good idea because the recidive jail looks for recidive in a period of 24 hours. When we set a ban time to 24 hours, that IP address will never end up in the recidive jail.

Thanks for the nice explanation UFHH01 about how to set up an extra jail. I will certainly try that. Last question, do you know if there also exists a similar jail for invalid (non-existing) requests to for example 'admin' sections, wordpress, phpmyadmin and so on?

 

[Lloyd_mcse]

Have a look at the fail2ban project on GitHub, which has lots of "default" filters that get shipped with the standard package.
You can download it to your desktop, browse to C:\<your_git_dir>\fail2ban\config\filter.d and have a look

apache-nohome, apache-noscript, apache-fakegooglebot

And lots more already done for you. Most are already included with Plesk.

Anyway, I just thought I'd mention it.
Kind regards

Lloyd

 

[UFHH01]

Hi Pleskie,

PHPmyAdmin for example is already secured with the "plesk-panel" - jail ( if you don't change the standard configuration ). No need for an additional jail or modification here. If you would like additional "failregex" - filters, for what ever reason, just add them to fit your desires, according to your server and its logs.

Wordpress login - attempts are secured with the standard Plesk - jail "plesk-wordpress" - and again: If you would like additional "failregex" - filters, for what ever reason, just add them to fit your desires, according to your server and its logs.


Even that Lloyd_mcse already mentioned the Fail2Ban - Github link, you should have noticed that link, when reading: http://www.fail2ban.org/wiki/index.php/Main_Page ( you will as well be redirected to that URL, when you use the Base - URL : http://www.fail2ban.org )

 

[Pleskie]

Thanks both. Do my best to get a hold of it UFHH01 ;-)

I seem to be missing something ... I read that the max_retry counter is reset when the findtime expires. But is findtime also reset when an IP address gets banned?

An example:

Findtime = 30 minutes
Bantime = 10 minutes
Max-retry = 3

A hacker performs 3 hack-attempts in 5 minutes. He gets blocked for 10 minutes. So after 5 minutes he gets banned and after 15 minutes he is unbanned again. Findtime is 30 minutes, so there are 15 minutes left. What happens when the hacker tries to hack again in these 15 minutes? Does he get 3 new attempts? Or will he be banned on the first attempt?

 

[UFHH01]

Or will he be banned on the first attempt?

Actually, it's not his first attempt, because the 30 minutes find-time is not over yet. It's his 4th attempt and Fail2Ban will recognize that, as if it had been his 3rd attempt ( pls. have a closer look at your fail2ban - log. - increase the log - level for a more verbose output, so you can understand the Fail2Ban actions more easily ).

Quoted from jail.conf:

...
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
...

Example quote from fail2ban.conf:

...
[Definition]

# Option: loglevel
# Notes.: Set the log level output.
#         CRITICAL
#         ERROR
#         WARNING
#         NOTICE
#         INFO
#         DEBUG
# Values: [ LEVEL ]  Default: ERROR
#
loglevel = INFO
...

 

[Pleskie]

I understand ... this makes it actually quite difficult then to take proper action. You want a long findtime (a few hours) to block bots who try to hack for example once per hour. But then again ... when a valid user mistypes his password, after unbanning you want to give him 3 new attempts. However if he mistypes his password again the first time, he will get blocked immediately because the findtime has not yet expired.

The only way to solve this (I think) is to make the bantime longer than or equal to the findtime, which means that if you set findtime to 90 minutes, bantime should be 90 minutes as well. Or am i missing something?

 

[UFHH01]

Hi Pleskie,

as you already saw, I set up the bantime to half of the findtime, because I believe, that a human being is more carefully, than a script. It's a viewpoint, a knowledge of your server components + configurations and it's possible limits, paired with spammer-scripts - experience and longterm observations and common sense, which let's you decide how you setup your configuration(s) - there is no valid-for-all-possibilities solution.

 

[Pleskie]

Hi UFHH01

Yes I see, but I'm not getting it

If I by mistake make 5 mistakes I will be banned for 24 hours? Wow ... that's long. Customers will go mad if they can't use their mail for a day.
Besides that ... a ban of 24 hours will mean this IP address will never end up in recidive jail, because recidive jail has a find time of 1 day.

 

[trialotto]

@UFHH01

In this post you seem to want to go into detail.

Let´s do that, shall we?

First of all, in the before mentioned post, you created a section "For example" and continue to explain why specific codes are associated with specific cases.

In the explanation, you suggest that some of the cases should not automatically lead to rejection or banning.

You are right, for sure.

Since I did not want to start a discussion, I did not mention at first that your failregex is too strict, in the sense that specific codes should not be incorporated in failregex.

I simply do not want to bash an excellent hint for creating an additional jail that can partially (!) resolve these type of "attacks" (what is in a word?).

In essence, one can prevent false negatives (IPs are banned but shouldn´t be) by removing specific codes from the failregex (and not include them, as you proposed).

Second, the following

The "findtime" for 12 hours is an extra long setting for spam - bots, which come back on a regular basis ( mostly twice a day ) with thousands of different IPs ( often enough dynamic ones! ).

is, well, a bit thoughtless, a term that you yourself use.

Fail2Ban is not only using the findtime setting as the interval in which to count the number of attempts that match a filter.

In fact, Fail2Ban is also using the findtime as the interval after which ban actions are being executed.

For instance, a findtime of 10 minutes implies that IPs, matching a filter, are banned after the ten minutes have expired.

In short, having a 12 hour findtime will allow a time window of 12 hours for hack attempts.

That is really not recommended.

Third, the following

sorry... but this is a rather thoughtless remark. For longer bans, we have the "recidive jail", which definetly should have ban-times longer than a month. There is absolutely no need to have longer bans than 24 hours for the other jails, especially not, when you think about dynamic IPs, which change every 24 hours. ( and no... I won't discuss that, because it's simply logical! ).

is not correct, let´s call it thoughtless again.

In fact, the recidive jail does not work properly.

In the case of the current type of "attacks", Fail2Ban should ban them with the recidive jail, but does not.

This is the result of the other jails banning and unbanning specific bad IPs, due to the settings of maxretry, bantime and findtime.

A long story short, the recidive jail should block all current type of "attacks" but actually does not.

Have a look at the fail2ban log and investigate all mail related log entries and you will see what I am trying to say.

All of the above is closely related to my remark that all Fail2Ban jails are interrelated and that one should take care that they are aligned properly, to allow Fail2Ban to work efficiently.

Fourth, with respect to the last quote, I must emphasize the facts that

- it is not about dynamic IPs, most of the bad IPs in the current type of attacks are related to static IPs,
- the bad IPs do not change, there are lot of identical bad IPs across various (attacked) servers,
- the attacks are very likely to be associated with or caused by malware installed on "local PCs or Desktops", probably internet café´s (primarily in the Far East)

and you verify this by simply

a) leave the postfix or qmail jail disabled for a couple of hours, "grep" into the relevant logs to find the relevant IPs, "sort" all bad IPs in order to create an unique list: a pattern exists

b) ask "antivirus companies" for information or access the information provided by them, if you have access

Fifth, note that an unique list of bad IPs, associated with the current type of "attacks", does

1 - not show much variation with respect to IPs used by the "attackers" (read: no statistical significant variation, when compared to other types of attacks)
2 - show some problematic bad IPs (read: thousands of attempts per one unique bad IP)
3 - show a lot of bad IPs that are associated with 5 or less attempts (when having maxretry roughly at 3 to 4) or with 10 or less attempts (maxretry at Plesk default setting 5)

and, as such, evidence exists

- from point 3 that Fail2Ban does it´s job (properly) for most IPs
- from point 2 that Fail2Ban failregex for postfix (or qmail) jail is not properly configurated, some attempts "work around" the default Plesk filters for Fail2Ban
- from point 3 that Fail2Ban can improve it´s banning performance by fiddling with maxretry settings (lowering maxretry, even if the default findtime of 10 minutes is used)

and in addition, all of the above results significantly improve when

- using a different Fail2Ban failregex (not a custom, additional jail)
- using a longer findtime (with the improvements rapidly decreasing if the findtime becomes higher than 3600)

and these results are not simulated, but are a summary of what actually happens on a common, standard server.


Sixth, the final conclusion: everybody has to do what he or she wants.

This discussion is not worth it.

Regards.....

 

[trialotto]

@Lloyd_mcse,

This

Have a look at the fail2ban project on GitHub, which has lots of "default" filters that get shipped with the standard package.
You can download it to your desktop, browse to C:\<your_git_dir>\fail2ban\config\filter.d and have a look

apache-nohome, apache-noscript, apache-fakegooglebot

And lots more already done for you. Most are already included with Plesk.

Anyway, I just thought I'd mention it.
Kind regards

Lloyd

is an excellent tip, but Plesk users do have to be aware that some of the "proposed" Github filters, actions or jails (and even scripts) do not "play nicely" with Plesk´s default Fail2Ban.

It can do no harm to mention that, in the hope that Plesk users are prompted/tempted to test custom actions, filters and jails first.

Anyway, me like the post......hence the like.

Ciao!

 

[UFHH01]

Hi Pleskie,

I wonder why you ask questions about the Fail2Ban configuration, if you could inform yourself by READING the documentation, but o.k.....


First of all, pls be informed, that Fail2Ban - jails have it's very own JAIL ( = chain ) at iptables. Pls. use the command "iptables -L" on the command line, to list all defined chains and settings.

Second, pls. be informed, that Fail2Ban - jails are configured to search for defined rules ( matching failregex - expressions ) at locations ( = logs/logpaths ), which are setup at "jail.conf", "jail.local" and/or "jail.d/*.conf", with defined name, protocol(s), port(s), action(s), filter(s), findtime, bantime, maxretry settings and last: enable status ( true/false ).

If ( essential ) specific jail - settings are missing, global configuration settings from "jail.conf" will be used.​

Standard essential settings examples:

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

Standard JAIL examples:

[recidive]


enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

Now, let's assume, that a failregex - expression matches log - entries for the jail "plesk-postfix" at the defined jail - log - file "/var/log/maillog" for 5 times,

Standard Plesk example for Ubuntu - based systems:

[plesk-postfix]

enabled  = true
action   = iptables-multiport[name="plesk-postfix", port="smtp,smtps,submission"]
filter   = postfix-sasl
logpath  = /var/log/maillog
maxretry = 3

at the log - times 08:00 a.m., 08:01 a.m. + 08:02 a.m., then the defined action will be triggered for the 4th failregex - expression - match for the very same IP at 08:04 a.m.
The action "iptables-multiport[name="plesk-postfix", port="smtp,smtps,submission"]" is defined and therefore an iptables ban is set at the iptables chain "f2b-plesk-postfix" ( pls. see the action definitions at "etc/fail2ban/action.d/*.conf" ).
Due to the case, that NO jail-specific findtime and bandtime is set, the global definitions are used ( 600 seconds/600 seconds )
=> Ban input at "08:04 a.m.". Ban remove at "08:14 a.m."


Let's assume further, that the IP - user has another failregex - expression - match attempt at "08:15 a.m. + 08:16 a.m.", Fail2Ban will notice that ( writing the FOUND as well to the "fail2ban.log" ) and the "recidive" - jail - action will be triggered.
=> Ban input inside the chain "f2b-recidive" at "08:16 a.m.". Ban remove at "ONE WEEK LATER" ( 604800 seconds after "08:16 a.m." ).



EACH FOUND of a failregex - expression - match from the used jails is written to the "fail2ban.log", as well as the BAN/UNBAN actions, that's why the "recidive" - jail is one of the most effective jails for Fail2Ban, protecting your server against returning spammer/intruder/hacker... . Yes! It might be the case that "forgetful" customers, who for example continue using wrong passwords, even that they already suffered from bans, can cause a higher customer support time, but from my point of view and my personel longterm experience, these customers are rather rare and the server security and spam - protection for all customers on a server is worth the additional time investment for them. Last but not least, you could as well inform yourself about the "ignoreregex" - setting - possibilties in each jail configuration, which leaves space to ignore defined expressions, for stubborn customers, reluctant to follow the friendly support and its help, descriptions and solutions.


For further informations, pls., pls. pls. READ the already provided documentations/links.




@trialotto: You don't seem to understand the words "and no... I won't discuss that"... well.... sorry that you don't respect personal wishes.

 

[trialotto]

@UFHH01

Your quote

@trialotto: You don't seem to understand the words "and no... I won't discuss that"... well.... sorry that you don't respect personal wishes.

can be larger, do not hide personal opinions.

With respect to the content of your quote: as I stated, the discussion is not worth it.

However, it is not meaningful to give advice based upon alleged facts (that are not facts at all) and hints that will effectively not work.

The above applies to both you, me and everyone on the forum. Let´s be honest.

And, when we are honest, nice that you put essentially the Fail2Ban documentation in a nutshell on this forum, but it is a Plesk forum.

The biggest danger of a forum is that a good question is leading to a wrong answer or that a wrong question gets responded with a good answer.

In the current topic thread "How protect against invalid requests", the before mentioned danger has manifestated itself and has been leading to a discussion of Fail2Ban.

Even though the discussion of Fail2Ban takes all turns possible (which makes it hard to read for a noviche), it is excellent (at least for those having some knowledge about Fail2Ban).

Nevertheless, some things are impractical.

For instance, consider all Fail2Ban related examples on the internet that, when applied to Plesk´s Fail2Ban, will break the proper functioning of Fail2Ban.

I do not think that we should contribute to that.

Moreover, when returning to the actual question "how to protect .... ", one has to be surprised why nobody of the Plesk Experts or Guru´s did think of Nginx.

Nginx as a reverse proxy is THE tool to prevent attacks from IPs that are not firewalled yet.

I have mentioned a big failure in Fail2Ban design structure many times: Fail2Ban scans logs and will hence only act upon attempts, after traffic related to the attempts has been present and logged, into log files that are monitored by Fail2Ban.

Simply stated, Fail2Ban is too late AND Fail2Ban does not act, if relevant logs are not monitored.

Nginx is the first frontier, after the firewall.

In short, if malicious traffic passes the firewall (for instance, because bad IPs are not firewalled), one should take care that Nginx is the next barrier for malicious traffic.

If you ask me personally, if three Plesk Experts or Guru´s are stumbling over each others responses, nobody will have time to think about the alternatives.

Really, Nginx is a serious alternative.

And then we enter a second problem, being that the default Nginx shipped with Plesk is not prepared for this task: the appropriate modules are missing.

Nevertheless, it is always possible to work with Nginx, for example via Perl scripts or even Python scripts (yes, the scripts of Fail2Ban can also be run with some hefty coding).

But why are we talking about this?

Ah, yes, the original topic thread.

Let´s focus on that, shall we?

So: "How to protect against malicious traffic?"

Well, Fail2Ban is not an option, it will always allow traffic, that is the DESIGN: act AFTER traffic from specific IPs OCCURS and is LOGGED, with the log entry matching a filter.

If we are answering a question, it is not wise to give a solution for a question that essentially requires an answer to block malicious traffic from entering the server.

A real answer to the current question is: use the firewall (or Nginx).

An alternative question is: what if I want to block malicious traffic, after malicious traffic has occurred and has been logged?

Well, this alternative question can be answered by this entire topic thread.

So, let´s mark the current question and alternative question as resolved, since I still have to stress that the discussion is not worth it.

Regards....

 

[Pleskie]

Woohaaaa ... catfight!!

@UFHH01

>> ... at the log - times 08:00 a.m., 08:01 a.m. + 08:02 a.m., then the defined action will be triggered for the 4th failregex - expression ...

Are you sure about this? The manual (yes I read ) says "sets the number of failures <RETRY> before banning the host for <JAIL>". This would mean that if maxretry is 3 that the ban will not be triggered for the 4th failregex-expression (as you say), but immediately AFTER the 3rd failregex-expression. So three times wrong is a ban. Please correct me if I'm wrong.

Your previous explanation and the examples on github should help me out a lot, so I will certainly look into that.

There is one thing that still bothers me though. I would like a client to be able to make mistakes, for example when logging in to his e-mail.

What I would like is (for example) this.

- 3 invalid logins: banned for 30 minutes
- again 3 invalid logins on that same day: banned for another 30 minutes
- again 3 invalid logins on that same day: banned for a couple of weeks (recidive)

So a client tries to login 3 times. This goes wrong because he forgot his password. He has to wait 30 minutes. He tries again ... and again it goes wrong (you stupid client ) ... again he has to wait 30 minutes. Alright, last chance buddy ... if you screw up again, you will be banned for a couple of weeks (recidive). This seems like a fair policy.

There is however a problem. To be able to "catch" the bad-bots, I would need quite a long findtime since these evil bad-bots sometimes only do one attempt each 90 minutes. So findtime has to be for example 2 hours. Now here's the problem. Let's go back to the same scenario again of this silly client who forgot his password.

- 3 invalid logins: banned for 30 minutes
- 1 invalid login after that 30 minutes and the client will immediately get banned because the findtime is still active
- another invalid login after 30 minutes will get the client banned for several weeks (recidive)

So in the first example the client gets 3 times 3 login attempts (which I like). However in the 2nd example, because of the longer findtime, the client gets only 5 login attempts (3, 1, 1). I like the first example, but is there a way to combine this with a long findtime? So what I would actually like to see, is that maxretry and findtime get reset whenever someone gets banned. So when he gets unbanned, he will get 3 new attempts. But I assume that is not possible?

 

[UFHH01]

Hi Pleskie,

So three times wrong is a ban. Please correct me if I'm wrong.

Fail2Ban is a log - file PARSER, so actions are triggered, after the defined log - file has been parsed - if you didn't like my EXAMPLES, pls. consider to wait for other people, willing to take the time, trying to explain the unique procedures, I personally think, that they show in an accurate way, what happens.

So what I would actually like to see, is that maxretry and findtime get reset whenever someone gets banned.

Well, the combination of xxx-jail and recidive-jail doesn't work this way. If you found a way of configuration for your desire, pls. don't hesitate to post it to the forums, so that other users may profit.