
Resolved: How to protect against invalid requests?

>> if you didn't like my EXAMPLES ...

What makes you think that? o_O

It's not that I don't like your examples. On the contrary ... I'm trying to learn from them. I was just asking you a question and I'm not here to criticize you.

You say: if maxretry is 3, someone can enter 3 invalid passwords and will be blocked when he tries for the 4th time (4th entry in the log). I was thinking that with 3 invalid passwords in the log he will be banned, because the manual says "sets the number of failures <RETRY> before banning the host for <JAIL>". So, please tell me if I'm wrong.
 
Hi Pleskie,
"sets the number of failures <RETRY> before banning the host for <JAIL>".
Documentation, examples, ... often leave room for interpretation, and mine is that the documentation states clearly that after the 1st, 2nd and 3rd, the next retry is what triggers the ban, because otherwise the documentation should state that the 3rd retry equals the trigger.
 
Hi UFHH01,

>> Documentations, examples, ... have often space to interpretations and mine is ...

No problem ... but your interpretation is incorrect. ;)
Maxretry 3 means that after 3 invalid attempts (in the log file) the IP address is banned. So yes, the 3rd time indeed triggers the ban, not the 4th retry.
 
Guys,

Just have a look into the Fail2Ban source code and see how the scripts are designed to work, that will clarify everything.

In addition, have a look at known Fail2Ban bugs, since source code apparently does not always behave as intended.

Again, I must emphasize that the discussion is not worth it.

Regards
 
@trialotto

>> Again, I must emphasize that the discussion is not worth it.

The discussion about who's wrong or right is not worth it. I totally agree. But it IS good to know how this program works. Also for other members. There is a difference between getting banned after 3 times or on the 4th time. To be clear: maxretry 3 means getting banned after 3 times.

Still, I'm wondering if anyone can (or cannot) answer my previous question. Is it possible to use a longer findtime and have maxretry and findtime reset after an IP address gets unbanned?
 
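The maxretry / findtime behaviour argued over above, worked through as a small simulation. This is an added example, not Fail2Ban's own code and not from any poster in this thread. It models the three rules a practitioner needs: a failure only counts if it falls within findtime of the previous one for that host (otherwise the count restarts at 1), the ban fires as soon as the count reaches maxretry (this follows the `>=` comparison in Fail2Ban's FailManager, which is why maxretry = 3 bans on the 3rd failure), and a ban clears the host's failure record, so after bantime the host starts again from zero. The window handling is simplified relative to the real code, and hosts, networks and timestamps are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class JailSim:
    """Toy model of one Fail2Ban jail's failure counter (added example, not
    Fail2Ban's code).  Times are plain seconds so the windows are easy to follow.
    """
    maxretry: int = 3
    findtime: int = 600
    bantime: int = 3600
    ignoreip: tuple = ()                          # networks that are never counted
    _fail: dict = field(default_factory=dict)     # host -> (count, time of last failure)
    _ban: dict = field(default_factory=dict)      # host -> time the ban expires
    events: list = field(default_factory=list)    # (time, "ban"|"unban", host)

    def is_banned(self, host, now):
        """True while a ban is active; expiring it is the unban."""
        until = self._ban.get(host)
        if until is None:
            return False
        if now >= until:
            del self._ban[host]                   # bantime over: unban, counter is already clear
            self.events.append((now, "unban", host))
            return False
        return True

    def failure(self, host, now):
        """Record one failed attempt; return True if this attempt triggers a ban."""
        addr = ipaddress.ip_address(host)
        if any(addr in ipaddress.ip_network(n, strict=False) for n in self.ignoreip):
            return False                          # ignoreip: never counted, never banned
        if self.is_banned(host, now):
            return False                          # already banned: nothing more to count
        count, last = self._fail.get(host, (0, None))
        if last is not None and now - last > self.findtime:
            count = 0                             # outside findtime: start over
        count += 1
        self._fail[host] = (count, now)
        if count >= self.maxretry:                # reached maxretry: ban now (3rd failure for maxretry=3)
            del self._fail[host]                  # the ban clears the failures that caused it
            self._ban[host] = now + self.bantime
            self.events.append((now, "ban", host))
            return True
        return False


def demo_three_failures():
    """maxretry = 3, three failures 10 s apart: the 3rd one bans, not a 4th."""
    jail = JailSim(maxretry=3, findtime=600, bantime=3600)
    return [jail.failure("203.0.113.5", t) for t in (0, 10, 20)]   # constructed host/times


if __name__ == "__main__":
    print("ban on each attempt:", demo_three_failures())
    jail = JailSim(maxretry=3, findtime=600, bantime=3600)
    # 2 failures, a gap longer than findtime, then 3 more: only the last run bans
    for t in (0, 10, 700, 710, 720):
        print(t, jail.failure("203.0.113.5", t))
    # after bantime the host is unbanned and its count starts from zero again
    for t in (4320, 4330, 4340):
        print(t, jail.failure("203.0.113.5", t))
    print(jail.events)
```

The second and third loops answer the findtime/unban question directly: a gap longer than findtime restarts the count, and because the ban deletes the failure record, the host needs a fresh maxretry failures after it is unbanned before it is banned again.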
Hi Pleskie,

you don't have to do anything here (regarding your error message):

The possible spam-bot tried to use a relay action, which was denied, and the whole procedure was of course logged.

You are still able to use an additional jail, as for example "/etc/fail2ban/filter.d/YOUR_NAME_FOR_SPAM-BOTS.conf":
Code:
[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/(submission/)?smtp(d|s)

failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
            reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1
ignoreregex =

and add this additional jail in your "/etc/fail2ban/jail.local"- file, as for example at the end:
Code:
[YOUR_NAME_FOR_SPAM-BOTS]

enabled = true
action = iptables-multiport[name="YOUR_NAME_FOR_SPAM-BOTS", port="smtp,465,submission,imap3,imaps,pop3,pop3s"]

filter = YOUR_NAME_FOR_SPAM-BOTS
logpath = /var/log/maillog
findtime = 43200
bantime = 86400
maxretry = 5

... and afterwards, you restart Fail2Ban, so that your new jail is now used to ban spam-bots.

Returning spam-bot IPs will be banned again by the "recidive" jail. :p

I know it's all new to you, Pleskie, but please consider actually READING the recommendations, so that you may learn how to use Fail2Ban effectively and with YOUR SPECIFIC MODIFICATIONS. Plesk provides only standard configurations, but YOU, as the server administrator, have to do the fine tuning! ;)

@UFHH01 Thank you very much for this trick!

I think it is working correctly, but I have one small problem.

In the Jail I can see the IP of my server.

I deleted it because I thought it was a problem, but after some minutes it was there again.

What does this mean? Should I put my server's IP to whitelist or something is happening to my server and should I check it?

Thank you very much in advance!
 
Hi Andrew_Pa,

>> What does this mean? Should I put my server's IP to whitelist ...

This is the FIRST thing you should do, BEFORE the first start of Fail2Ban (as well as inspecting possible other additional settings, which might be useful and unique in your "fail2ban.conf", "jail.conf" and (optional) "jail.local"). ;)
 
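To see what the posted filter actually catches, and how whitelisting the server's own address keeps it out of the jail, here is an added example that is not part of the original thread and not Fail2Ban's code: it runs the four failregex lines from the filter above over constructed maillog lines in plain Python. Two simplifications to keep in mind: `<HOST>` is replaced by a simple host pattern (Fail2Ban's real expansion is wider, and Fail2Ban also prefixes its date pattern to every failregex), and the whitelist is applied by hand here, whereas in Fail2Ban it is the `ignoreip` option of the jail in jail.local, not part of the filter. The log lines are constructed for the example and use documentation addresses.

```python
import ipaddress
import re

# The four failregex lines from the filter posted above, verbatim.
FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1",
]

# Stand-in for Fail2Ban's <HOST> expansion.  Assumption: simplified; Fail2Ban's
# real pattern is broader and it also prepends its datepattern to each failregex.
HOST_RE = r"(?P<host>[\w\-.:]+)"
COMPILED = [re.compile(rx.replace("<HOST>", HOST_RE)) for rx in FAILREGEX]

# Constructed maillog lines for the example (not taken from a real server).
LOG = [
    "Jan 10 12:00:01 mail postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
    "550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient "
    "table; from=<x@example.net> to=<nobody@example.com> proto=ESMTP helo=<example.net>",
    "Jan 10 12:00:02 mail postfix/smtpd[2345]: connect from mail.example.org[198.51.100.20]",
    "Jan 10 12:00:03 mail postfix/smtpd[2345]: NOQUEUE: reject: RCPT from spam.example.net[203.0.113.9]: "
    "554 5.7.1 <user@example.com>: Relay access denied; from=<a@b.example> to=<user@example.com> "
    "proto=ESMTP helo=<spam.example.net>",
    "Jan 10 12:00:04 mail postfix/smtpd[2345]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: "
    "450 4.7.1 <user@example.com>: Recipient address rejected: Greylisted; "
    "from=<cron@mail.example.com> to=<user@example.com> proto=ESMTP helo=<mail>",
    "Jan 10 12:00:05 mail postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
    "450 4.7.1 Client host rejected: cannot find your reverse hostname, [203.0.113.5]; "
    "from=<y@example.net> to=<user@example.com> proto=ESMTP helo=<x>",
]


def extract_host(line):
    """Return the <HOST> captured by the first failregex that matches, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def count_failures(lines, ignoreip=()):
    """Count matching lines per host, skipping hosts inside any ignoreip network.

    ignoreip is a tuple of networks/addresses, e.g. ("127.0.0.0/8", "203.0.113.1");
    this mimics the jail-level ignoreip option, applied here by hand.
    """
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    counts = {}
    for line in lines:
        host = extract_host(line)
        if host is None:
            continue                     # not a rejected RCPT: nothing to count
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None                  # a hostname rather than an IP literal
        if addr is not None and any(addr in net for net in ignored):
            continue                     # whitelisted: never counted, never banned
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    print("without ignoreip:", count_failures(LOG))
    print("with ignoreip:   ", count_failures(LOG, ignoreip=("127.0.0.0/8",)))
```

The fourth constructed line shows why a server can end up in its own jail: a locally generated message rejected by the local Postfix produces exactly the kind of line the filter matches, with the server's own address in the `<HOST>` position, and only `ignoreip` keeps it from being counted. On a real server the equivalent check is `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/YOUR_NAME_FOR_SPAM-BOTS.conf`, which prints which lines matched and the hosts it extracted.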
I added the IP to the trusted list and we are now waiting for the magic.

I thought that attackers could use my server IP for doing stuff, that is why I asked!

Thank you so much for your quick reply @UFHH01 !
 