
Resolved: How to protect against invalid requests?

>> if you didn't like my EXAMPLES ...

What makes you think that? o_O

It's not that I don't like your examples. On the contrary ... I'm trying to learn from them. I was just asking you a question and I'm not here to criticize you.

You say: if maxretry is 3, someone can enter 3 invalid passwords and will be blocked when he tries for the 4th time (4th entry in the log). I was thinking that with 3 invalid passwords in the log he will be banned, because the manual says "sets the number of failures <RETRY> before banning the host for <JAIL>". So, please tell me if I'm wrong.
 
Hi Pleskie,
"sets the number of failures <RETRY> before banning the host for <JAIL>".
Documentation, examples, ... often leave room for interpretation, and mine is that the documentation states clearly that after the 1st, 2nd and 3rd, the next retry triggers the ban, because otherwise the documentation should state that the 3rd retry equals the trigger.
 
Hi UFHH01,

>> Documentations, examples, ... have often space to interpretations and mine is ...

No problem ... but your interpretation is incorrect. ;)
Maxretry 3 means that after 3 invalid attempts (in the log file) the IP address is banned. So yes, the 3rd time indeed triggers the ban, not the 4th retry.
 
Guys,

Just have a look into the Fail2Ban source code and see how the scripts are designed to work, that will clarify everything.

In addition, have a look at known Fail2Ban bugs, since the source code apparently does not always behave as intended.

Again, I must emphasize that the discussion is not worth it.

Regards
 
@trialotto

>> Again, I must emphasize that the discussion is not worth it.

The discussion about who's wrong or right is not worth it. I totally agree. But it IS good to know how this program works. Also for other members. There is a difference between getting banned after 3 times or on the 4th time. To be clear: maxretry 3 means getting banned after 3 times.

Still I'm wondering if anyone can (or not) answer my previous question. Is it possible to use a longer findtime and have maxretry and findtime reset after an IP address gets unbanned?
 
Hi Pleskie,

you don't have to do anything here (regarding your error message):

The possible spam-bot tried to use a relay action, which was denied and the whole procedure was of course logged.

You are still able to use an additional jail, as for example "/etc/fail2ban/filter.d/YOUR_NAME_FOR_SPAM-BOTS.conf":
Code:
[INCLUDES]

# pull in the shared definitions that ship with Fail2Ban
before = common.conf

[Definition]

# the Postfix daemons whose log lines this filter inspects
_daemon = postfix/(submission/)?smtp(d|s)

# one pattern per rejected RCPT command; Fail2Ban replaces <HOST> with its IP/hostname pattern
failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
            reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1

# nothing is excluded from the matches above
ignoreregex =

and add this additional jail in your "/etc/fail2ban/jail.local"- file, as for example at the end:
Code:
[YOUR_NAME_FOR_SPAM-BOTS]

enabled = true
# ban the offending IP on all mail-related ports, not only the one it hit
action = iptables-multiport[name="YOUR_NAME_FOR_SPAM-BOTS", port="smtp,465,submission,imap3,imaps,pop3,pop3s"]

# name of the filter file created above (without the .conf suffix)
filter = YOUR_NAME_FOR_SPAM-BOTS
logpath = /var/log/maillog
# findtime: 12-hour window in which the matches are counted
findtime = 43200
# bantime: ban lasts 24 hours
bantime = 86400
# maxretry: the 5th match inside findtime triggers the ban
maxretry = 5

... and afterwards, you restart Fail2Ban, so that your new jail is now used to ban spam-bots.

Returning spam-bots - IPs will be banned again by the "recidive" - jail. :p
I know it's all new to you, Pleskie, but pls. consider to actually READ the recommendations, so that you may learn how to use Fail2Ban effectively and with YOUR SPECIFIC MODIFICATIONS. Plesk provides only standard configurations, but YOU, as the server administrator, have to do the fine tuning! ;)
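To make the counting behind the jail above concrete, here is an added example (not part of the thread or of Fail2Ban itself) that replays the filter's four failregex lines over a constructed maillog excerpt with the jail's findtime and maxretry. The <HOST> expansion (IPv4 only), the assumed year for syslog timestamps, the helper names and the sample lines with RFC 5737 test addresses are all assumptions made here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The four failregex lines of the filter above. Fail2Ban expands <HOST> itself;
# here it is replaced by a named group (IPv4 only, an assumption) to run alone.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1",
)]

def match_host(line):
    # return the offending IP if any failregex matches the line, else None
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def parse_ts(line, year=2024):
    # syslog timestamps carry no year; one is assumed so they can be compared
    return datetime.strptime(f"{line[:15]} {year}", "%b %d %H:%M:%S %Y")

def scan(lines, findtime=43200, maxretry=5):
    """Replay log lines the way the jail counts them: a host is banned on the
    failure that brings its count inside `findtime` up to `maxretry`."""
    recent, banned = defaultdict(deque), {}
    for line in lines:
        host = match_host(line)
        if host is None:
            continue
        ts, q = parse_ts(line), recent[host]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=findtime):  # forget stale failures
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned[host] = ts
    return banned

def reject(ts, ip, code="554 5.7.1"):
    # constructed /var/log/maillog line in Postfix's format (RFC 5737 test IPs)
    return (f"{ts} mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: {code} <a@example.org>: Relay access denied")

LOG = [reject(f"Mar 13 10:0{i}:00", "203.0.113.5") for i in range(5)]  # 5 in 5 min
LOG += [reject(f"Mar 13 11:0{i}:00", "198.51.100.7", "450 4.7.1") for i in range(4)]
LOG += [reject(f"Mar 1{d} 08:00:00", "192.0.2.9") for d in range(3, 8)]  # a day apart
LOG.append("Mar 13 12:00:00 mx postfix/smtpd[101]: connect from unknown[203.0.113.99]")
```

Running `scan(LOG)` bans only 203.0.113.5 (its 5th rejection at 10:04 triggers the ban); 198.51.100.7 stops at 4 matches and 192.0.2.9 never has 5 matches inside the 12-hour window, which is exactly the difference between maxretry and findtime discussed above.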

@UFHH01 Thank you very much for this trick!

I think it is working correctly, but I have one small problem.

In the Jail I can see the IP of my server.

Deleted because I thought it was a problem but after some minutes it was there again.

What does this mean? Should I put my server's IP to whitelist or something is happening to my server and should I check it?

Thank you very much in advance!
 
Hi Andrew_Pa,

What does this mean? Should I put my server's IP to whitelist ...

This is the FIRST thing you should do, BEFORE the first start of Fail2Ban (as well as inspecting other additional settings, which might be useful and unique in your "fail2ban.conf", "jail.conf" and (optional) "jail.local"). ;)
 
I added the IP to the trusted list and we are waiting now for the magic.

I thought that attackers can use my server IP for doing stuff, this is why I asked!

Thank you so much for your quick reply @UFHH01 !
 