Facebook
Twitter
I want to make my recidive efficient in a way i could ban returning hackers which try to bruteforce postfix.
I observe that hackers have thousands of servers over the whole world so thinking of a way to ban most of them, so maybe i could use fail2ban + geoIP and ban half of the world (but i did not found any solution to implement banning that way in plesk), so such logic is not bad if you have clients that reside in 3-5 countries and you allow smtp auth to that countries and deny all other., but to the topic...
I was configuring recidive, postfix, dovecot jails and changed some fail2ban logrotate periods, but i could not find some info that is important to understand logic behind fail2ban, please let me to understand:
1. Recivide jail takes IP from fail2ban.log, so if i set recidive to block IP for 60 days
a: I would need to extend fail2ban.log, so log will not rotate for 60 days, right ?, as default log rotates each week and there will be 7 compressed logs. I have changed now to rotate monthly with 12 rotates.
b: So i assume that fail2ban check only first log, not the rotated gz logs, right ?
2. If i set recidive jail to block IP after 2 failures - It means: before recidive would block IP - that IP need to be banned two times in different jail/jails, is that right ?
3. Postfix jail - If i set postfix jail to block IP for 15 days, how that will influence recidive jail ?, does it really matter ?, is there need to setup such long time in other jails like postfix ?
4. Is there any limit of IP being banned in Plesk firewall ?, i know plesk uses IPTABLES module, but i could not find how many IP's could be banned, to not to overfill anything there.
5. There is on internet solution called repeat offender, but i am not sure it would not overlap with recidive jail ?
I observe that hackers have thousands of servers over the whole world so thinking of a way to ban most of them, so maybe i could use fail2ban + geoIP and ban half of the world (but i did not found any solution to implement banning that way in plesk), so such logic is not bad if you have clients that reside in 3-5 countries and you allow smtp auth to that countries and deny all other., but to the topic...
I was configuring recidive, postfix, dovecot jails and changed some fail2ban logrotate periods, but i could not find some info that is important to understand logic behind fail2ban, please let me to understand:
1. Recivide jail takes IP from fail2ban.log, so if i set recidive to block IP for 60 days
a: I would need to extend fail2ban.log, so log will not rotate for 60 days, right ?, as default log rotates each week and there will be 7 compressed logs. I have changed now to rotate monthly with 12 rotates.
b: So i assume that fail2ban check only first log, not the rotated gz logs, right ?
2. If i set recidive jail to block IP after 2 failures - It means: before recidive would block IP - that IP need to be banned two times in different jail/jails, is that right ?
3. Postfix jail - If i set postfix jail to block IP for 15 days, how that will influence recidive jail ?, does it really matter ?, is there need to setup such long time in other jails like postfix ?
4. Is there any limit of IP being banned in Plesk firewall ?, i know plesk uses IPTABLES module, but i could not find how many IP's could be banned, to not to overfill anything there.
5. There is on internet solution called repeat offender, but i am not sure it would not overlap with recidive jail ?
