same ip addresses banned by fail2ban filling up my logs. What can i do about this?

#1 Mon, 05/27/2019 - 08:11
adamjedgar


Hi guys, I have the exact same small list of IP addresses banned by fail2ban whilst trying to brute force Postfix SASL.

185.137.111.44 already banned
2019-05-27 22:13:40,664 fail2ban.actions        [4281]: NOTICE  [postfix-sasl] 185.137.111.77 already banned
2019-05-27 22:14:13,701 fail2ban.actions        [4281]: NOTICE  [postfix-sasl] 185.137.111.77 already banned
2019-05-27 22:14:20,710 fail2ban.actions        [4281]: NOTICE  [postfix-sasl] 185.137.111.145 already banned
2019-05-27 22:14:26,717 fail2ban.actions        [4281]: NOTICE  [postfix-sasl] 45.13.36.22 already banned

Is there some kind of loop-out script or something I can use that will simply con this fuckwit bot into thinking it's going somewhere but not actually hitting my server... how can I have it tie itself up instead of filling my server's fail2ban logs with shit hundreds of times per day?

Thu, 05/30/2019 - 08:09
scotwnw

If I started seeing many IPs from the same subnet, I'd ban the whole /24 subnet, or /16, whichever applies. Especially if it's from CN or RU. In your example I'd ban 185.137.111.0/24 manually in the firewall. Just out of curiosity, since I don't use fail2ban: if the IP is already banned, how is it even getting back in to trigger another fail2ban postfix action?
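Putting the subnet-ban suggestion above into something repeatable, as an added example that is not from the thread: the script below parses fail2ban "Ban" and "already banned" notices, counts repeat offenders per jail, groups them into /24 (or /16) networks, and prints ipset/iptables commands for any network that has several distinct hosts and enough notices to be worth blocking wholesale. The sample log is constructed from the lines posted in the thread; the ipset name `f2b-manual`, the thresholds and the allow-listed address `203.0.113.10` are assumptions, and the firewall commands assume iptables with ipset (nftables users would use a set in their ruleset instead). The DROP rule is inserted at position 1 of INPUT on purpose: one common reason for a flood of "already banned" notices is an accept rule for ESTABLISHED connections sitting ahead of fail2ban's chain, so the bot's already-open SMTP sessions keep failing authentication and every failure is matched again; dropping before that rule closes the path. Blocking a whole /24 also hits every legitimate sender in it, hence the allow-list check.

```python
"""Aggregate fail2ban ban/already-banned notices by subnet and emit block rules."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the lines posted in the thread (not a real log dump).
SAMPLE_LOG = """\
2019-05-27 22:13:40,664 fail2ban.actions        [4281]: NOTICE  [postfix-sasl] 185.137.111.77 already banned
2019-05-27 22:14:13,701 fail2ban.actions        [4281]: NOTICE  [postfix-sasl] 185.137.111.77 already banned
2019-05-27 22:14:20,710 fail2ban.actions        [4281]: NOTICE  [postfix-sasl] 185.137.111.145 already banned
2019-05-27 22:14:26,717 fail2ban.actions        [4281]: NOTICE  [postfix-sasl] 45.13.36.22 already banned
2019-05-27 22:15:02,001 fail2ban.actions        [4281]: NOTICE  [postfix-sasl] Ban 185.137.111.44
2019-05-27 22:15:30,120 fail2ban.actions        [4281]: NOTICE  [postfix-sasl] 185.137.111.44 already banned
"""

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    rf"^(?P<ts>\S+ \S+) fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] "
    rf"(?:(?P<already>{_IPV4}) already banned|Ban (?P<ban>{_IPV4}))\s*$"
)


def parse_events(log_text):
    """Return (timestamp, jail, ip, kind) tuples, kind in {'ban', 'already'}.
    Lines that are not fail2ban ban/already-banned notices are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("already"):
            events.append((m.group("ts"), m.group("jail"), m.group("already"), "already"))
        else:
            events.append((m.group("ts"), m.group("jail"), m.group("ban"), "ban"))
    return events


def repeat_counts(events, jail=None):
    """Count 'already banned' notices per IP, optionally restricted to one jail."""
    return Counter(
        ip for _, j, ip, kind in events
        if kind == "already" and (jail is None or j == jail)
    )


def candidate_networks(events, prefixlen=24, min_hosts=2, min_events=3, allow=()):
    """Group offending hosts into /prefixlen networks and return (as strings,
    busiest first) those with at least min_hosts distinct hosts and min_events
    notices. A network containing any allow-listed address is never returned."""
    hosts = defaultdict(set)
    count = Counter()
    for _, _, ip, _ in events:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        hosts[net].add(ip)
        count[net] += 1
    allowed = [ipaddress.ip_address(a) for a in allow]
    picked = [
        net for net in hosts
        if len(hosts[net]) >= min_hosts and count[net] >= min_events
        and not any(a in net for a in allowed)
    ]
    return [str(n) for n in sorted(picked, key=lambda n: (-count[n], n))]


def block_commands(networks, set_name="f2b-manual"):
    """Shell commands (assumed iptables + ipset) that drop the networks via an
    ipset, inserted at the top of INPUT so an earlier accept rule for
    ESTABLISHED connections cannot let the bot's open sessions through."""
    cmds = [f"ipset create {set_name} hash:net -exist"]
    cmds += [f"ipset add {set_name} {net} -exist" for net in networks]
    cmds.append(f"iptables -I INPUT 1 -m set --match-set {set_name} src -j DROP")
    return cmds


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ip, n in repeat_counts(evs, jail="postfix-sasl").most_common():
        print(f"{ip:<16} {n} repeat notice(s)")
    nets = candidate_networks(evs, allow=["203.0.113.10"])  # assumed admin address
    print("\n".join(block_commands(nets)))
```

Run it against `/var/log/fail2ban.log` instead of the embedded sample by reading the file into `parse_events`; review the printed commands before running them, and consider `prefixlen=16` only when the hosts really are spread across many /24s.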

Thu, 05/30/2019 - 18:57
adamjedgar

Hi Scot, perhaps I need to change the fail2ban log notification level to something higher than "NOTICE"? I have reset it to ERROR (the second highest level).

The trouble is, I wonder about the importance of knowing what is going on vs. filling one's logs up with shit?

I actually tried to pass this off to my Vultr network firewall, i.e. block it at their level so it doesn't use any of my system resources. Whilst I don't fully understand their explanation, the gist of it was, "our firewall algorithm doesn't work that way". In effect my understanding is, they are only providing a means of opening and closing ports or limiting access to those ports to specific IP addresses, and not banning IP addresses or IP address ranges it seems... consequently these requests are still coming through the Vultr firewall and hitting my server (which is where they are obviously then being dealt with).

I read on a forum somewhere (I can't remember where unfortunately) that someone had created a script that essentially tricks the requesting bot into thinking my system is doing something with their request, when in fact it's just going into thin air... some kind of loop-out. I don't understand the programming side of such things or whether this actually even works... but I did read about it (perhaps it was on the Stack Exchange forums somewhere?)

AJECreative is the home of $5 web hosting and $15/month VPS servers (1 CPU, 1 GB RAM, 25 GB storage)
Centos7, Debian9, or Ubuntu18LTS
Available Control Panels = Centos-Webpanel, Cyberpanel, or Virtualmin

https://ajecreative.com.au
