Fail2ban reported attempts and options

Support for security such as Firewalls and securing linux
lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Fail2ban reported attempts and options

Post by lightman47 » 2017/07/02 05:16:57

I am looking for thoughts here -

I currently run fail2ban on all my (heh - 5) machines, though only one currently has Internet services running. On this (those) machine(s) I've enabled emails to me when a ban occurs - with a whois report in each email. I believe I remember seeing, in the fail2ban .local files an option to have the program also send a report to the offending provider's ABUSE contact from that WHOIS.

Question:
Do you think doing this will help or, as I suspect, make me even more of a target, given that the bulk of my attempts are from CN & RU with a handful of others thrown in?

Anecdotal:
We signed up with DYNDNS for dynamic DNS for the 'constant' address for a couple of family sites because my IP changed when the wind did. Since then, I've had the same address "forever" and even asked my (DSL) ISP how I can get a new one to get rid of the constant attempts mentioned above. Instructions involved "going off-line/powering down" their modem for a time period. I tried it several times, for multiples of their 'period of time' - heh - got the same address! I'll bet the minute I give up dynamic DNS, yep!

Thank you.

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Fail2ban reported attempts and options

Post by KernelOops » 2017/07/02 21:22:02

I've had long experience with that sort of thing; eventually I found out that some countries refuse to do anything about it, especially when the targets are outside of their own network.

Eventually I did something aggressive: I started blocking entire country net blocks. Since I have no clients in those regions, and my clients don't have any communication there, it was a simple and easy solution. I use http://www.ipdeny.com/ to download lists and load them into firewalld as ipset lists. Easy, efficient and VERY effective.

The only attacks you can't block like that are the ones using VPN services or some compromised server, but those kinds of attacks are few and are mostly used for spam emails.
--
R.I.P. CentOS :cry:
--
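The country-block approach described in the reply above, written out as an added example (this is not the poster's own script and not a file from the thread): it takes an ipdeny.com aggregated zone file, keeps only prefixes that are syntactically valid IPv4 CIDRs, and emits the firewall-cmd sequence that creates a hash:net ipset and binds it as a source of firewalld's built-in "drop" zone. The sample zone content is constructed; the set name prefix "geoblock-", the temp-file location and the DRY_RUN switch are assumptions of this example, not anything the forum post specified.

```shell
# Added example for this thread (not the poster's own script): load an
# ipdeny.com country zone file into firewalld as an ipset bound to the
# "drop" zone. Set name, temp path and DRY_RUN are this example's choices.
set -eu

# Constructed sample in ipdeny's aggregated zone format (one IPv4 CIDR per
# line). A real file comes from
#   http://www.ipdeny.com/ipblocks/data/aggregated/<cc>-aggregated.zone
# The junk lines show what the filter must discard before handing the
# list to firewalld.
SAMPLE_ZONE='1.0.1.0/24
1.0.2.0/23
# comment, not a prefix
256.1.1.0/24
1.0.8.0/21
not-a-cidr
1.0.32.0/33'

# filter_cidrs: stdin -> stdout, keeping only well-formed IPv4 CIDRs.
# The grep checks the shape, the awk checks each octet <= 255 and the
# prefix length <= 32, so the ipset only ever receives entries it accepts.
filter_cidrs() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' |
  awk -F'[./]' '{ ok = 1
                  for (i = 1; i <= 4; i++) if ($i > 255) ok = 0
                  if ($5 > 32) ok = 0
                  if (ok) print }'
}

# valid_count: number of usable prefixes in a zone file's text.
valid_count() {
  printf '%s\n' "$1" | filter_cidrs | wc -l | tr -d ' '
}

# ipset_commands SET_NAME ENTRIES_FILE: the firewall-cmd sequence. All
# changes are --permanent (survive restarts) and then applied by --reload.
# hash:net is the ipset type that holds CIDR prefixes; family=inet = IPv4.
ipset_commands() {
  set_name=$1
  entries=$2
  cat <<EOF
firewall-cmd --permanent --new-ipset=$set_name --type=hash:net --option=family=inet
firewall-cmd --permanent --ipset=$set_name --add-entries-from-file=$entries
firewall-cmd --permanent --zone=drop --add-source=ipset:$set_name
firewall-cmd --reload
EOF
}

# block_country CC ZONE_FILE: filter the list, then print (DRY_RUN=1,
# the default) or execute (DRY_RUN=0) the firewall-cmd sequence.
block_country() {
  cc=$1
  zone_file=$2
  set_name="geoblock-$cc"
  entries="${TMPDIR:-/tmp}/$set_name.txt"
  filter_cidrs <"$zone_file" >"$entries"
  if [ "${DRY_RUN:-1}" = 1 ]; then
    ipset_commands "$set_name" "$entries"
  else
    ipset_commands "$set_name" "$entries" | sh -e
  fi
}

# Usage on a real host (needs root and firewalld running):
#   curl -sO http://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone
#   DRY_RUN=0 block_country cn cn-aggregated.zone
```

Run it with the default DRY_RUN=1 first to see exactly what will be applied. Because the source is bound to the "drop" zone, matching packets are silently discarded inbound only; the host can still reach those networks, which matters if you ever need to fetch something from there. ipdeny's lists change over time, so refreshing means deleting the ipset (firewall-cmd --permanent --delete-ipset=NAME) and rebuilding it, and, as the reply notes, traffic coming through a VPN or a compromised server in an unblocked country is untouched by this.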
