I am running an Ubuntu 20.04 LEMP server, with postfix/dovecot. I have fail2ban set up so that if 2 unsuccessful login attempts to my email are made by the same IP address, fail2ban bans the IP from accessing anything on my server. However, in my postfix logs, I have noticed Tor traffic trying to access my email server. The problem with this is that since Tor IPs are constantly changing, fail2ban fails to detect the same IP guessing passwords, even though it is most likely the same user using Tor to make connection attempts. I am wondering if there is a way to block Tor traffic with fail2ban, or block it completely from my LEMP server, so that no Tor traffic can make connection attempts to my email server.
Normally you use fail2ban to generate an IP blocklist based on abuse patterns found in your own log files.
Your use case is different and I wouldn't use fail2ban for that.
The TOR network provides a ready-made list of current TOR exit nodes here: https://check.torproject.org/torbulkexitlist
Simply download and refresh that list regularly and use that as input for a separate IP blocklist, as separate iptables rules.
wget https://check.torproject.org/torbulkexitlist
The most efficient way to make and maintain an iptables rule with such a list of unique IPs is with ipset.
ipset create blacklist-tor hash:ip hashsize 65536
ipset create blacklist-tor-tmp hash:ip hashsize 65536
Use a temporary ipset when adding IPs:
ipset flush blacklist-tor-tmp
for TOR_IP in $(cat torbulkexitlist) ; do ipset add blacklist-tor-tmp $TOR_IP ; done
Atomically activate the list with the latest IPs with the ipset swap function:
ipset swap blacklist-tor-tmp blacklist-tor
And then create/add a single rule that checks the ipset for TOR exit nodes and categorically block those:
iptables -I INPUT_direct -p tcp -m multiport --dports 25,587,110,995,143,993 -m set --match-set blacklist-tor src -j REJECT --reject-with icmp-port-unreachable

Rob
- "And then create/add a single rule that checks the ipset for TOR exit nodes and categorically block those:" I am using UFW, not iptables. Is there a way to do this with UFW? Or can I use UFW and iptables at the same time? – DanRan Aug 08 '22 at 16:52
- UFW is a front-end to iptables. I don't think the UFW framework has native support for ipset based rules, but UFW supports adding raw rules to add non-standard rules such as the one using ipset lists. – HBruijn Aug 09 '22 at 07:29
- Thank you, but I am still a bit confused. Would UFW Raw rules be that of those rules added to /etc/ufw/before.rules? such as .... -I INPUT_direct -p tcp -m multiport --dports 25,587,110,995,143,993 -m set --match-set blacklist-tor src -j REJECT --reject-with icmp-port-unreachable ? – DanRan Aug 11 '22 at 17:50
- ^^^^^^^^^^^^^^^^^^^^^ @HBruijn – DanRan Jan 03 '23 at 19:22
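The refresh procedure from the answer (download the exit list, fill a temporary set, swap it in), written out as a complete script. This is an added example, not code from the answer or from the Tor project. It uses the answer's set names blacklist-tor and blacklist-tor-tmp and its list URL; everything else (the filtering of non-IPv4 lines, the MIN_EXPECTED sanity floor, the constructed sample list, the --apply switch) is my own addition. It differs from the answer's loop in three ways a practitioner usually wants: it loads the whole list in one "ipset restore" call instead of one ipset process per address, it drops lines that are not well-formed IPv4 addresses (a blank line, a comment, an IPv6 entry or a malformed line would otherwise abort the load of a hash:ip set created with the default inet family), and it fails closed, leaving the currently active set untouched when the download fails or the result looks truncated.

```shell
#!/bin/bash
# Added example, not the answer's own code. Batches the Tor exit list into one
# "ipset restore", keeps only well-formed IPv4 addresses, refuses to swap in a
# suspiciously small list, then does the atomic swap the answer describes.
# Set names and URL are taken from the answer; MIN_EXPECTED is an assumption.
set -u

TOR_LIST_URL="https://check.torproject.org/torbulkexitlist"
MIN_EXPECTED=100   # assumed sanity floor; the real list is much larger

# Constructed sample of what a downloaded list might contain: valid entries,
# a blank line, a comment, an IPv6 address, a duplicate and a malformed line.
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
203.0.113.7
198.51.100.23

# not an address
2001:db8::1
203.0.113.7
256.1.1.1
192.0.2.200
EOF

# Print each well-formed IPv4 address from the file once, one per line.
extract_ipv4() {
    awk -F'.' '
        NF == 4 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) ok = 0
            if (ok) print
        }' "$1" | sort -u
}

# Number of usable addresses in the file (used for the sanity check).
count_ipv4() {
    extract_ipv4 "$1" | awk 'END { print NR }'
}

# Emit an "ipset restore" script that (re)creates, empties and fills a set.
build_ipset_restore() {
    local listfile="$1" setname="$2"
    printf 'create %s hash:ip hashsize 65536\n' "$setname"
    printf 'flush %s\n' "$setname"
    extract_ipv4 "$listfile" | while IFS= read -r ip; do
        printf 'add %s %s\n' "$setname" "$ip"
    done
}

# Download the live list and swap it into the active set. Fails closed: on a
# failed download or a too-small list the current blacklist-tor is untouched.
refresh_tor_blocklist() {
    local tmp
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$TOR_LIST_URL"; then
        echo "download failed; keeping existing blacklist-tor" >&2
        rm -f "$tmp"; return 1
    fi
    if [ "$(count_ipv4 "$tmp")" -lt "$MIN_EXPECTED" ]; then
        echo "list has fewer than $MIN_EXPECTED addresses; not swapping" >&2
        rm -f "$tmp"; return 1
    fi
    # Both sets must exist before swap; -exist makes create/add idempotent.
    ipset -exist create blacklist-tor hash:ip hashsize 65536
    build_ipset_restore "$tmp" blacklist-tor-tmp | ipset -exist restore
    ipset swap blacklist-tor-tmp blacklist-tor
    rm -f "$tmp"
}

# Only touch the kernel when explicitly asked (needs root, ipset and wget):
#   ./tor-blocklist.sh --apply
if [ "${1:-}" = "--apply" ]; then
    refresh_tor_blocklist
fi
```

Run it from cron or a systemd timer with --apply; the swap is atomic, so the REJECT rule from the answer keeps matching throughout a refresh. One caveat that matters for the before.rules question in the comments: iptables refuses to load a rule whose --match-set target does not exist yet, so if the rule is placed in /etc/ufw/before.rules (as a raw rule in the filter section, of the form -A ufw-before-input -p tcp -m multiport --dports 25,587,110,995,143,993 -m set --match-set blacklist-tor src -j REJECT --reject-with icmp-port-unreachable), the blacklist-tor set has to be created before UFW loads its rules at boot, or UFW will fail to start. Creating the (possibly still empty) set early and filling it afterwards with this script avoids that ordering problem.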