I'm using fail2ban 0.10.0 and with it I'm able to trigger some actions to block brute-force attempts from a given single origin (with the HOST tag).

But suppose someone has control over an entire /24 block and is using it to make his bot-based brute-force attacks. Using a fairly reasonable config with findtime = 3600 and maxretry = 3, the attacker could still do about 4 tries per minute without repeating his source address (and without triggering a fail2ban action), and then start over again as the findtime would have expired.

My question: while filtering, is there some way to make fail2ban aware of a given IP block (like a /24) and make findtime and maxretry valid for any address inside this range so it would trigger the action?

For example:

INFO    [postfix-sasl] Found 1.1.1.1
INFO    [postfix-sasl] Found 1.1.1.2
INFO    [postfix-sasl] Found 1.1.1.3
NOTICE  [postfix-sasl] Ban 1.1.1.0/24

Thanks for the help!

Daichi42
  • You can't reliably use an individual IP address to determine how the owner of the IP range that address comes from has divided that range into subnets. For instance, 3 sequential IP addresses can belong to a subnet as small as a /27, with the remaining addresses 1.1.1.9 - 1.1.1.255 divided into a number of similarly small or larger subnets belonging to a number of other users... – HBruijn Jan 19 '18 at 19:08
  • I'm aware of that, but I'm considering the chances of banning a malicious IP range are FAR superior than banning a false-positive, based on the current behaviour of the attempts. But nevermind the strategy used, my question is if fail2ban is able to do something like that. – Daichi42 Jan 19 '18 at 19:40
  • Not to mention, we rarely see this in the real world anyway. Attackers generally use botnets with compromised PCs all around the world and there is no relation between their IP addresses. – Michael Hampton Jan 19 '18 at 19:44
  • Well, I'm asking this based on some evidence. While it is true that infected PCs are used for attacks, it is also true that cloud-based services are also used for that, and they assign dynamic IPs to hosts within their ranges. – Daichi42 Jan 19 '18 at 19:52
  • Yes Fabian, I did my research but nothing I found could help me achieve it. Thanks for the link though. – Daichi42 Jan 19 '18 at 20:05

1 Answer

Is this on port 25 (SMTP) or port 587 (Submission)? I have had scans on port 25, but haven't noticed any significant scans on port 587. Disabling AUTH on port 25 and requiring STARTTLS before AUTH may reduce the attacks.

I do have ongoing scans on my IMAP server. I am using tcpwrappers with a GeoIP filter to limit the countries from which users can connect. This could also be applied to port 587, but I haven't seen the need yet.

I am not aware of any available module for fail2ban; it should be relatively easy to modify the address with the python ipaddress module. The ip_network method can do the conversion for you. There is a backport from Python3 available for Python2. The likely place to apply this would be in the code that reports the found addresses.

BillThor
  • Thanks for the reply Bill. I see attempts on both 25 and 587, the above (postfix-sasl) was only an example. I've been able to reduce spam and brute-force attempts by using GeoIP for some time now, but there are countries that I can't ban permanently. I guess I'll try to read the code and see if it can be done easily. Thanks again! – Daichi42 Jan 22 '18 at 12:53
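As an added illustration of the /24 aggregation the answer suggests (example code written for this page, not fail2ban's own code or a fail2ban module): it parses constructed fail2ban-style "Found" lines, maps each address to its enclosing network with ipaddress.ip_network(..., strict=False), and applies findtime and maxretry per network rather than per host. The simplified log format, the findtime/maxretry defaults and the IPv6 /64 fallback are assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed, simplified fail2ban-style line: "<date> <time> INFO [<jail>] Found <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+INFO\s+"
    r"\[(?P<jail>[^\]]+)\]\s+Found\s+(?P<ip>\S+)$"
)

def network_of(addr, prefix=24):
    """Return the /prefix network containing addr as a string, e.g. 1.1.1.0/24."""
    ip = ip_address(addr)
    if ip.version == 6:
        prefix = 64  # assumption: aggregate IPv6 sources per /64 instead of /24
    # strict=False lets host bits be set, so "1.1.1.7/24" collapses to "1.1.1.0/24"
    return str(ip_network("%s/%d" % (ip, prefix), strict=False))

def find_bans(lines, findtime=3600, maxretry=3, prefix=24):
    """Return [(jail, network)] for networks reaching maxretry failures within findtime seconds."""
    recent = {}     # (jail, network) -> timestamps of failures still inside findtime
    banned = set()
    bans = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # Ban/NOTICE lines and unrelated output are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["jail"], network_of(m["ip"], prefix))
        if key in banned:
            continue
        window = [t for t in recent.get(key, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[key] = window
        if len(window) >= maxretry:
            bans.append(key)
            banned.add(key)
    return bans

# Constructed sample log: 1.1.1.0/24 hits 3 distinct hosts within 2 minutes;
# 3.3.3.0/24 spreads attempts across more than findtime, so its first one expires.
SAMPLE_LOG = [
    "2018-01-19 19:00:00 INFO [postfix-sasl] Found 1.1.1.1",
    "2018-01-19 19:00:15 INFO [postfix-sasl] Found 3.3.3.1",
    "2018-01-19 19:00:30 INFO [postfix-sasl] Found 1.1.1.2",
    "2018-01-19 19:01:00 INFO [postfix-sasl] Found 2.2.2.5",
    "2018-01-19 19:01:30 INFO [postfix-sasl] Found 1.1.1.3",
    "2018-01-19 21:00:30 INFO [postfix-sasl] Found 3.3.3.2",
    "2018-01-19 21:01:00 INFO [postfix-sasl] Found 3.3.3.3",
    "2018-01-19 21:02:00 NOTICE [postfix-sasl] Ban 9.9.9.9",
]
```

With the defaults from the question (findtime=3600, maxretry=3) only 1.1.1.0/24 is reported; lowering maxretry to 2 also catches 3.3.3.0/24, which shows how the per-network window interacts with findtime expiry.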