Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Netfilter: recidive #3950

Closed
omexlu opened this issue Jan 22, 2021 · 11 comments
Closed

Netfilter: recidive #3950

omexlu opened this issue Jan 22, 2021 · 11 comments
Labels
enhancement

Comments

@omexlu
Copy link

omexlu commented Jan 22, 2021

Hello,

It would be good if repeat offenders could get a definable longer ban.

So this would no longer burden the system.

This givess eg at Fail2ban and should also be implemented here.

If an IP is banned X times, a new ban should last much longer.

Thanks in advance.
@omexlu
Copy link
Author

omexlu commented Jan 25, 2021

Because of the increased current noise floor I have made the following settings until something happens in the direction of the suggestion here:
be0322f5-cdfd-435c-b9ce-f819427f5ffb

@andryyy
Copy link
Contributor

andryyy commented Jan 25, 2021

I like the idea too. I thought about not using netfilter-mailcow for bans anymore but making it the task of the attacked application. I need to check how that could work in this case.

@omexlu
Copy link
Author

omexlu commented Jan 25, 2021

Great idea, the main thing is that it is made more difficult for attackers, with mail servers, the noise is always more violent than with web servers, so automated bots that last brute force or similar should also be banned longer.

By the above image I have in any case currently found for me a solution so that I block attackers access for a week.

I'm sure you find a solution :)

@dragoangel
Copy link
Collaborator

If you ban /24 for ipv4, you better ban /48 for ipv6 :) but to say I never had ipv6 brute force yet at all.

@chriscroome
Copy link
Contributor

I'd like something like this too, there appears to be whole net blocks that are being used to try to brute force mailboxes, for example I had these notifications today:

Wed Feb  3 14:21:41 GMT 2021 - IP ban: 176.111.173.46/32
Wed Feb  3 14:21:42 GMT 2021 - IP ban: 176.111.173.47/32
Wed Feb  3 14:21:43 GMT 2021 - IP ban: 176.111.173.48/32
Wed Feb  3 14:21:44 GMT 2021 - IP ban: 176.111.173.49/32
Wed Feb  3 14:21:44 GMT 2021 - IP ban: 176.111.173.50/32
Wed Feb  3 14:24:43 GMT 2021 - IP ban: 193.169.254.231/32
Wed Feb  3 14:24:44 GMT 2021 - IP ban: 193.169.254.232/32
Wed Feb  3 14:24:45 GMT 2021 - IP ban: 193.169.254.233/32
Wed Feb  3 14:24:46 GMT 2021 - IP ban: 193.169.254.234/32
Wed Feb  3 14:24:46 GMT 2021 - IP ban: 193.169.254.235/32

What I have been doing every few days is limiting my MUA display to just the IP ban emails, I copy all the Subject: lines in to a text file which I then cat and pipe into awk '{ print $16 }' | sort | uniq -c | sort (the blocked IP address is the 16th space separated field), this results in a list of the worst offenders sorted by the number of bans and any IP address that has been blocked 10 or more times I add to the ban list.

It would be awesome if something could be automated around this.

@omexlu
Copy link
Author

omexlu commented Feb 3, 2021

Your application is to much, and iptables get to big after some time if not used ipset, so recidive or something similar is the best way to manage 😊

@chriscroome
Copy link
Contributor

I did have bans set for /24 but @andryyy found that one client with a misconfigured client on the same netblock as another client resulted in one client causing another to be blocked so I have reverted to banning /32.

@bbm-design
Copy link

Hello,
my server have been attacked multiple times, i have now blocked more than 170 ips (some are /24 blocks)
but i'm wondering if it will not make the netfilter slower

i have ipset blocklists on the host machine, but docker is working around it.

what could be the right and most efficient way to implement a good blocking list/process ?

@VermiumSifell
Copy link
Collaborator

This would be nice, should be extremely easy atleast if using Fail2ban instead of Netfilter

@dragoangel
Copy link
Collaborator

dragoangel commented Jan 21, 2023
edited

This would be nice, should be extremely easy atleast if using Fail2ban instead of Netfilter

As data hosted in regis it not hard to extend ban with additional data like expired boolean and repeat ban counter, time of ban expiration in epoch format by UTC, extend key expiration to time equal of time of forgetting the host and this way:

  1. when expired flag is set to false - host is banned
  2. when expired flag is set to true and host going to be banned again repeat ban counter getting +1 and time of ban expiration also get extended, same as key expiration in redis
  3. background job checking for bans to expire based on current time and epoch of bans and puts expired flag to false
  4. each time ban is applied - the time on which apply ban was terminated based on ban counter. If this new host - ban on x, if host already stored in redis - x^, and if counter is 1, then x^2, then x^3 and so on...
  5. key expire and removes by redis automatically when host stopped to bruteforce for time set by user in admin UI.

@dragoangel dragoangel reopened this Jan 21, 2023
@dragoangel
Copy link
Collaborator

sorry, accidentally closed :\

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@chriscroome @dragoangel @andryyy @omexlu @VermiumSifell @bbm-design @FreddleSpl0it