Battling the Bots – fail2ban seems to work

One thing that surprised me (well shocked me to be honest) after bringing this little site on line was waking up in the morning to find my server access logs had grown by megabytes over night. Closer inspection showed a small number of highly aggressive bots hitting web, mail and sshd servers. One bot alone tried many thousands of user/pass combinations on the email server, firing off up to fifty incoming threads at a time. Presumably it would have tried more but 50 was the server configuration limit.

So I decided to install fail2ban. By default fail2ban only has one rule enabled checking sshd but comes with predefined failure checking filters for most popular server software (web, email ftp etc) and example templates in the configuration file to enable logging of anything else desired. You can set how many failures per time interval are needed to trigger a ban and how long the ban will last. You can choose to ban the user only from that protocol or from all IP access. fail2ban creates rules in the firewall to implement the block.

Well, since turning on monitoring of attempted web, sshd, ftp and email intrusions I’ve been able to get up the next day without finding the odd 10 thousand attempted break-ins. So, so far, so good (touch wood)  and I can recommend fail2ban to anyone running any servers with incoming ports open to the Internet.

fail2ban output log

Output log from an older version of fail2ban from Wikipedia showing fail2ban at work

If you want to be more pro-active there’s a good article “Fail2ban setup for Apache” which shows how to block the bots as soon as they simply scan the site looking for vulnerabilities.

Hopefully that’s me done with the bots for now. Will see how it goes.

81 thoughts on “Battling the Bots – fail2ban seems to work

  1. Ben.. yes Bono the great public speaker on African poverty… squashes real concerns, and voice of the people…he jumped on Peter Gabriel’s genuine heart felt humility, Jim kerr of simple minds Kinda tried it on too, but both of them with nothing like Gabriel’s persistence in actions ,and music.. but Whatever happened to the Elder’s project…much silence there

    i once took a hefty sculpture i made – that represents Stephen Biko – on the effin train…. to let Jim kerr see it backstage, as wee had word he was interested in it… but turns out he thought it was a gift – taxi after missing last train taxi driver was kinda generous…but still had to carry the sculpture up hill about a fucking mile

    AA… we seen Rick live in GREENOCK of all places, it was a clasical tour thingy…whata guy, and his patter ( chat ) is top class Lol

    any way Dudes, as it’s a new Weekend, and ( Peacable at least hereabouts – touch wood ) check this amazing video out…heart strings stuff

    Like prisoners emerging from a lifetime behind bars, a group of chimpanzees step blinking into the sunlight. This is the first time they have felt grass under their feet and breathed fresh air for 30 years.

    Watch oot for the Hugging of each other @ 1;25 in just awsome…poor wee things….its happy and yet sad too i think

  2. Hiya, I’m just checking in, saying hello.

    I’m in Glasgow. I needed directions, so I asked a couple of those “Community Support” or whatever they’re called Non-police police people. They were on bicycles. One of them told me I was in the East End of Glasgow, an I should leave as soon as possible because it’s so dangerous!

    I wonder if I should make a complaint. They were friendly, polite and helpful, but should they really say things like that? Does it help, trying to send law-abiding people away? Doesn’t it heighten tensions?

  3. The crack in the dam. That’s what Snowden did. he dared create a fissure. I don’t care what anyone says, he’s a hero, not a charlatan. He has opened up not just files but actual, factual dialogue and dispute amongst the elite. Unheard of.


    Thanks for giving me something to dine on this evening.


    I have recently received a new sophisticated radiation monitor sent from London, which has now had its first outing in the field. You can point it at things and it tells you how many “counts per second” of radiation the object is giving off.

    …As our bus left reactor four and drove along the sea front, I pointed my new monitor out of the window towards reactor building three. Suddenly the needle started to spike – 1,000 counts per second, then 2,000, 3,000, finally it went off the scale.

    There, outside the bus, just a few dozen meters away is the real dead zone, a place where it is still far too dangerous for anyone to go. No human has been inside reactor three since the disaster. To do so would be suicide. No-one knows when it will be possible to go in.

    When I asked the same experts how long it would be until reactors one, two and three could be dismantled, they shook their heads. When I asked them where they thought the melted reactor cores were, they shook their heads again.

    Tokyo Electric Power Company was happy to show us reactor four, but please do not ask what they intend to do with reactors one, two and three.

  5. “So what can I report? Mainly that I feel somewhat reassured by what I have seen. The preparations for the fuel removal appear meticulous.”

    It’s being set-up as a success story, AA. All the drama around the rod-removal will have a happy, happy ending to public concern.

  6. By the way I’ve had to disable unregistered comments on the forum as the spammers were getting through too often. and I really wasn’t in need of a lifetime supply of scented soap however attractively priced!

  7. Ben, Maybe a bit of space speculation later. Pre-occupied with a few things right now.

    I can keep an eye on the spam from the phone. Most of it enters the moderation queue but some unregistered posts on the forum were going straight through for some reason. I have notification set up so my phone bleeps every time there is a new post or moderation decision needed at the blog but can’t do that on the forum unless I wanted to spend my time rejecting unregistered posts all day. There are currently also what appear to be three stealth bots on the forum as well: “GymnNeereelay,soapszima ,Dondiettetosy” They have registered correctly but have yet to post.

  8. My opinion is that meltdowns are still in progress at Fukushima. There definitely were meltdowns, and nothing has been reported that would change that, so I assume that the meltdowns continue.

    What could extinguish such meltdowns? The molten cores would need to be dispersed somehow. A robot with a big ladle, perhaps? I think they’ll have to blow them apart with explosives eventually, but they don’t want to draw attention.

  9. Clark; As to #3? You think there was a meltdown? It seems the fuel was vaporized in the explosion. Ironic that it seems safer than a meltdown, but not being a techie it’s beyond me.

  10. I don’t think Maduro is incapable of governing, but this makes me wonder…

    “(Reuters) – Venezuelan President Nicolas Maduro’s socialist government “occupied” a chain of electronics stores on Saturday in a high-profile crackdown on what it views as price-gouging hobbling the country’s economy.

    Authorities arrested various managers of the five-store, 500-employee Daka chain, sent soldiers into the shops, and forced the company to start selling products at cheaper prices.”

  11. This resonates in so many dimensions. Clapton is by far, my fav musical artist. Lyrics and arrangement never disappoint. Pilgrim was his darkest work after he rose from the ashes with Unplugged, and began his return from the abyss. Dark but beautiful in the expression of grief, but this piece is poignant without apology. By this time, this white artist, had earned some creds for the Blues.

  12. Doods; We’re gettin’ way too serious. Howzit, Brian, AA? Slow fucking news day.

    As a news junkie, thats a withdrawal peril. Been scratchin’ the cat fever with gold powder dreams, and archetypal duality on the benign vs the malevolent nature of our cosmos. Still undecided. In the meantime, another of my favs; Michael McDonald. Vocals and lyrics AND arrangement perfection (in the main, but of course not this selection)……….

  13. Just noticed a stealth bot has been trying to break into the squonk mail-server for the last week. It connected at intervals long enough to evade the rules in fail2ban and didn’t cause the mail log files to grow fast enough for me to spot it manually without closer inspection. IP address in Germany from a hosting provider seemingly known for running bots and hosting malicious code. IP address already in various “bad” databases and Google tells me that the domain has been found to be hosting viruses within the last week. fail2ban rules now updated with longer detection scope/ban length and it is gone now.

  14. Squonk I am getting that security certificate warning again. Not when I click on to your website but when I go to comments. ?? As I type the address bar is coloured red and marked ‘certificate error’.

    Is the mailbot thing you have been getting this as reported on the BBC website or some other?
    Cryptolocker ransomware has ‘infected about 250,000 PCs’

    Best wishes for 2014 and thanks for hosting us.

  15. Thanks for that report Mary. I’ve switched recent comments back to the standard display while I investigate. Probably a bug in the new comments plugin but I’ll see what I can do to get it sorted.

    What the mailbots do is try brute force username and password attacks against the server. Simply trying as many combinations as it can. Once they have a working username and password for an email account they can download all your email to look for passwords etc in that for other accounts. They can also send spam from your email account which could contain any virus including crypto-locker.

    Most of these attacks are easy to spot as they try sometimes thousands of combinations per hour and stick out a mile in log files if anyone even glances at them. This one was different in that it only tried a new one after a reasonable interval but, to compensate, was doing that for days before I noticed it.

Comments are closed.