One thing that surprised me (well, shocked me to be honest) after bringing this little site online was waking up in the morning to find my server access logs had grown by megabytes overnight. Closer inspection showed a small number of highly aggressive bots hitting the web, mail and sshd servers. One bot alone tried many thousands of user/pass combinations on the email server, firing off up to fifty incoming connections at a time. Presumably it would have tried more, but 50 was the server's configured limit.
So I decided to install fail2ban. By default fail2ban has only one rule enabled, checking sshd, but it comes with predefined failure-detection filters for most popular server software (web, email, FTP, etc.) and example templates in the configuration file for monitoring anything else you want. You set how many failures per time interval are needed to trigger a ban and how long the ban lasts, and you can choose to ban the source only from that protocol or from all IP access. fail2ban creates rules in the firewall to implement the block.
Well, since turning on monitoring of attempted web, sshd, FTP and email intrusions I’ve been able to get up the next day without finding the odd 10 thousand attempted break-ins. So, so far, so good (touch wood) and I can recommend fail2ban to anyone running any servers with incoming ports open to the Internet.
If you want to be more proactive there’s a good article “Fail2ban setup for Apache” which shows how to block the bots as soon as they simply scan the site looking for vulnerabilities.
Hopefully that’s me done with the bots for now. Will see how it goes.
81 thoughts on “Battling the Bots – fail2ban seems to work”
I always loved Yes, but on the techno side I preferred the Cars for precision robotics, and I always thought of them as Yes without a soul.
Probably the best lp best song; ‘It’s all I can do’
Ben, If we look at proto-techno we shouldn’t forget the classics
Closely associated with Yes of course.
“Put the blame on VCR
You are the Radio Star”
Genesis after someone apparently gave them some Ecstasy 🙂
Ben.. yes Bono the great public speaker on African poverty… squashes real concerns, and voice of the people…he jumped on Peter Gabriel’s genuine heart felt humility, Jim kerr of simple minds Kinda tried it on too, but both of them with nothing like Gabriel’s persistence in actions ,and music.. but Whatever happened to the Elder’s project…much silence there
i once took a hefty sculpture i made – that represents Stephen Biko – on the effin train…. to let Jim Kerr see it backstage, as we had word he was interested in it… but turns out he thought it was a gift – taxi after missing last train, taxi driver was kinda generous…but still had to carry the sculpture up hill about a fucking mile
AA… we seen Rick live in GREENOCK of all places, it was a classical tour thingy…what a guy, and his patter ( chat ) is top class Lol
any way Dudes, as it’s a new Weekend, and ( Peacable at least hereabouts – touch wood ) check this amazing video out…heart strings stuff
Like prisoners emerging from a lifetime behind bars, a group of chimpanzees step blinking into the sunlight. This is the first time they have felt grass under their feet and breathed fresh air for 30 years.
Watch oot for the hugging of each other @ 1:25 in, just awesome…poor wee things….its happy and yet sad too i think
New post up http://squonk.tk/blog/2013/11/09/bbc-news-yasser-arafat-may-have-been-poisoned-with-polonium/
Live Olympic Torch Space Walk http://www.ustream.tv/nasahdtv
AA; Region 3 (Northeast; NY, NJ etc) is apparently going to pass through the remnant of tail. Question is; why wouldn’t they have the same exercises in Oregon/Washington.
Hiya, I’m just checking in, saying hello.
I’m in Glasgow. I needed directions, so I asked a couple of those “Community Support” or whatever they’re called non-police police people. They were on bicycles. One of them told me I was in the East End of Glasgow, and I should leave as soon as possible because it’s so dangerous!
I wonder if I should make a complaint. They were friendly, polite and helpful, but should they really say things like that? Does it help, trying to send law-abiding people away? Doesn’t it heighten tensions?
UK government covering up torture:
“I am hopeful that, with the internet still largely free to the dissemination of information, our next massive whistleblower is only weeks away.”
The crack in the dam. That’s what Snowden did. He dared create a fissure. I don’t care what anyone says, he’s a hero, not a charlatan. He has opened up not just files but actual, factual dialogue and dispute amongst the elite. Unheard of.
Thanks for giving me something to dine on this evening.
Could it be removing the rods from #4 is a distraction from the really, really big problem….#3?
500 hundred pounds of plutonium and tons of uranium nanosized, and made airborne. No need to remove the rods from 3 so it’s all good.
“So what can I report? Mainly that I feel somewhat reassured by what I have seen. The preparations for the fuel removal appear meticulous.”
It’s being set-up as a success story, AA. All the drama around the rod-removal will have a happy, happy ending to public concern.
By the way, I’ve had to disable unregistered comments on the forum as the spammers were getting through too often, and I really wasn’t in need of a lifetime supply of scented soap, however attractively priced!
You’re very neat and tidy, AA. Nary a single spam, have I seen.
AA; How about some speculation on the six-tailed Green Dragon?
Ben, Maybe a bit of space speculation later. Pre-occupied with a few things right now.
I can keep an eye on the spam from the phone. Most of it enters the moderation queue but some unregistered posts on the forum were going straight through for some reason. I have notification set up so my phone bleeps every time there is a new post or moderation decision needed at the blog, but I can’t do that on the forum unless I wanted to spend my time rejecting unregistered posts all day. There are currently also what appear to be three stealth bots on the forum as well: “GymnNeereelay, soapszima, Dondiettetosy”. They have registered correctly but have yet to post.
My opinion is that meltdowns are still in progress at Fukushima. There definitely were meltdowns, and nothing has been reported that would change that, so I assume that the meltdowns continue.
What could extinguish such meltdowns? The molten cores would need to be dispersed somehow. A robot with a big ladle, perhaps? I think they’ll have to blow them apart with explosives eventually, but they don’t want to draw attention.
Clark; As to #3? You think there was a meltdown? It seems the fuel was vaporized in the explosion. Ironic that it seems safer than a meltdown, but not being a techie it’s beyond me.
Heh. OK, then, later AA.
It’s amazing how botulism thrives in a non-oxygenated environment, and microbes survive absolute zero temps as they hitchhike across the cosmos. Also incredibly prescient of ‘Andromeda Strain’ to address viral extraterrestrials in 1969.
I don’t think Maduro is incapable of governing, but this makes me wonder…
“(Reuters) – Venezuelan President Nicolas Maduro’s socialist government “occupied” a chain of electronics stores on Saturday in a high-profile crackdown on what it views as price-gouging hobbling the country’s economy.
Authorities arrested various managers of the five-store, 500-employee Daka chain, sent soldiers into the shops, and forced the company to start selling products at cheaper prices.”
This resonates in so many dimensions. Clapton is by far, my fav musical artist. Lyrics and arrangement never disappoint. Pilgrim was his darkest work after he rose from the ashes with Unplugged, and began his return from the abyss. Dark but beautiful in the expression of grief, but this piece is poignant without apology. By this time, this white artist, had earned some creds for the Blues.
Check out this Video Re Fukushima…. OMG
Great shot of Our six tailed one here.
Doods; We’re gettin’ way too serious. Howzit, Brian, AA? Slow fucking news day.
As a news junkie, that’s a withdrawal peril. Been scratchin’ the cat fever with gold powder dreams, and archetypal duality on the benign vs the malevolent nature of our cosmos. Still undecided. In the meantime, another of my favs: Michael McDonald. Vocals and lyrics AND arrangement perfection (in the main, but of course not this selection)……….
On a lighter note then. New post
Just noticed a stealth bot has been trying to break into the squonk mail server for the last week. It connected at intervals long enough to evade the rules in fail2ban and didn’t cause the mail log files to grow fast enough for me to spot it manually without closer inspection. IP address in Germany, from a hosting provider seemingly known for running bots and hosting malicious code. The IP address is already in various “bad” databases and Google tells me that the domain has been found to be hosting viruses within the last week. fail2ban rules are now updated with a longer detection scope/ban length and it is gone now.
Squonk, I am getting that security certificate warning again. Not when I click on to your website but when I go to comments. ?? As I type, the address bar is coloured red and marked ‘certificate error’.
Is the mailbot thing you have been getting this as reported on the BBC website or some other?
Cryptolocker ransomware has ‘infected about 250,000 PCs’
Best wishes for 2014 and thanks for hosting us.
Thanks for that report Mary. I’ve switched recent comments back to the standard display while I investigate. Probably a bug in the new comments plugin but I’ll see what I can do to get it sorted.
What the mailbots do is try brute-force username and password attacks against the server, simply trying as many combinations as they can. Once they have a working username and password for an email account they can download all your email to look for passwords etc. in it for other accounts. They can also send spam from your email account which could contain any virus, including Cryptolocker.
Most of these attacks are easy to spot as they sometimes try thousands of combinations per hour and stick out a mile in log files if anyone even glances at them. This one was different in that it only tried a new one after a reasonable interval but, to compensate, had been doing that for days before I noticed it.
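The failures-per-interval logic the post describes, and the slow-bot evasion discussed in the comments above, as an added example that is not fail2ban's own code or anything from this site: a small Python model of a fail2ban-style jail (a filter regex plus a maxretry/findtime sliding window) run over constructed Postfix/SASL-style log lines. The addresses, log format and bot schedules are invented for the demonstration; the stock fail2ban thresholds (5 failures in 10 minutes) are real defaults, the "long scope" values are just one illustrative widening.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical filter regex in the style of a fail2ban filter: pulls the timestamp
# and client IP out of a Postfix/SASL "authentication failed" line.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)
TS_FMT = "%b %d %H:%M:%S"

def make_log(schedule):
    """Build constructed log lines from (ip, first_time, count, interval) tuples."""
    events = []
    for ip, start, count, step in schedule:
        for i in range(count):
            t = start + i * step
            events.append((t, f"{t.strftime(TS_FMT)} mail postfix/smtpd[1234]: warning: "
                              f"unknown[{ip}]: SASL LOGIN authentication failed"))
    return [line for _, line in sorted(events)]

def scan(lines, maxretry, findtime, year=2014):
    """fail2ban-style sliding window: ban an IP once it has maxretry failures
    inside any findtime window. Returns {ip: timestamp of the banning failure}."""
    recent, bans = defaultdict(deque), {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m.group("ip") in bans:
            continue
        ip, t = m.group("ip"), datetime.strptime(f"{year} {m.group('ts')}", f"%Y {TS_FMT}")
        q = recent[ip]
        q.append(t)
        while t - q[0] > findtime:      # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = t.strftime(TS_FMT)
    return bans

# Constructed addresses (documentation ranges) and schedules: a noisy bot firing
# 50 attempts in 50 seconds, and a stealthy one trying once every 15 minutes for 3 days.
FAST_BOT, SLOW_BOT = "198.51.100.7", "203.0.113.9"
START = datetime(2014, 1, 2, 3, 0, 0)
LOG = make_log([(FAST_BOT, START, 50, timedelta(seconds=1)),
                (SLOW_BOT, START, 3 * 24 * 4, timedelta(minutes=15))])

def default_jail():
    """fail2ban's stock thresholds: 5 failures within 10 minutes."""
    return scan(LOG, maxretry=5, findtime=timedelta(minutes=10))

def long_scope_jail():
    """Widened detection scope, as the fix above describes: 20 failures within a day."""
    return scan(LOG, maxretry=20, findtime=timedelta(days=1))

if __name__ == "__main__":
    print("default jail bans:   ", default_jail())     # slow bot slips through
    print("long-scope jail bans:", long_scope_jail())  # both bots caught
```

With the stock window the slow bot never has more than one failure inside any 10-minute span, so it is never banned; widening findtime to a day catches it after its 20th attempt, nearly five hours in, which is the trade-off between detection scope and how long a patient attacker gets to keep guessing.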