[plug] 21nails and exim4

William Kenworthy billk at iinet.net.au
Sun May 9 08:00:05 AWST 2021


Hi Brad,

I am finding firewalling in general is a big pain these days and getting
less and less useful because of phones and IoT devices.  I have found
that the longer you run F2B, the more the rate of probes drops, but you
only need to appear on the Internet for a few probes and the cycle starts
again :(  I do suspect they randomly throw packets at every possible
internet address waiting for a host to appear so it can receive
attention.  To me the value of F2B is that once it triggers, I am
invisible to, and have nothing to do with, that host for a considerable time.

Setting F2B to be on a hair trigger and significantly increasing the ban and
especially the recidive ban times helps - at least during the ban times
they can't get anything useful.  I am also using ipset ban lists from
"firehol" feeding F2B to increase the coverage.  The problem is, as
with any reactive setup, it takes maintenance with white and blacklists
and you get an occasional self-DOS.

I don't do anything with ipv6 (just blackhole everything coming in/out)
- can anyone comment if it's better or worse than ipv4?

BillK


On 9/5/21 2:10 am, Brad Campbell wrote:
> G'day all,
>
> The release of the 21nails vulnerability list got me to get off my backside and upgrade a few servers. A job I've been putting off for "a while" (read as nearly a year past "end of support"). The additional default logging identified a swathe of attacks against the SMTP servers that, while I was aware of, I never really paid attention to the magnitude of.
>
> As a result I finally installed fail2ban. Within half an hour of installing fail2ban I observed the attacks had changed in nature explicitly to evade the default fail2ban behaviour (on debian/devuan, 5 hits in 10 minutes gives a 10 minute ban). I altered the default jail time from 10 minutes to 60 minutes, and the bloody attacks adapted again. I know it's not just them hammering the port until fail2ban removes the iptables rule as I've watched it happen with tcpdump.
>
> These bots are getting clever!
>
> Brad
>
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership
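A jail.local along the lines BillK describes (hair trigger, much longer first bans, a recidive jail with longer bans still, and a whitelist so a mistyped password from your own hosts does not become the self-DOS he mentions). This is an added example, not a config from the thread; the exim log path, the whitelisted network and the exact timings are assumptions.

```ini
# /etc/fail2ban/jail.local (constructed example; adjust paths and values to your site)
[DEFAULT]
# Whitelist your own hosts first: most "self-DOS" incidents are fail2ban banning
# your own phones, laptops or monitoring boxes after a few bad logins.
# 192.0.2.0/24 is a documentation range used here as a placeholder.
ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24

# Hair trigger: 3 failures within 10 minutes ...
findtime = 10m
maxretry = 3
# ... earns a first ban of one day instead of the Debian default of 10 minutes.
bantime = 1d

# Let repeat offenders get progressively longer bans (fail2ban 0.10 and later).
bantime.increment = true
bantime.maxtime = 4w

[exim]
# Debian/Devuan exim4 writes authentication and relay failures to mainlog.
enabled = true
port = smtp,465,submission
logpath = /var/log/exim4/mainlog

[recidive]
# Second-level jail: reads fail2ban's own log and bans any host that has been
# banned repeatedly by any jail, for much longer than the per-service jails.
enabled = true
logpath = /var/log/fail2ban.log
findtime = 1w
maxretry = 3
bantime = 8w
```

After editing, `fail2ban-client reload` applies the jails and `fail2ban-client status recidive` shows what the second-level jail is currently holding.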

