[plug] 21nails and exim4
stinga
stinga at wolf-rock.com
Sun May 9 13:43:37 AWST 2021
G'day,
Don't use F2B, but do have a custom bit of code that tracks attempts to
connect and if invalid they get blocked.
I block about 359 in a 24-hour period, and after a secret predetermined
number of attempts they get blocked on a permanent basis: about 37 in a
24-hour period.
Currently have 13238 IPs listed that are blocked on ssh and mail ports.
On average it permanently blocks about 1000 IPs a month.
On 09/05/2021 08:00, William Kenworthy wrote:
> Hi Brad,
>
> I am finding firewalling in general is a big pain these days and getting
> less and less useful because of phones and IoT devices.
>
> BillK
>
>
> On 9/5/21 2:10 am, Brad Campbell wrote:
>> The release of the 21nails vulnerability list got me to get off my backside and upgrade a few servers. A job I've been putting off for "a while" (read as nearly a year past "end of support"). The additional default logging identified a swathe of attacks against the SMTP servers that, while I was aware of them, I never really paid attention to the magnitude of.
>>
>> As a result I finally installed fail2ban. Within half an hour of installing fail2ban I observed the attacks had changed in nature explicitly to evade the default fail2ban behaviour (on Debian/Devuan, 5 hits in 10 minutes gives a 10 minute ban). I altered the default jail time from 10 minutes to 60 minutes, and the bloody attacks adapted again. I know it's not just them hammering the port until fail2ban removes the iptables rule as I've watched it happen with tcpdump.
>>
>> These bots are getting clever!
>>
>> Brad
>>
>>
--
'ooroo
Stinga...(:)-)
---------------------------------------------------
Email: stinga at wolf-rock.com o
You need only two tools. o /////
A hammer and duct tape. If it /@ `\ /) ~
doesn't move and it should use > (O) X< ~ Fish!!
the hammer. If it moves and `\___/' \) ~
shouldn't, use the tape. \\\
---------------------------------------------------
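
An added example, not code from either poster: a sketch of the two-tier scheme this message describes (a temporary block on invalid attempts, then a permanent block after a cumulative number of them), replayed over constructed events. The 5-hits-in-10-minutes window is the fail2ban default quoted in the thread; `PERMANENT_AFTER`, the class and function names and the addresses are assumptions.

```python
from collections import defaultdict, deque

FINDTIME = 600        # seconds; the 10-minute window quoted in the thread
MAXRETRY = 5          # failures inside FINDTIME that trigger a temporary block
BANTIME = 600         # temporary block length, 10 minutes
PERMANENT_AFTER = 20  # assumed lifetime total; the post keeps its real number secret

class Tracker:
    """Per-IP failure tracking with a temporary and a permanent tier."""
    def __init__(self):
        self.recent = defaultdict(deque)  # ip -> failure times inside FINDTIME
        self.total = defaultdict(int)     # ip -> lifetime failures, never expires
        self.banned_until = {}            # ip -> end of temporary block
        self.permanent = set()

    def is_blocked(self, ip, now):
        return ip in self.permanent or self.banned_until.get(ip, 0) > now

    def failure(self, ip, now):
        """Record one invalid attempt; return 'permanent', 'temporary' or None."""
        self.total[ip] += 1
        window = self.recent[ip]
        window.append(now)
        while window and window[0] <= now - FINDTIME:
            window.popleft()              # forget failures older than the window
        if self.total[ip] >= PERMANENT_AFTER:
            self.permanent.add(ip)        # cumulative count ignores pacing
            return "permanent"
        if len(window) >= MAXRETRY:
            self.banned_until[ip] = now + BANTIME
            window.clear()
            return "temporary"
        return None

def replay(events):
    """Feed (timestamp, ip) failures through a Tracker; return last verdicts."""
    t, verdict = Tracker(), {}
    for now, ip in events:
        if not t.is_blocked(ip, now):     # blocked sources never reach the daemon
            verdict[ip] = t.failure(ip, now) or verdict.get(ip)
    return verdict, t

# Constructed events (documentation addresses): one noisy source, and one slow
# source that never accumulates MAXRETRY failures inside a single FINDTIME window.
NOISY = [(i * 10, "192.0.2.10") for i in range(5)]
PACED = [(i * 150, "198.51.100.7") for i in range(25)]
```

Calling `replay(sorted(NOISY + PACED))` shows the slow source never tripping the windowed rule yet still ending up on the permanent list once its lifetime count reaches the threshold.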