IPSet in addition to univention-firewall

I have a UCS 4.4-1 errata234 server. I am seeing a couple of aggressive, repetitive ssh attackers from the same IP addresses in China. I was considering installing IPSet to create a blacklist of IP addresses.

Is anyone using this process? Or, is there another suggested solution to easily manage durable blocking of ip addresses?

Hi @jsatterfield

I’m using fail2ban for that purpose.

Best,
Bernd

Bernd, I am using fail2ban as well. I have the ban time for ssh set to 3600 (1 hour), but the same Chinese IP addresses reappear every hour with more ssh hacking attempts.

How do you deal with permanently banning repeat offenders?

Hi John (@jsatterfield) ,

I don’t know how you followed this problem… Did you find a solution?
What I did today - so there is no experience with it yet - was to add the recidive jail to my jail.local like:

[recidive]
enabled = true

filter = recidive
action = iptables-allports[name=recidive]
logpath = /var/log/fail2ban.log

# findtime: 1 day
findtime = 86400

# bantime: forever
bantime = -1
maxretry = 15

If I understand correctly what it does (everybody free to correct):

  • looks in the fail2ban logfile for repeating IPs
  • bans them with a different bantime
  • it is not persistent over reboots
  • perhaps 15 is very ‘generous’ for a retry

Best
Bernd

This looks like a potential solution. In the immediate short term, I blocked the entire 222.186.0.0/16 IP range in the Univention firewall.

Your solution may be better. I need to try it!

Hi @jsatterfield,

I’m still struggling with the proper jail.local config. One thing I found today is that maxretry = 15 is much too high. If I understand some troubleshooting posts correctly, this means:
15 * maxretry and ban from other jails…
I’ve changed this to maxretry = 3 now.

Nevertheless I don’t quite understand why there was a unban event of the IP address that is attacking my email server.

I will try to look into this regularly…

Best,
Bernd
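To make the recidive behaviour in Bernd's jail.local and the maxretry point in his last post concrete, here is an added example (my own code, not fail2ban's and not part of this thread). It re-implements what the recidive filter counts, run over constructed fail2ban.log lines: every `Ban` line from any jail other than recidive itself is an offence, and an IP that collects `maxretry` such bans inside a `findtime` window is flagged. Because each of those bans already cost the attacker the underlying jail's own maxretry failures, a recidive maxretry of 15 fires far later than 3. The `ipset_commands()` helper, the set name `f2b-recidive` and the save-file path are assumptions; they build (but do not run) the ipset/iptables commands for a blocklist that can be restored at boot, which is the part the jail alone does not give you.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in fail2ban's default log format (not real data).
SAMPLE_LOG = """\
2019-09-01 10:00:01,123 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2019-09-01 11:00:02,456 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5
2019-09-01 11:05:10,789 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2019-09-01 12:05:11,001 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5
2019-09-01 12:10:00,002 fail2ban.actions        [1234]: NOTICE  [postfix] Ban 203.0.113.5
2019-09-01 12:30:00,003 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7
2019-09-01 12:40:00,004 fail2ban.actions        [1234]: NOTICE  [recidive] Ban 203.0.113.5
"""

BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+fail2ban\.actions\s+\[\d+\]:\s+"
    r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)\s*$"
)


def ban_events(log_text):
    """Return (timestamp, jail, ip) for every Ban line, skipping the recidive
    jail's own bans (fail2ban's recidive filter excludes them too, so a long
    recidive ban does not count as yet another offence)."""
    events = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if not m or m.group("jail") == "recidive":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        events.append((ts, m.group("jail"), m.group("ip")))
    return events


def find_recidivists(log_text, findtime=86400, maxretry=3):
    """Return {ip: time_flagged} for IPs banned at least `maxretry` times by
    any non-recidive jail within a sliding window of `findtime` seconds."""
    window = timedelta(seconds=findtime)
    history = defaultdict(list)
    flagged = {}
    for ts, _jail, ip in sorted(ban_events(log_text)):
        history[ip].append(ts)
        # Drop bans that have fallen out of the window ending at this event.
        history[ip] = [t for t in history[ip] if ts - t <= window]
        if len(history[ip]) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged


def ipset_commands(ips, setname="f2b-recidive", savefile="/etc/ipset-recidive.conf"):
    """Build (not run) the commands for a reboot-safe blocklist: an ipset the
    firewall matches on, dumped to a file that `ipset restore < file` can load
    at boot before the DROP rule referencing it is installed. Names are
    assumptions for this example."""
    cmds = [f"ipset create {setname} hash:ip -exist"]
    cmds += [f"ipset add {setname} {ip} -exist" for ip in sorted(ips)]
    cmds.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    cmds.append(f"ipset save {setname} > {savefile}")
    return cmds


if __name__ == "__main__":
    for retry in (15, 3):
        hits = find_recidivists(SAMPLE_LOG, maxretry=retry)
        print(f"maxretry={retry}: flagged {sorted(hits)}")
    for cmd in ipset_commands(find_recidivists(SAMPLE_LOG, maxretry=3)):
        print(cmd)
```

On the sample data, maxretry=15 flags nothing while maxretry=3 flags 203.0.113.5 at its third ban (the postfix one, since recidive counts bans from all jails). Note that the `bantime = -1` in the jail above keeps the ban in the running fail2ban only; a set restored from the saved file is what survives a reboot, and fail2ban's own `iptables-ipset-proto6-allports` action can be used instead of `iptables-allports` if you prefer fail2ban to maintain the set itself.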
