Linode Community Forums
PostPosted: Fri Feb 04, 2011 3:08 pm 
Senior Member

Joined: Tue Dec 07, 2010 10:18 am
Posts: 65
Hi,

My site was constantly under attack from .ru-based IPs looking for
/mambots/search.php. I was using Joomla on this website and my website was hacked one time.

I created a new filter in filter.d as apache-404.conf and created a new entry in jail.conf:

[apache-404]

enabled  = true
filter   = apache-404
action   = iptables[name=WWW, port=http, protocol=tcp]
           sendmail-whois[name=www, dest=richard@mydomain.net, sender=fail2ban@mydomain.net]
logpath  = /var/log/httpd/access_log
maxretry = 2


Working all fine ... this is really great.

Richard
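An added example (not Richard's apache-404 filter, which the post does not show): a Python replay of a 404-counting jail over constructed access_log lines, with a regex standing in for the filter's failregex and the ban expiry that later replies discuss modelled explicitly. The log lines, addresses and parameter defaults are constructed for the example.

```python
import math
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache access_log lines (sample data, not from the original post).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Feb/2011:15:01:02 +0000] "GET /mambots/search.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Feb/2011:15:01:03 +0000] "GET /mambots/search.php?x=1 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Feb/2011:15:01:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Feb/2011:15:05:00 +0000] "GET /missing.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Feb/2011:15:12:00 +0000] "GET /mambots/search.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Stand-in for a fail2ban failregex matching 404 responses; fail2ban's <HOST>
# token corresponds to the named group "host" here.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" 404 ')


def scan(log, maxretry=2, findtime=600, bantime=600):
    """Replay log lines through a jail. Returns (bans, retries): bans is a list
    of (host, ban_start_epoch); retries lists hosts failing again after a ban expired."""
    hits = defaultdict(deque)   # host -> epochs of recent failures
    banned_until = {}           # host -> epoch at which the ban is lifted
    bans, retries = [], []
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue
        host = m.group("host")
        t = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if host in banned_until:
            if t < banned_until[host]:
                continue            # iptables would have dropped this request
            del banned_until[host]  # ban expired: the host starts with a clean slate
            retries.append(host)
        q = hits[host]
        q.append(t)
        while q and t - q[0] > findtime:
            q.popleft()             # only failures inside findtime count
        if len(q) >= maxretry:
            bans.append((host, t))
            banned_until[host] = t + bantime
            q.clear()
    return bans, retries


def botnet_size(attempts_per_second, maxretry=3, bantime=600):
    """Hosts needed to sustain a rate when each host gets maxretry tries per bantime."""
    return math.ceil(attempts_per_second * bantime / maxretry)
```

With the defaults, 203.0.113.5 is banned on its second 404 and is counted again once the ten-minute ban has lapsed; raising bantime past the gap makes that third request a dropped one instead.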


PostPosted: Fri Feb 04, 2011 3:15 pm 
Senior Member

Joined: Tue Dec 07, 2010 10:18 am
Posts: 65
Just to give an idea .. within 5 minutes 10 hosts were blocked.

So you can imagine the constant attacks ..


Richard


PostPosted: Mon Feb 07, 2011 11:14 am 
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
fail2ban does not provide any added security. It merely helps keep your log files clean. If you were hacked without it, and haven't fixed the underlying problem, you'll be hacked with it.


PostPosted: Mon Feb 07, 2011 12:16 pm 
Junior Member

Joined: Sun Jan 02, 2011 4:38 pm
Posts: 23
Guspaz wrote:
fail2ban does not provide any added security. It merely helps keep your log files clean. If you were hacked without it, and haven't fixed the underlying problem, you'll be hacked with it.


fail2ban doesn't provide any security? What's the "ban" part then?

I agree that it won't stop vulnerable code from being exploited, but it should stop attempts to brute force passwords. Or do you know something I don't?


PostPosted: Mon Feb 07, 2011 1:05 pm 
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
The "ban" part is what keeps your log files a bit cleaner. It won't stop a botnet from brute forcing a password, and since it removes bans after a few minutes, even for single hosts it only slows down brute force attempts. If you're afraid of brute forced passwords, switch to key-based auth.

fail2ban does not provide any extra security; anybody relying on it for this purpose is in for a nasty surprise.


PostPosted: Mon Feb 07, 2011 2:32 pm 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
You'd be better off with http://www.modsecurity.org/ to protect from potential exploits. Of course nothing beats well written code ;)

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


PostPosted: Mon Feb 07, 2011 9:24 pm 
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
Guspaz wrote:
fail2ban does not provide any extra security; anybody relying on it for this purpose is in for a nasty surprise.


Maybe you're using it differently than I am, but my fail2ban watches logs, and when someone fails more than the specified amount, it adds an iptables filter to block them. So I have no idea what you're talking about.


PostPosted: Mon Feb 07, 2011 10:06 pm 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
So what happens if they have a botnet with 100 IPs and, say, your script blocks after 5 bad attempts? They have 500 attempts to crack you.

Something like mod sec filters every bad request, stopping the exploit; fail2ban only prevents things like log flooding and DoS attacks (not so good at DDoS).



PostPosted: Mon Feb 07, 2011 10:26 pm 
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
obs wrote:
Of course nothing beats well written code

Be sure to let us know if you find some.


PostPosted: Mon Feb 07, 2011 10:36 pm 
Senior Member

Joined: Sun May 23, 2010 1:57 pm
Posts: 315
Website: http://www.jebblue.net
I use both fail2ban and iptables rate limiting.

These sites are helpful too:

http://www.countryipblocks.net/
http://www.okean.com/thegoods.html


PostPosted: Mon Feb 07, 2011 10:48 pm 
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
obs wrote:
So what happens if they have a botnet with 100 IPs and, say, your script blocks after 5 bad attempts? They have 500 attempts to crack you.

Something like mod sec filters every bad request, stopping the exploit; fail2ban only prevents things like log flooding and DoS attacks (not so good at DDoS).


I'm not saying installing fail2ban will give your server magical protection. But assuming a server with fail2ban vs one without, fail2ban increases security. Given your example, I'd rather them have 500 attempts than the fairly unlimited number they'd otherwise have.

While it's useful to point out the limitations of security techniques, broad statements like "fail2ban doesn't increase security" are counterproductive.


PostPosted: Tue Feb 08, 2011 4:52 am 
Senior Member

Joined: Mon Dec 07, 2009 6:46 am
Posts: 331
Security is like an onion. There are layers, and no single layer is going to do all the work. fail2ban is just a layer, albeit a feeble one.


PostPosted: Tue Feb 08, 2011 11:53 am 
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
akerl wrote:
I'm not saying installing fail2ban will give your server magical protection. But assuming a server with fail2ban vs one without, fail2ban increases security. Given your example, I'd rather them have 500 attempts than the fairly unlimited number they'd otherwise have.


But, by default at least, they *do* have an unlimited number of tries. fail2ban removes bans after a few minutes for several reasons. This is ignoring the fact that large botnets can have millions of compromised machines... But they don't even need that many.

The default setting for fail2ban is 600 seconds per ban after 3 tries.

Let's say they want to hit you 10 times per second. This would require only 2000 machines, which is tiny for a botnet.

akerl wrote:
While it's useful to point out the limitations of security techniques, broad statements like "fail2ban doesn't increase security" are counterproductive.


It's not counterproductive, it's a productive warning to say "Don't rely on fail2ban, it provides no added security, at best it merely slows down brute force attacks but does nothing to prevent them."

A false sense of security is dangerous.


PostPosted: Tue Feb 08, 2011 12:50 pm 
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
Guspaz wrote:
Don't rely on fail2ban, it provides no added security, at best it merely slows down brute force attacks but does nothing to prevent them.


Correct me if I'm wrong, but "slow(ing) down brute force attacks" sounds suspiciously like security to me. Arguing counter to that is like arguing that having a lock on your door doesn't secure your house. Anyone who wants to get in will quickly and easily bypass your lock, but you don't see many people arguing for lockless front doors.

The only way to prevent brute force attacks in the manner you seem to be implying is to turn off your server. As long as you have open ports, someone will be able to jump through hoops and brute force you if they want to badly enough.


PostPosted: Tue Feb 08, 2011 1:18 pm 
Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
akerl wrote:
Arguing counter to that is like arguing that having a lock on your door doesn't secure your house.

No, having fail2ban on your house means you have a guy by the door who takes away the burglar's keyring after he tries three incorrect keys, but then gives it back 10 minutes later.

_________________
/ Peter

