Botnet attacks - Fail2ban useless!

mrpink · Feb 2nd 2022

I removed fail2ban and switched completely to CrowdSec.

CrowdSec will recognize attacks on your system, and can block them by service or also to block the IP for the entire server. That depends how you configure the system. And you could also integrate the community lists, so attackers who are already recognized on other CrowdSec systems will be shared with your system. Hence the name crowdsecurity, you get the lists also from the crowd.

On the CrowdSec Hub you could see what Collections, Configurations and Bouncers are available. You can configure your systems how you like.

I haven't compared which one is better, but CrowdSec is a new and modern way for blocking attackers. For example for the log4j vulnerability it took only some hours and a new log4j block scenario was released.

Here also some more informations.

**fulltilt** · Feb 5th 2022

By the way ... same attacks are also carried out for postfix sasl with changing IP addresses, so I have set in F2B postfix_sasl to:

maxretry = 1

Currently, massive attacks on western servers are being carried out everywhere, checks for blacklisted IPs (DNSBL lists) are intermittently no longer possible ... today multirbl.valli.org was repeatedly not accessible anymore

https://multirbl.valli.org/lookup/

**Eyecu** · Feb 12th 2022

Quote from mrpink

I switched from fail2ban to crowdsec. And with one of the next releases also blocklists will be supported within crowdsec.

CrowdSec - The open-source & collaborative IPS

Any issues with the switch to crowdsec...any advice on setup or configuration you found in the switch?

Botnet attacks - Fail2ban useless!

Share

Daily visitors