Botnet attacks - Fail2ban useless!

  • The attacks have become more and more sophisticated lately, I took a closer look at the logs today and found that most attacks are now being carried out via botnets. The IP addresses are therefore changing every minute and a blocking via Fail2ban is becoming difficult without locking out regular customers.

    So Fail2ban is bypassed by botnets and another solution is needed ...

    does anyone have an idea?


    check out:

    tail -n 50000 /var/log/fail2ban.log | grep wordpress

    tail -n 50000 /var/log/fail2ban.log | grep postfix

    tail -n 50000 /var/log/fail2ban.log | grep postfix

    tail -n 50000 /var/log/fail2ban.log | grep dovecot

    tail -n 50000 /var/log/fail2ban.log | grep postfix-sasl

    etc.

  • Not a perfect solution, but if all the IPs are from countries you don't work with (or your customers), block the whole country 😅

    Thanks, I'm already using such country ipsets, this case is difficult because each request comes from a different IP address & country.

    I'm trying to improve my jail.local to block repeat offenders w/ increased ban times:

    http://blog.shanock.com/fail2b…mes-for-repeat-offenders/


    However, filtering and blocking a huge botnet is almost impossible ...

  • that's what I mean

    Code
    1. 181.53.12.11 - - [30/Jan/2022:12:56:25 +0100] "POST /wp-login.php HTTP/1.1" 200 2950 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36"
    2. 102.140.230.72 - - [30/Jan/2022:12:56:30 +0100] "POST /wp-login.php HTTP/1.1" 200 2950 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36"
    3. 27.34.25.97 - - [30/Jan/2022:12:56:43 +0100] "POST /wp-login.php HTTP/1.1" 200 2950 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
    4. 156.198.135.15 - - [30/Jan/2022:12:57:01 +0100] "POST /wp-login.php HTTP/1.1" 200 2968 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    5. 46.56.206.143 - - [30/Jan/2022:13:07:51 +0100] "POST /wp-login.php HTTP/1.1" 200 2969 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15"
    6. 49.149.67.65 - - [30/Jan/2022:13:08:24 +0100] "POST /wp-login.php HTTP/1.1" 200 2951 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"

    the IP address does not appear twice on the same day ...

    and in the background all possible passwords can be tested, day after day

  • I use https://www.abuseipdb.com/ with ipset/iptables with confidenceMinimum=49 and i block all tor exit nodes and the spamhaus drop list

    A lot less problems with spammer/hacked websites/...



    Against the wp-login.php brute force i use sometimes mod_qos (not at all sites - webdesigner could run into this qos too)


    SetEnvIf Request_URI ^/xmlrpc.php LimitWpXmlRpc

    QS_ClientEventLimitCount 10 120 LimitWpXmlRpc

    SetEnvIf Request_URI ^/wp-login.php LimitWpLogin

    QS_ClientEventLimitCount 10 120 LimitWpLogin


    If i have a customer whos a real target of a botnet than only a hetzner/ovh VM behind cloudflare is a solution and the hope thats the botnet is fast switching to the new target...

  • CSF and LFD may be also an alternative: https://www.configserver.com/cp/csf.html


    Pros:

    * Easy to maintain

    * Bruteforce detection

    * Customizable with regex

    * Build in Firewall, which is easy to configure

    * Can work with any CMS which logs bad login attemptions (Custom Log and Custom Rules)


    Cons:

    * Firewall is limitted to in- and outgoing - not a blocker for I-MSCP