Botnet attacks - Fail2ban useless!

  • I removed fail2ban and switched completely to CrowdSec.


    CrowdSec recognizes attacks on your system and can block them per service, or block the IP for the entire server. That depends on how you configure the system. You can also integrate the community lists, so attackers who have already been recognized on other CrowdSec systems are shared with your system. Hence the name CrowdSec: you also get the lists from the crowd.


    On the CrowdSec Hub you can see which Collections, Configurations and Bouncers are available. You can configure your systems however you like.


    I haven't compared which one is better, but CrowdSec is a new and modern way of blocking attackers. For example, for the log4j vulnerability it took only a few hours until a new log4j blocking scenario was released.


    Here is also some more information.

    Patched i-MSCP 1.5.4 on Debian Stretch | Apache 2.4.52 | Nginx 1.21.4 | OpenSSL 1.1.1 | php 7.0 - 8.1 | Dovecot 2.3.17.1 | Bind 9.16.25 | Postfix 3.1.15 | MariaDB 10.1.48 | ProFTPD 1.3.5b | Rspamd 2.7 | ClamAV 0.103.4 | Roundcube 1.5.2 | CrowdSec 1.3.0

  • By the way ... the same attacks are also being carried out against Postfix SASL with changing IP addresses, so I have set the following in the F2B postfix_sasl jail:

    maxretry = 1

    Currently, massive attacks on western servers are being carried out everywhere; checks of blacklisted IPs (DNSBL lists) are intermittently no longer possible ... today multirbl.valli.org was repeatedly not accessible.

    https://multirbl.valli.org/lookup/
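The reason maxretry = 1 matters against a botnet that rotates source addresses is easy to see by replaying fail2ban's counting rule over a log. The script below is an added example, not code from the poster or from fail2ban or i-MSCP: it uses a simplified version of the postfix-sasl failregex (assumption: the real filter's prefix handling is more elaborate), constructed sample log lines with TEST-NET addresses, an assumed year for the syslog timestamps (which has no effect on the result), and a minimal reimplementation of the maxretry/findtime window. It then shows which hosts a jail would ban with maxretry = 3 versus maxretry = 1.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified version of fail2ban's postfix-sasl failregex (assumption: the real
# filter also handles other syslog prefixes; this is enough for the lines below).
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<host>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed"
)

# Constructed sample log lines (not real logs): a botnet walks a password list,
# using a different TEST-NET address for almost every attempt. Only 192.0.2.44
# retries often enough to trip a conventional maxretry of 3.
SAMPLE_LOG = """\
Jan 20 10:00:01 mail postfix/smtpd[2101]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 20 10:00:07 mail postfix/smtpd[2102]: warning: unknown[203.0.113.11]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 20 10:00:12 mail postfix/smtpd[2103]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Jan 20 10:00:18 mail postfix/smtpd[2104]: connect from unknown[198.51.100.8]
Jan 20 10:00:19 mail postfix/smtpd[2104]: warning: unknown[198.51.100.8]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 20 10:00:25 mail postfix/smtpd[2105]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 20 10:00:31 mail postfix/smtpd[2106]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 20 10:00:40 mail postfix/smtpd[2107]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 20 10:00:45 mail postfix/smtpd[2108]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""


def parse_failures(log_text, year=2022):
    """Return a list of (timestamp, host) for every line matching the SASL
    failure pattern. Syslog lines carry no year, so one is assumed."""
    failures = []
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if not m:
            continue  # e.g. "connect from" lines are not failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["host"]))
    return failures


def simulate_jail(failures, maxretry, findtime=600):
    """Replay fail2ban's counting rule: a host is banned as soon as it has
    `maxretry` matches within `findtime` seconds. Returns banned hosts in
    ban order; a host already banned is not counted again."""
    window = defaultdict(list)
    banned = []
    for ts, host in failures:
        if host in banned:
            continue
        recent = [t for t in window[host] if (ts - t).total_seconds() <= findtime]
        recent.append(ts)
        window[host] = recent
        if len(recent) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print(f"{len(fails)} SASL failures from {len({h for _, h in fails})} hosts")
    for maxretry in (3, 2, 1):
        print(f"maxretry = {maxretry}: bans {simulate_jail(fails, maxretry)}")
```

With maxretry = 3 only the one host that retried is banned while the other four bots each got a free guess; with maxretry = 1 every bot is banned on its first failure. The trade-off is that a legitimate user who mistypes a password once is banned just as quickly, so pair the setting with a short bantime for that jail and an ignoreip entry for known client addresses.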