Posts by fulltilt

    By the way ... same attacks are also carried out for postfix sasl with changing IP addresses, so I have set in F2B postfix_sasl to:

    maxretry = 1

    Currently, massive attacks on western servers are being carried out everywhere, checks for blacklisted IPs (DNSBL lists) are intermittently no longer possible ... today multirbl.valli.org was repeatedly not accessible anymore

    https://multirbl.valli.org/lookup/

    that's what I mean

    181.53.12.11 - - [30/Jan/2022:12:56:25 +0100] "POST /wp-login.php HTTP/1.1" 200 2950 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36"
    102.140.230.72 - - [30/Jan/2022:12:56:30 +0100] "POST /wp-login.php HTTP/1.1" 200 2950 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36"
    27.34.25.97 - - [30/Jan/2022:12:56:43 +0100] "POST /wp-login.php HTTP/1.1" 200 2950 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
    156.198.135.15 - - [30/Jan/2022:12:57:01 +0100] "POST /wp-login.php HTTP/1.1" 200 2968 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    46.56.206.143 - - [30/Jan/2022:13:07:51 +0100] "POST /wp-login.php HTTP/1.1" 200 2969 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15"
    49.149.67.65 - - [30/Jan/2022:13:08:24 +0100] "POST /wp-login.php HTTP/1.1" 200 2951 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"

    the IP address does not appear twice on the same day ...

    and in the background all possible passwords can be tested, day after day

    Not a perfect solution, but if all the IPs are from countries you don't work with (or your customers), block the whole country 😅

    Thanks, I'm already using such country ipsets, this case is difficult because each request comes from a different IP address & country.

    I'm trying to improve my jail.local to block repeat offenders w/ increased ban times:

    http://blog.shanock.com/fail2b…mes-for-repeat-offenders/


    However, filtering and blocking a huge botnet is almost impossible ...

    The attacks have become more and more sophisticated lately, I took a closer look at the logs today and found that most attacks are now being carried out via botnets. The IP addresses are therefore changing every minute and a blocking via Fail2ban is becoming difficult without locking out regular customers.

    So Fail2ban is bypassed by botnets and another solution is needed ...

    does anyone have an idea?
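
Per-IP counting cannot see the pattern in the access log lines quoted earlier on this page, where each address makes a single attempt. As an added example (not part of the original posts and not Fail2ban code), the sketch below counts POSTs to /wp-login.php across all sources in a sliding window; the function names, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Combined log format as in the quoted lines: IP, timestamp, request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
)

def parse(line):
    """Return (timestamp, ip) for a POST to /wp-login.php, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
        return None
    return datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def distributed_bursts(lines, window=timedelta(minutes=10), min_posts=5, min_ips=4):
    """Yield (time, posts, distinct_ips) whenever the login endpoint as a whole
    crosses the thresholds, however few requests each single IP has made.
    Expects lines in chronological order, as in an access log."""
    recent = deque()  # (timestamp, ip) pairs inside the sliding window
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        recent.append(hit)
        while recent[0][0] < hit[0] - window:
            recent.popleft()
        ips = {ip for _, ip in recent}
        if len(recent) >= min_posts and len(ips) >= min_ips:
            yield hit[0], len(recent), len(ips)

# Constructed sample: documentation-range addresses, one attempt per source,
# followed by an unrelated GET that must be ignored.
UA = '"-" "Mozilla/5.0"'
SAMPLE = [
    f'192.0.2.{i} - - [30/Jan/2022:12:5{i}:00 +0100] "POST /wp-login.php HTTP/1.1" 200 2950 {UA}'
    for i in range(1, 7)
] + ['198.51.100.9 - - [30/Jan/2022:12:58:10 +0100] "GET /index.php HTTP/1.1" 200 512 ' + UA]

if __name__ == "__main__":
    for end, posts, ips in distributed_bursts(SAMPLE):
        print(f"{end.isoformat()}: {posts} login POSTs from {ips} IPs in window")
```

A signal like this can drive a response that does not depend on banning individual addresses, such as rate limiting or an extra challenge on the login URL.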


    check out:

    tail -n 50000 /var/log/fail2ban.log | grep wordpress

    tail -n 50000 /var/log/fail2ban.log | grep postfix

    tail -n 50000 /var/log/fail2ban.log | grep dovecot

    tail -n 50000 /var/log/fail2ban.log | grep postfix-sasl

    etc.

    OK, panel, postfix, dovecot, proftpd and apache2 are reachable over IPv6 and Gmail also accepts IPv6 connections w/ valid ipv6 SPF include.

    I use external PDNS name servers, these are not yet set or registered to ipv6.


    Must the name servers resolve to ipv6 addresses or should mail ipv6 be deactivated if ns1.mydomain.tld and ns2.mydomain.tld only resolve to ipv4 currently?

    All of my DNS zone records have valid AAAA entries, except ns1 and ns2 themselves.

    Update: Saw that you added it automatically - remove it and add the address manually. Also change/adjust your network settings based on my example and all should be fine


    Seems to work now, I had to reboot because with the previous auto setting a different IP was created ...


    This is a Hetzner cloud, so I can configure the network statically but only with ipv4, after that the ipv6 resolution no longer works. But the IP addresses are still fixed, I think it works with the Hetzner standard network cloud configuration - everything is OK in the I-mscp panel now ... or what do you think about it?


    The resolution still works, should the IPv6 address also go into /etc/hosts?

    You do not have to - it is only for "monitoring" the services over the I-MSCP backend - some kind of status page within I-MSCP.


    But I suggest to add the address under:

    * Settings -> Address Management

    Thank you!

    the problem is, I can not select eth0:0 and with eth0 it shows some info icons to change afterwards.

    auto eth0:0
    iface eth0:0 inet6 static