On Thursday 13 January 2022 at 11:41:48, Didier Kryn wrote:
> My experience/understanding of fail2ban is that it's intended
> against attackers "smart" enough to periodically change their address.
I don't care whether it's individual attackers who change their address, or
multiple attackers each coming from one address; I use fail2ban to block
anyone who's clearly trying to "get in" or at least abuse my services (email,
SSH, SIP are the most common I see) by trying some credentials, failing, and
then trying again and failing sufficient times in a short period that it can't
be someone who's supposed to get in.
I have also (like Simon) written my own rule to scan the fail2ban log file
itself, and add repeat offenders to a permanent block list, which also survives
reboots.
The one feature I'd like to see on fail2ban is multi-server communication, so
that if one of my machines has a reason to block an address, it tells all my
others to block that address as well.
> For fixed addresses, custom iptables rules were the "simple" way to go. Now
> I guess it's custom nftables rules.
Where do you get the list of fixed addresses to block?
Antony.
--
The more 'success' you get, the easier it is to be disappointed by not getting
things.
The only difference is that now no-one feels sorry for you.
- Matt Haig
Please reply to the list;
please *don't* CC me.
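
Added example, not part of the original message and not the rule Antony or Simon wrote: one way to scan the fail2ban log for repeat offenders, as the message describes. The log lines are a constructed sample in fail2ban's usual log format; the function name, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample log (documentation-range addresses, not real data).
SAMPLE_LOG = """\
2022-01-10 08:00:01,100 fail2ban.actions [811]: NOTICE  [sshd] Ban 203.0.113.5
2022-01-10 08:10:01,100 fail2ban.actions [811]: NOTICE  [sshd] Unban 203.0.113.5
2022-01-11 09:00:00,200 fail2ban.actions [811]: NOTICE  [postfix] Ban 203.0.113.5
2022-01-11 09:30:00,000 fail2ban.actions [811]: NOTICE  [sshd] Ban 198.51.100.7
2022-01-12 07:00:00,000 fail2ban.actions [811]: NOTICE  [sshd] Restore Ban 198.51.100.7
2022-01-12 10:00:00,300 fail2ban.actions [811]: NOTICE  [asterisk] Ban 203.0.113.5
2022-01-13 11:00:00,000 fail2ban.actions [811]: NOTICE  [sshd] Ban 2001:db8::1
"""

# Match only fresh "Ban" actions; "Unban" and "Restore Ban" do not match.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s+"
    r"\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)\s*$"
)

def repeat_offenders(lines, threshold=3, window=timedelta(days=7)):
    """Return sorted addresses banned >= threshold times within the window,
    counted across all jails (SSH, mail, SIP, ...)."""
    recent = defaultdict(deque)   # address -> ban timestamps still in window
    flagged = set()
    for line in lines:
        m = BAN_RE.match(line)
        if not m:
            continue
        try:
            ip = ip_address(m["ip"])      # rejects anything not IPv4/IPv6
        except ValueError:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:         # drop bans older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(str(ip) for ip in flagged)

if __name__ == "__main__":
    for addr in repeat_offenders(SAMPLE_LOG.splitlines()):
        print(addr)
```

Writing the returned addresses to a file that the firewall loads at boot is what would make such a block list survive reboots.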