
We hit 100,000 IP's blocked last night from a spam botnet

My firewall has now blocked 100,768 IP addresses from the namecheap.com spam botnet.  These sleazebags have been spamming us 24x7 for over 5 years now.  Not one single spam - NOT ONE - has been delivered to any of my users.

What a waste of internet bandwidth though.  I wish ... bad things to happen to them.



  • vicegod said:

    Huge fan of Fail2Ban.

    I'm assuming you have it running on/with your UTM instance?

    Regards

    Craig


    Yes, just ssh into UTM and copy the installer with FTP.  It installs into /etc/fail2ban.

    Would you like to share jails and configs?  I think the magic is in the "filter" files.

  • Sure can... I don't use Fail2Ban on the UTM, but on a CentOS webserver; I'm assuming the logs are similar.

    So, advice for anyone attempting to use Fail2Ban:

    First bit of advice... small steps, one at a time. Back up configs, implement, watch, test, tweak - repeat.

    Second bit of advice - drinking beer while you tweak into the night is not advisable.

    Whitelist your servers and your connection/admin IP!!! (More than likely Sophos IPs for updates etc.)

    Activate the sshd filter - whitelist your admin IPs!

    Watching the Fail2Ban log can be "fun" - No. 1 tool: tail -f /etc/fail2ban/fail2ban.log

    No. 2 tool is a testing process for checking logs against regex. If you block the wrong stuff, you are screwed, e.g. background updates, SSL updates, server monitors, or worse, you lock yourself out.

    https://www.regextester.com/94338

    This allows a dump of a log segment to test the regex.

    Document and name your filters for easy ID.

    These are probably the most active filters I have created - disclaimer - use at your own risk -

    test them before to see what they do!

    # hashed-out comments are recipes I have created and used at times

    -------------------------

    jail.local:

    [dovecotCraigHack]
    enabled = true
    port    = pop3,pop3s,imap,imaps,submission,465,sieve
    logpath = /var/log/exim_rejectlog
    maxretry = 1

    File Filter "dovecotCraigHack.conf"

    #\[\d+\] dovecot_(?:login|plain) authenticator failed (?:\S* )?(?:\(\S*\)|\S*)? (?:\(\S*\))? (\[\S+\])
    #\[\d+\] dovecot_(?:login|plain) authenticator failed (?:\S* )?(?:\(\S*\)|\S*)? (?:\(\S*\))? (\[<HOST>\])
    #\[\d+\](.*)(\[\S+\])(.*)(\[\S+\])(.*)The account or domain may not exist, they may be blacklisted, or missing the proper dns entries
    #\[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)The account or domain may not exist, they may be blacklisted, or missing the proper dns entries
    #\[\d+\](.*)(\[\S+\])(.*)(\[\S+\])(.*)\:25 sender verify fail for(.*)\: No Such User Here\"
    #\[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)\:25 sender verify fail for(.*)\: No Such User Here\"
    #\[\d+\](.*)(\[\S+\])(.*)(\[\S+\])(.*)\:25\: 535 Incorrect authentication data
    #\[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)\:25\: 535 Incorrect authentication data
    [Definition]
    failregex = \[\d+\] dovecot_(?:login|plain) authenticator failed (?:\S* )?(?:\(\S*\)|\S*)? (?:\(\S*\))? (\[<HOST>\])
            \[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)The account or domain may not exist, they may be blacklisted, or missing the proper dns entries
            \[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)\:25 sender verify fail for(.*)\: No Such User Here\"
            \[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)\:25\: 535 Incorrect authentication data
    ignoreregex =


    -------------------------

    jail.local:


    [eximCraigHack]
    enabled = true
    port   = smtp,465,submission
    logpath = /var/log/exim_mainlog
    maxretry = 1

    File Filter "eximCraigHack.conf"

    #\[\d+\] SMTP connection from \[(<HOST>)\]
    #\[\d+\] no MAIL in SMTP connection from \(\[(<HOST>)\]\)
    [Definition]
    failregex = \[\d+\] no MAIL in SMTP connection from (?:\S* )?(?:\(\S*\) )?(\[<HOST>\])
    ignoreregex = 

    -------------------------


    Regards

    Craig
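    Following Craig's advice to test a filter against real log lines before enabling it, here is an added Python example (not from the thread and not fail2ban's own code) that parses the dovecotCraigHack.conf definition the way fail2ban reads it, expands <HOST> with what I assume to be fail2ban's substitution pattern, and runs the result over constructed exim log lines, including one legitimate line that must not match.

```python
import configparser
import re

# Copy of the [Definition] section of dovecotCraigHack.conf from the post above.
FILTER_CONF = r"""[Definition]
failregex = \[\d+\] dovecot_(?:login|plain) authenticator failed (?:\S* )?(?:\(\S*\)|\S*)? (?:\(\S*\))? (\[<HOST>\])
            \[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)The account or domain may not exist, they may be blacklisted, or missing the proper dns entries
            \[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)\:25 sender verify fail for(.*)\: No Such User Here\"
            \[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)\:25\: 535 Incorrect authentication data
ignoreregex =
"""

# Assumption: the pattern fail2ban substitutes for <HOST> (IPv4/IPv6 address or
# hostname captured into the named group "host").
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def load_failregex(conf_text):
    """Read failregex like fail2ban does: indented continuation lines are
    extra patterns. Returns compiled regexes with <HOST> expanded."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get("Definition", "failregex")
    return [re.compile(line.strip().replace("<HOST>", HOST_RE))
            for line in raw.splitlines() if line.strip()]


def match_hosts(patterns, log_lines):
    """Return [(line, host)] for each line that any pattern hits (first hit wins)."""
    hits = []
    for line in log_lines:
        for pat in patterns:
            m = pat.search(line)  # approximates what fail2ban-regex reports
            if m:
                hits.append((line, m.group("host")))
                break
    return hits


# Constructed exim_rejectlog-style lines (not real traffic); RFC 5737 addresses.
SAMPLE_LOG = [
    # should match: failed dovecot authentication from 203.0.113.5
    "2019-06-01 10:00:01 [12345] dovecot_login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=user)",
    # should match: sender verify failure on port 25 from 198.51.100.7
    "2019-06-01 10:00:02 [12346] H=(bad.example.test) [198.51.100.7]:54321 I=[203.0.113.10]:25 sender verify fail for <spam@example.test>: No Such User Here\"",
    # must NOT match: a normal authenticated submission from a real client
    "2019-06-01 10:00:03 [12347] <= user@mydomain.test H=(laptop) [203.0.113.77]:5000 I=[203.0.113.10]:465 P=esmtpsa A=dovecot_login:user S=1234",
]

if __name__ == "__main__":
    for line, host in match_hosts(load_failregex(FILTER_CONF), SAMPLE_LOG):
        print(host, "<-", line[:60])
```

    The stock fail2ban-regex tool does the same job against a real log file and the filter file, which is the check to run before setting enabled = true.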

  • LMAO, Craig - "Second bit of advice - drinking beer while you tweak into the night is not advisable."

    Thanks for your contributions here!

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    LMAO, Craig - "Second bit of advice - drinking beer while you tweak into the night is not advisable."

    Thanks for your contributions here!

    Cheers - Bob


    I don't know, some of my best tweaking was done with Guinness.

  • vicegod said:

    [dovecotCraigHack]

    enabled = true
    port    = pop3,pop3s,imap,imaps,submission,465,sieve
    logpath = /var/log/exim_rejectlog
    maxretry = 1

    I started off blocking individual ports like that too, but then I thought why?

    If you attack me, I block you completely.  All ports.  For a minimum of 2 years.