Fail2Ban - Protecting Our Systems

Services / Servers

In the past, people’s emails were compromised by password-cracking hackers. So when I’m setting up new services I’m creating fail2ban scripts for all services:

This includes background services such as these:

  • ssh access for our services
  • pop3
  • smtp

But I’ve also added it to web logins on our services:

Fail2ban works like this

For most of these, if you have a failed login more than 6 times within 10 minutes your IP will be blocked for an hour. In the case of wind and webmail logins it doesn’t matter if the login worked or not; it will block your IP for an hour. This is because it’s not possible to code checking for failed logins for web-based logins. Blocking means you won’t be able to access the service at all, i.e. the website won’t even load up any more.

Furthermore, if a particular IP gets blocked repeatedly (multiple times in a day) it will be banned for a week. At this point it should also email the comms, though this is not working as yet for the server wind is on.

I have seen a handful of logins on WIND being blocked. And people seemed to come back from it.

If this happens to you, don’t take it personally. Just come back later. I know remembering passwords is a chore. A clue that this has happened to you is if you repeatedly try to log in to a service and then suddenly the connection just gets refused. If you refresh the login page and it doesn’t refresh, that is another clue. This is to protect your data and to ensure our services stay up and running.

Brute Force Logins on Radius Routers

We have brute-force login protection WUG wide on routers running WMS with radius.

6 failed login attempts within 10 minutes into such a router will result in the source IP being null routed (blackholed) WUG wide for an hour. If this repeats in a 24h period a longer blackhole will be implemented. This is also likely to lead to some uncomfortable questions from the committee.

The 6 attempts are counted across routers. So 6 failed logins across different routers within 10 min will also lead to a ban & blackhole.

I believe this should catch 99% of the broad based attacks we’ve seen. This does not cover all routers though. This is a safety measure and does not protect us from bad security practices such as users without passwords etc.

If you suspect you’ve been accidentally blackholed by this:

  1. Please check if you can reach any ospf rb. If you cannot then it might be the case.
  2. Check https://chat.ctwug.za.net/channel/security to see if your IP is listed there. Wait there for a message that it is unbanned.
  3. Wait an hour and carefully try logging again.

Using Avast?

It contains a module called “Wifi Inspector”. This does a series of logins on routers on your network to test for weak passwords. If one of those routers is running radius, your IP will be blocked as this will be observed as a brute-force attack.

Please disable this function, or do not use it when you have OSPF/WMS/radius routers on the same network as your PC.

Internet IPs in the OSPF routing table

Sometimes the scripts get triggered by internet IPs: guys from the internet trying to log into routers that run radius. So this script also blocks these and distributes a null route on these. It was not the intention to null route internet IPs on the wug, but when I saw it happening I thought we may as well leave it. It might just provide further protection should that guy try to log into another CTWUG system.

Tracing to that should stop at the nearest services tunnel. If you feel your internet is being blocked by this we can remove it, but if you really want to connect someone who is actively trying to hack a router then your mind should be read :slight_smile:

SMB Port Scanning (associated with various viruses like WannaCry)

I’ve implemented automatic blackholing of IPs that scan SMB ports on certain hosts. Any packet received on those ports will result in the source IP being null routed (blackholed) across CTWUG. If you are scanning on such ports you are either infected by a virus or trying to find insecure shares. Either way you will be blackholed.

If you suspect you’ve been blackholed by this:

  1. Please check if you can reach any ospf rb. If you cannot then it might be the case.
  2. Check https://chat.ctwug.za.net/channel/security to see if your IP is listed there. Wait there for a message that it is unbanned.
  3. Consider scanning all your PCs’ firewalls for WannaCry and similar.
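The ban rules described in the post (6 failures within 10 minutes counted across routers, a 1 hour ban, and a repeat ban within 24 hours escalating to a week), simulated as a sliding-window counter. This is an added example, not the wug’s fail2ban scripts; the log format, router names and IPs are constructed.

```python
"""Added simulation of the ban policy in the post (not fail2ban's own code):
6 failures in 10 min, counted across routers, bans 1 h; a repeat ban within
24 h escalates to 1 week. All log lines and IPs below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
FINDTIME, MAXRETRY, BANTIME = timedelta(minutes=10), 6, timedelta(hours=1)
RECIDIVE_WINDOW, RECIDIVE_BAN = timedelta(hours=24), timedelta(weeks=1)
LOG_RE = re.compile(r"^(\S+) (\S+) radius login failed from (\S+)$")
ROUTERS = ("rb-core1", "rb-core2", "rb-edge3")
# Constructed events: 10.10.5.7 spreads 6 failures over three routers at
# 08:00-08:05 (ban), then 6 more at 10:30-10:35 (repeat -> week);
# 10.10.9.9 fails twice 33 min apart and never trips the threshold.
SAMPLE_LOG = "\n".join(
    f"2024-05-01T{h}:{m:02d}:00 {rb} radius login failed from {ip}"
    for h, m, rb, ip in
    [("08", i, ROUTERS[i % 3], "10.10.5.7") for i in range(6)]
    + [("08", 7, "rb-core1", "10.10.9.9"), ("08", 40, "rb-core1", "10.10.9.9")]
    + [("10", 30 + i, "rb-core1", "10.10.5.7") for i in range(6)])

class BanPolicy:
    def __init__(self):
        self.failures, self.bans = defaultdict(list), defaultdict(list)
        self.banned_until = {}               # ip -> datetime the ban lifts
    def is_banned(self, ip, now):
        return self.banned_until.get(ip, now) > now
    def failure(self, ip, now):
        """Register one failed login; return the ban length applied, if any."""
        if self.is_banned(ip, now):          # already blackholed, nothing new
            return None
        # Sliding findtime window; the router the failure came from is ignored.
        self.failures[ip] = window = [t for t in self.failures[ip]
                                      if now - t < FINDTIME] + [now]
        if len(window) < MAXRETRY:
            return None
        repeat = any(now - t < RECIDIVE_WINDOW for t in self.bans[ip])
        length = RECIDIVE_BAN if repeat else BANTIME
        self.banned_until[ip] = now + length
        self.bans[ip].append(now)
        self.failures[ip] = []               # counter resets once banned
        return length

def replay(log):
    """Feed log lines through the policy; return {ip: [ban lengths]}."""
    policy, bans = BanPolicy(), defaultdict(list)
    for line in log.splitlines():
        ts, _router, ip = LOG_RE.match(line).groups()
        length = policy.failure(ip, datetime.fromisoformat(ts))
        if length:
            bans[ip].append(length)
    return dict(bans)
```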

Can confirm this works :stuck_out_tongue:


Thanks spin for activating this feature. It is smart and will stop hackers cracking passwords and entering other users’ accounts. Thanks again.

joelcedras

Updated the first post to reflect changes made to protect our radius server.


Moved to first post.


Updated first post with Avast info.

Updated the first post with SMB port scanning protection details.

Added an explanation why we sometimes see internet IPs in the routing table in the first post.
