After my last experience, I checked my logs and noticed quite a load of failed attempts on my mail server. It looks like a brute force script kiddie attack, which I’m pretty sure will fail on my machine.
Still, I want to kick out these morons. So after some research, I found fail2ban. The installation was simple enough, and with a little bit of configuration (in jail.local, not jail.conf!) I had it up and running… but the attacks continued.
I wrote a simple perl one-liner to parse out all of the failed login attempts, run them through sort and uniq to get the repeat offenders (twice is enough, kids) and append that to the hosts.deny. That worked, but not ideal. I’d rather have iptables-level blocking (using DROP instead of REJECT to waste as much of their time as possible). But fail2ban wasn’t catching them for some reason.
I set up a secondary rule and it still failed – until I discovered fail2ban-regex! With that command you can test your rules at any time instead of waiting for the next attempt to come in. Great! It turns out the regex wasn’t quite right for the messages I was getting. I simplified the regex until it caught the failures. But it still wasn’t working live. Grr.
fail2ban works on log files. It scans for repeated attempts to determine if there’s an attack going on. This would work great unless the logging daemon compresses the messages with something like “last message repeated x times”. And this happens a lot, especially when under attack and you actually need it! You can not turn this feature off with sysklogd. The last key was to replace sysklogd with syslog-ng and POW, the banstick came out to play.
Debugging wasn’t very easy, because the failures are silent. Until I found fail2ban-regex I had about 4-8 hours between tweaks to the regex to see if it worked.
At least now I have a self-setting ban trap that uses iptables-level blocking.
If you’re reading this and you’re learning to be a script kiddie, you are learning to be a loser. You are creating nothing of value. You could vanish from the Internet and not only would it become a better place, but the situation would improve. Is that really what you want? Instead, why not keep on learning about security but do this the right way, on your own machine or a VM and learn to strengthen the Internet, not ruin it. You might actually be actually appreciated and valued by others on the net.
Leave a Reply
You must be logged in to post a comment.