Long story short I set up my first MIAB and everything was running great for about 2 days. Then someone figured out my password and was able to spam out messages for about 17 minutes before I was able to get back to a computer and put a stop to it.
Since then I have changed passwords, enabled 2fa on the control panel, and set up a very strict firewall. But now I have almost an entire class C network still trying to break back into the box. So a few days ago I modified the ban time to a full day and that has slowed them down a bit but I am wondering if there is a way to just permaban an entire class C?
What would you guys and gals do in this situation? I don't think these people are going to stop since they had a successful 17 minutes of sending spam. It's been 4 days now and they are still trying to access the admin account.
Increasing the bantime is fine up to a certain point (I even set it to 7 days on some of my servers), but too many blocked IP addresses in Fail2Ban increases the system load, which will eventually lead to performance issues, so I would strongly advise against using -1.
Also, you may end up blocking legitimate users or yourself indefinitely, which can lead to administrative overhead, or in the worst case (if you’re doing this with SSH), permanently locking yourself out.
If you want to block certain IP ranges permanently, you could use the UFW:
sudo ufw insert 1 deny from XXX.XXX.XXX.XXX/24
insert 1 puts the rule at the top of the chain in order to override the more general allow rules.
Or you could use your VPS provider’s firewall, if they provide one, in which case requests from the blocked IP ranges won’t be able to reach your server at all.
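Before writing a /24 deny rule by hand, it helps to confirm from the logs that the failures really come from many hosts in one range and not from a single noisy address, and to make sure your own address is not inside the range you are about to block (the lock-out risk mentioned above). The script below is an added example for this thread, not code from Mail-in-a-Box or from anyone in the discussion: it parses Dovecot auth-failure lines of the kind MIAB writes to /var/log/mail.log, groups the source addresses by /24, and drafts the matching `ufw insert 1 deny from` commands for you to review. The sample log lines are constructed (RFC 5737 documentation addresses), and the thresholds (at least 3 distinct hosts and 5 failures per range) and the `exclude` list are assumptions you would tune for your own box.

```python
"""Find /24 ranges full of failed mail logins and draft ufw deny rules to review.

Added example for the forum thread; not Mail-in-a-Box code. Log lines are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the shape Dovecot writes to /var/log/mail.log on a
# Mail-in-a-Box host. Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jan  5 10:15:02 box dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.com>, method=PLAIN, rip=203.0.113.45, lip=192.0.2.10, TLS, session=<s1>
Jan  5 10:15:04 box dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.com>, method=PLAIN, rip=203.0.113.46, lip=192.0.2.10, TLS, session=<s2>
Jan  5 10:15:05 box dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.com>, method=PLAIN, rip=203.0.113.47, lip=192.0.2.10, TLS, session=<s3>
Jan  5 10:15:09 box dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.com>, method=PLAIN, rip=203.0.113.45, lip=192.0.2.10, TLS, session=<s4>
Jan  5 10:15:11 box dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.com>, method=PLAIN, rip=203.0.113.48, lip=192.0.2.10, TLS, session=<s5>
Jan  5 10:15:13 box dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.com>, method=PLAIN, rip=203.0.113.49, lip=192.0.2.10, TLS, session=<s6>
Jan  5 10:16:40 box dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<admin@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<s7>
Jan  5 10:16:55 box dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<admin@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<s8>
Jan  5 10:17:30 box dovecot: imap-login: Disconnected (no auth attempts in 0 secs): rip=203.0.113.50, lip=192.0.2.10, TLS, session=<s9>
Jan  5 10:18:02 box dovecot: imap-login: Login: user=<admin@example.com>, method=PLAIN, rip=192.0.2.200, lip=192.0.2.10, TLS, session=<s10>
"""

# Only lines that record an authentication failure; the remote address is in rip=.
# Plain disconnects and successful logins are deliberately not matched.
AUTH_FAIL_RE = re.compile(r"auth failed.*?\brip=(\d{1,3}(?:\.\d{1,3}){3})")


def failed_auth_ips(log_text):
    """Return the source IP (as a string) of every auth-failure line, in log order."""
    ips = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            ips.append(m.group(1))
    return ips


def group_by_prefix(ips, prefix_len=24):
    """Map each /prefix_len network ('a.b.c.0/24') to (distinct hosts, failures)."""
    hosts = defaultdict(set)
    failures = Counter()
    for ip in ips:
        net = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        hosts[net].add(ip)
        failures[net] += 1
    return {net: (len(hosts[net]), failures[net]) for net in failures}


def candidate_blocks(log_text, min_hosts=3, min_failures=5, prefix_len=24, exclude=()):
    """Networks where several distinct hosts are failing, i.e. a whole range is probing
    rather than one noisy host. Any network containing an address in `exclude` (your
    own workstation, your VPN egress) is skipped so the rule cannot lock you out.
    Thresholds are assumptions for this example."""
    safe = [ipaddress.ip_address(a) for a in exclude]
    picked = []
    groups = group_by_prefix(failed_auth_ips(log_text), prefix_len)
    for net, (n_hosts, n_fail) in groups.items():
        network = ipaddress.ip_network(net)
        if any(a in network for a in safe):
            continue
        if n_hosts >= min_hosts and n_fail >= min_failures:
            picked.append(net)
    return sorted(picked)


def ufw_commands(networks):
    """Draft deny rules with 'insert 1' so they sit above the general allow rules.
    Nothing is executed; the output is meant to be read and applied by hand."""
    return [f"sudo ufw insert 1 deny from {net}" for net in networks]


if __name__ == "__main__":
    summary = group_by_prefix(failed_auth_ips(SAMPLE_LOG))
    for net, (n_hosts, n_fail) in sorted(summary.items()):
        print(f"{net:20} hosts={n_hosts:3} failures={n_fail:3}")
    # 192.0.2.200 plays the admin's own address here (constructed value).
    for cmd in ufw_commands(candidate_blocks(SAMPLE_LOG, exclude=["192.0.2.200"])):
        print(cmd)
```

On a real box you would feed it the contents of /var/log/mail.log (or the output of `fail2ban-client status dovecot` style listings) instead of SAMPLE_LOG, and put your own public address in `exclude`. The distinct-host count is what distinguishes a range-wide probe from one compromised host hammering you, and only the former justifies a /24 rule.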
Awesome advice and I appreciate it! I changed some of the ban times from 1 day to a full 7 like you suggested. Also, this box only serves me right now so I currently don’t have to worry about anyone else’s emails getting hacked.
Thank you again for commenting. It’s going to be nice looking at cleaner log files now. hehe