I am looking at number of logs
tail -f /var/log/mail.log
tail -f /var/log/nginx/access.log
What other log should I be checking?
and I see more or less the same IP addresses populating my log files, trying various attempts to gain access …
Would it make sense (if not, please, please let me know why) for the community to collate such IP addresses and BAN them completely from accessing our boxes with firewall rules like “UFW deny from ip_address”?
Maybe having another branch on GitHub collecting offending IPs would be a good idea?
fail2ban should already attempt to block them (if it is configured to read those logs) @JoshData would know for sure.
Adding the IP address manually to iptables for blocking shouldn’t affect anything, though, so long as you know that MIAB/fail2ban/ufw would overwrite it during a reboot:
iptables -I INPUT 1 -s IP-ADDRESS -j DROP
where IP-ADDRESS = the IP in the log
Well, Fail2Ban will, but only for a couple of hours, and then you will see those IPs in the log again …
What would be the way to make the changes permanent (after reboots)?
Putting the iptables command in your rc.local file at the bottom, just above the "exit 0" line.
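As an added example (not code from this thread or from Mail-in-a-Box), here is a small POSIX shell script that does the manual part of what the thread describes: it scans mail.log-style lines for repeated SASL authentication failures, lists the client IPs at or above a chosen threshold, and prints the matching iptables rules instead of applying them. The log lines are constructed samples in the format postfix/smtpd uses for SASL failures; the threshold, the function names and the dry-run behaviour are my choices, not anything the thread specifies.

```shell
#!/bin/sh
# Constructed sample log lines (not real traffic) in postfix/smtpd's
# SASL-failure format, plus a few unrelated lines to show the filtering.
SAMPLE_LOG='Jan 10 12:00:01 box postfix/smtpd[1234]: connect from unknown[203.0.113.5]
Jan 10 12:00:02 box postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 12:00:03 box postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 12:00:04 box postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Jan 10 12:00:05 box postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 12:01:00 box postfix/smtpd[1240]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 12:01:30 box postfix/smtpd[1241]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 12:01:31 box postfix/smtpd[1241]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 12:01:32 box postfix/smtpd[1241]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 12:02:00 box postfix/smtpd[1250]: disconnect from unknown[198.51.100.7]'

# offenders THRESHOLD
# Print each client IP (one per line, sorted) that has at least THRESHOLD
# SASL authentication failures in SAMPLE_LOG. Only the bracketed IP that
# directly precedes ": SASL" is extracted, so the process id in
# "smtpd[1234]" is never mistaken for an address.
offenders() {
  threshold="$1"
  printf '%s\n' "$SAMPLE_LOG" \
    | grep 'SASL .* authentication failed' \
    | sed -n 's/.*\[\([0-9.]*\)\]: SASL.*/\1/p' \
    | sort \
    | uniq -c \
    | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# rules_for THRESHOLD
# Dry run: print the iptables rule for each offender rather than applying
# it. "-I INPUT 1" inserts at the top of the chain so the DROP is evaluated
# before any ACCEPT rules that ufw or fail2ban have added.
rules_for() {
  offenders "$1" | while read -r ip; do
    printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$ip"
  done
}

# Stand-alone usage: show the rules that three or more failures would earn.
rules_for 3
```

Feed real data by replacing SAMPLE_LOG with `cat /var/log/mail.log`; the same pipeline works with `ufw deny from "$ip"` in place of the iptables line if you prefer ufw's persistent rule store, which also sidesteps the rc.local step since ufw reloads its own rules at boot.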