Aug 7 22:25:37 mail postfix/submission/smtpd: disconnect from unknown[18.104.22.168] ehlo=1 auth=0/1 rset=1 commands=2/3
About every 10 seconds. Different IP address each time; pool of about 7 IP addresses.
Never getting added to the banned list. Am I understanding this wrong? I thought it was automatic?
Thanks for some clarity.
Hi, fail2ban will block connections like that - but only when they reach a threshold number of attempts in a specific time. Presumably that source has tuned its rate to stay under the default threshold.
You could change the thresholds but note: any changes will get overwritten with MIAB updates, and be careful you don’t block legitimate traffic!
Personally, I’ve seen multiple attacks from 22.214.171.124/24 and I blocked the entire subnet. I “might” miss out on real email, but I’ll take that risk.
Sorry to ask such a noob question, but where do I block the entire subnet? I have a bunch of others from my other email server I would love to block in MIAB too.
I use iptables; this should do the trick. It will disappear on reboot, so you might want to put it in a boot-time script (needs to run as root), or you can just execute it whenever 46.148.40.x are harassing you!
sudo iptables -I INPUT -s 126.96.36.199/24 -j DROP
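A boot-time version of the one-liner above, added here as an example and not code from the thread or from Mail-in-a-Box: it keeps the DROP rules in a chain of its own, checks with `iptables -C` before adding anything so it can be run at every boot (or by hand) without piling up duplicate rules, and refuses entries that are not a valid CIDR. The list file path `/etc/mail-blocklist.txt`, the chain name `MAIL_BLOCKLIST` and the addresses in the built-in list (RFC 5737 documentation ranges) are assumptions; substitute the subnets you actually see.

```shell
#!/bin/sh
# mail-blocklist.sh: idempotent subnet blocklist for a mail host.
# Added example for this thread, not part of Mail-in-a-Box. File path, chain
# name and the sample CIDRs below are assumptions.
set -eu

BLOCKLIST_FILE="${BLOCKLIST_FILE:-/etc/mail-blocklist.txt}"   # one CIDR per line (assumed path)
CHAIN="${CHAIN:-MAIL_BLOCKLIST}"                               # our own chain, separate from fail2ban's
DRY_RUN="${DRY_RUN:-}"                                          # DRY_RUN=1 prints commands instead of running them

# Constructed fallback list (RFC 5737 documentation ranges), used when the file is missing.
BLOCKLIST='
# subnets seen harassing the submission port
203.0.113.0/24
198.51.100.0/24   # trailing comments are fine
not-an-address    # typo: reported on stderr and skipped
'
if [ -r "$BLOCKLIST_FILE" ]; then
    BLOCKLIST=$(cat "$BLOCKLIST_FILE")
fi

# Run iptables, or in dry-run mode print what would run.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Does a chain or rule already exist? (iptables -C / -L exit 0 when it does.)
# In dry-run mode pretend nothing exists so every command gets printed.
ipt_has() {
    if [ -n "$DRY_RUN" ]; then
        return 1
    fi
    iptables "$@" >/dev/null 2>&1
}

# Strip comments, whitespace and blank lines from the list.
parse_blocklist() {
    printf '%s\n' "$BLOCKLIST" | sed 's/#.*//; s/[[:space:]]//g' | grep -v '^$' || [ $? -eq 1 ]
}

# Syntax check: dotted quad with octets 0-255 and an optional /0-32 prefix.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Create our chain if needed and hook it at the top of INPUT exactly once.
ensure_chain() {
    ipt_has -L "$CHAIN" -n || ipt -N "$CHAIN"
    ipt_has -C INPUT -j "$CHAIN" || ipt -I INPUT 1 -j "$CHAIN"
}

# Add a DROP for one CIDR unless it is already there.
block_cidr() {
    ipt_has -C "$CHAIN" -s "$1" -j DROP || ipt -A "$CHAIN" -s "$1" -j DROP
}

# Apply the whole list; bad entries never reach iptables.
apply_blocklist() {
    ensure_chain
    for cidr in $(parse_blocklist); do
        if valid_cidr "$cidr"; then
            block_cidr "$cidr"
        else
            echo "skipping invalid entry: $cidr" >&2
        fi
    done
}

# Usage: sudo ./mail-blocklist.sh apply    (DRY_RUN=1 ./mail-blocklist.sh apply to preview)
case "${1:-}" in
    apply) apply_blocklist ;;
    *)     echo "usage: $0 apply   (set DRY_RUN=1 to only print the commands)" >&2 ;;
esac
```

Because every step checks before it changes anything, the script can be called from whatever runs at boot on your box (a small systemd unit or rc.local, both as root) and re-run whenever you add a subnet to the list, and it needs no rule-saving tool at all.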
Thank you for this; it has been very helpful.
Not sure if this will help, but to make rules permanent run iptables-persistent; you may need to install it first.
Take a little care with iptables-persistent. It will restore whatever was in place when the rules were saved, which might include temporary blocks added by fail2ban - blocks that you don’t really want to be persistent!
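One way to get the persistence without freezing fail2ban's temporary bans, added here as an example rather than code from the thread or from Mail-in-a-Box: filter the `iptables-save` output before handing it to iptables-persistent, dropping every line that declares, jumps to, or belongs to a fail2ban chain. It assumes fail2ban names its chains `f2b-*` (`fail2ban-*` on older releases) and that iptables-persistent reads `/etc/iptables/rules.v4`, as it does on Debian/Ubuntu; the sample rules in the block are constructed, not a real capture.

```shell
#!/bin/sh
# Save iptables rules for iptables-persistent without fail2ban's temporary bans.
# Added example for this thread, not from Mail-in-a-Box. Assumes f2b-*/fail2ban-*
# chain names and the Debian/Ubuntu rules file path.
set -eu

RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# Drop every line that mentions a fail2ban chain:
#   ":f2b-sshd - [0:0]"              chain declaration
#   "-A INPUT ... -j f2b-sshd"       jump from INPUT
#   "-A f2b-sshd -s 1.2.3.4/32 ..."  the temporary ban itself
# grep -v exits 1 when nothing is left, which is not an error here.
strip_fail2ban_rules() {
    grep -Ev '(^:|[[:space:]])(f2b|fail2ban)-' || [ $? -eq 1 ]
}

# Write the sanitized rule set; run as root after your own blocks are in place.
# fail2ban recreates its chains itself when it starts, so nothing is lost.
save_rules_without_fail2ban() {
    iptables-save | strip_fail2ban_rules > "$RULES_FILE"
    echo "wrote $RULES_FILE without fail2ban chains"
}

# Constructed iptables-save output for a self-check (not a real capture).
sample_rules='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MAIL_BLOCKLIST - [0:0]
:f2b-postfix-sasl - [0:0]
-A INPUT -j MAIL_BLOCKLIST
-A INPUT -p tcp -m multiport --dports 25,465,587 -j f2b-postfix-sasl
-A MAIL_BLOCKLIST -s 203.0.113.0/24 -j DROP
-A f2b-postfix-sasl -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -j RETURN
COMMIT'

# Usage: sudo ./save-rules.sh save     (no argument: show what survives from the sample)
case "${1:-}" in
    save) save_rules_without_fail2ban ;;
    *)    printf '%s\n' "$sample_rules" | strip_fail2ban_rules ;;
esac
```

Run it instead of `netfilter-persistent save` whenever you change your manual blocks; the saved file then contains only the rules you put there yourself, and fail2ban's bans expire on their own schedule as intended.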
Instead of iptables you can also use fail2ban-client: For the subnet mentioned by @andrew I run:
sudo fail2ban-client set recidive banip 188.8.131.52/24
This puts the IP/subnet in the recidive jail and blocks everything from there for 7 days (I think). Recidive is a default fail2ban jail, which can be easily used for that.
So I have zero tolerance for these folks. Is there a way I tell fail2ban to just keep them in jail for a year?
AFAIK, only when you create a new jail with a bantime for that year. There doesn’t seem to be an existing jail like this on a default MIAB installation.
But then you are deviating from the default again and might need to redo those changes after a MIAB upgrade.