Too many of the same 'found' in fail2ban log

My YunoHost server

Hardware: VPS bought online
YunoHost version: 4.2.4
I have access to my server : Through SSH | through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

I get a lot of fail2ban logs from the same IP (v6). It seems worrisome and I cannot see what fail2ban actually does with this.

  • Fail2ban has ‘found’ it, has it been banned too?
  • Can I permanently ban this ip?
  • Can I see if it is banned at all?
  • Can I disable the ipv6 stuff completely?
    YH diagnose keeps telling me ports 25 and 587 are ‘not reachable from outside in ipv6’. I’m not behind a router (VPS) or anything and the provider says they’re not blocking anything. So it may be a different issue altogether (but I don’t really care about receiving mail over IPv6, since I doubt I’d ever miss even one message).

It looks like it makes two attempts every 15 minutes:

2021-05-23 11:12:26,291 fail2ban.filter         [828]: INFO    [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 11:12:26
2021-05-23 11:12:32,435 fail2ban.filter         [828]: INFO    [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 11:12:32
2021-05-23 11:27:23,338 fail2ban.filter         [828]: INFO    [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 11:27:23
2021-05-23 11:27:29,360 fail2ban.filter         [828]: INFO    [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 11:27:29
2021-05-23 11:42:25,161 fail2ban.filter         [828]: INFO    [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 11:42:25
2021-05-23 11:42:31,303 fail2ban.filter         [828]: INFO    [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 11:42:31
2021-05-23 11:57:23,216 fail2ban.filter         [828]: INFO    [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 11:57:23
2021-05-23 11:57:29,357 fail2ban.filter         [828]: INFO    [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 11:57:29
2021-05-23 12:12:23,604 fail2ban.filter         [828]: INFO    [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 12:12:23
2021-05-23 12:12:29,513 fail2ban.filter         [828]: INFO    [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 12:12:29

Ah I see

I guess Fail2ban doesn’t ban it because the attacker purposely stays under the limit (2 attempts every 15 minutes, but the threshold is something like 10 attempts in 10 minutes), so it never triggers a ban from fail2ban.

But if that can reassure you, if you’re only able to try 1 password every 7.5 minutes, bruteforcing is gonna take a looooooooooooooong time, unless you have some very stupid password like “test” for user “test”. The biggest thing the attacker is achieving is, as you saw, filling logs with stupid stuff and scaring the admin.

I guess you could ban this specific IP, but considering this is IPv6, the attacker can probably use a slightly different IP very easily, so idk if that’s worth trying…

I think the better thing to do could be to tweak yunohost’s fail2ban conf which should be at something like /etc/fail2ban/jail.conf.d(?)/yunohost-jails.conf and should look like this: yunohost/yunohost-jails.conf at dev · YunoHost/yunohost · GitHub

Here, you can try to add these two lines in the dovecot section to tweak the findtime and related settings:

maxretry = 10    # this is the default
findtime = 6000  # 100 minutes (instead of 10 by default)
bantime = 6000   # 100 minutes (instead of 10 by default)
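To see why two attempts every 15 minutes never trigger a ban with the default jail settings but do with the tweaked ones, here is an added example (not code from this thread, YunoHost or fail2ban) that replays the ‘Found’ lines quoted above through a simplified fail2ban-style counter. The regex and the sliding-window logic are my own approximation of how fail2ban counts failures per IP; the jail name, IP and timestamps are the ones from the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the ten "Found" lines quoted in the post (whitespace collapsed).
SAMPLE_LOG = """\
2021-05-23 11:12:26,291 fail2ban.filter [828]: INFO [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 11:12:26
2021-05-23 11:12:32,435 fail2ban.filter [828]: INFO [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 11:12:32
2021-05-23 11:27:23,338 fail2ban.filter [828]: INFO [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 11:27:23
2021-05-23 11:27:29,360 fail2ban.filter [828]: INFO [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 11:27:29
2021-05-23 11:42:25,161 fail2ban.filter [828]: INFO [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 11:42:25
2021-05-23 11:42:31,303 fail2ban.filter [828]: INFO [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 11:42:31
2021-05-23 11:57:23,216 fail2ban.filter [828]: INFO [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 11:57:23
2021-05-23 11:57:29,357 fail2ban.filter [828]: INFO [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 11:57:29
2021-05-23 12:12:23,604 fail2ban.filter [828]: INFO [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 12:12:23
2021-05-23 12:12:29,513 fail2ban.filter [828]: INFO [dovecot] Found 2a02:a45c:8bfa:1:d0b0:2173:b2e5:a24a - 2021-05-23 12:12:29
"""

# Matches the "[jail] Found <ip> - <timestamp>" part of a fail2ban INFO line.
FOUND_RE = re.compile(r"\[(?P<jail>[\w-]+)\] Found (?P<ip>\S+) - (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*$")

def parse_found(log_text):
    """Return (jail, ip, datetime) for every 'Found' line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            events.append((m["jail"], m["ip"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")))
    return events

def simulate_bans(events, maxretry, findtime, bantime):
    """Simplified fail2ban counter (an approximation, not fail2ban's own code): an IP is banned
    once it has maxretry failures within the last findtime seconds; failures during an active ban
    are ignored and the counter restarts afterwards. Returns a list of (ip, ban_timestamp)."""
    window, bans = timedelta(seconds=findtime), []
    recent, banned_until = {}, {}
    for _jail, ip, ts in sorted(events, key=lambda e: e[2]):
        if ts < banned_until.get(ip, ts):
            continue                          # still banned: the attempt never reaches dovecot
        hits = [t for t in recent.get(ip, []) if ts - t <= window] + [ts]
        recent[ip] = hits
        if len(hits) >= maxretry:
            bans.append((ip, ts))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            recent[ip] = []
    return bans

if __name__ == "__main__":
    events = parse_found(SAMPLE_LOG)
    print("default (10 in 600 s): ", simulate_bans(events, 10, 600, 600))
    print("tweaked (10 in 6000 s):", simulate_bans(events, 10, 6000, 6000))
```

With the defaults the IP never has more than 2 hits inside any 10-minute window, so the list stays empty; with findtime = 6000 the tenth hit at 12:12:29 falls within 100 minutes of the first and triggers a ban.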

Thanks a lot! I realise it wouldn’t have much of a chance guessing the password like this, but I changed the settings nonetheless. I use a password manager and have mail clients configured, so the chances of me typing the wrong password more than once or twice are slim. And if I do, I deserve to be banned 🙂

Change for ssh port.
Use this to trap the attackers on port 22. GitHub - skeeto/endlessh: SSH tarpit that slowly sends an endless banner
