Blocking servers probing for authentication credentials
Sometimes you need to block a server that is repeatedly probing your server, trying to brute-force crack authentication details.
As a quick short-term fix, the easiest way is simply to block them with the firewall:
iptables -I INPUT -s 1.2.3.4 -j DROP
Using DROP rather than REJECT makes their connection attempts hang until they time out instead of failing immediately, causing maximum inconvenience.
However, this firewall rule will be lost on reboot and you’ll have to keep checking the log files for other attacks.
For a longer term solution, install fail2ban. This will monitor the log files for failed login attempts on various services and automatically add them to your firewall rules for you.
apt-get install fail2ban
On Debian, this comes pretty much configured as you want it. All you need to do is edit /etc/fail2ban/jail.conf to add your own IP addresses to the ignoreip whitelist and enable the services that you want it to keep an eye on (ssh is already enabled).
Add to the whitelist:

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 1.2.3.4
bantime = 6000
maxretry = 3
Enable Postfix:

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
It’s a good idea to enable it for POP, IMAP and FTP as well.
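To make the ignoreip and maxretry settings above concrete, here is an added Python sketch (not part of the original post and not fail2ban's own code) that applies fail2ban-style logic to constructed log lines: it counts failures per address for each jail, exempts anything matching ignoreip, and produces the DROP rule for addresses that reach maxretry. The log lines, the addresses and the two simplified filter patterns are constructed for illustration and are not fail2ban's real filter files.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample log lines (not from the post): 2 sshd failures from 203.0.113.7 (below
# maxretry), 3 from 127.0.0.1 (whitelisted by ignoreip), 3 postfix SASL failures from 198.51.100.9.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Mar  3 10:01:05 host sshd[1201]: Failed password for root from 203.0.113.7 port 4023 ssh2
Mar  3 10:02:10 host postfix/smtpd[1310]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed
Mar  3 10:02:12 host postfix/smtpd[1310]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed
Mar  3 10:02:15 host postfix/smtpd[1310]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed
Mar  3 10:03:00 host sshd[1230]: Failed password for root from 127.0.0.1 port 5000 ssh2
Mar  3 10:03:01 host sshd[1230]: Failed password for root from 127.0.0.1 port 5001 ssh2
Mar  3 10:03:02 host sshd[1230]: Failed password for root from 127.0.0.1 port 5002 ssh2
"""
# Jail settings mirroring the post's [DEFAULT] section.
IGNOREIP = ["127.0.0.1/8", "1.2.3.4"]
MAXRETRY = 3
# Simplified per-jail failure patterns (hypothetical, not fail2ban's real filters); "<HOST>" is
# substituted with an IPv4 capture group, in the spirit of fail2ban's filter syntax.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FILTERS = {
    "ssh": r"sshd\[\d+\]: Failed password for .* from <HOST> port \d+",
    "postfix": r"postfix/smtpd\[\d+\]: warning: \S+\[<HOST>\]: SASL \S+ authentication failed",
}

def is_ignored(ip, ignoreip=IGNOREIP):
    """True if ip falls inside any ignoreip entry (single address or CIDR mask)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)

def count_failures(log_text, filters=FILTERS):
    """Return {jail: {ip: failure count}} for lines matching each jail's pattern."""
    compiled = {jail: re.compile(pat.replace("<HOST>", HOST)) for jail, pat in filters.items()}
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        for jail, rx in compiled.items():
            if m := rx.search(line):
                counts[jail][m.group("host")] += 1
    return counts

def ban_rules(log_text, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """iptables rules fail2ban-style logic would add: whitelisted addresses are skipped,
    any other address is banned in its jail's chain once it reaches maxretry failures."""
    rules = []
    for jail, per_ip in sorted(count_failures(log_text).items()):
        for ip, n in per_ip.items():
            if n >= maxretry and not is_ignored(ip, ignoreip):
                rules.append(f"iptables -I fail2ban-{jail} -s {ip} -j DROP")
    return rules
```

Run as written, only 198.51.100.9 is banned: 203.0.113.7 stays under maxretry and 127.0.0.1 is covered by the 127.0.0.1/8 whitelist entry despite its three failures.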
To remove an IP address from the banned list (when a legitimate user has failed too many times), you need to run iptables as root:
iptables -D _chain_ -s _ip_address_ -j DROP

where _ip_address_ is the blocked address and _chain_ is the chain fail2ban uses for that jail, e.g. fail2ban-ssh, fail2ban-postfix or fail2ban-dovecot.