More of a network-related question than really “internet”, but I am sure you guys will have an idea: I am running a NextCloud Server with Fail2Ban because it’s facing the outside world for me to synch… from
I am running a little logalizer called Monitorix on that Raspbian machine, too. This logalizer has a report that highlights “system services demand” which only reports Fail2Ban which ticks up every day from 0 to 8 (so approximately one step every 18 minutes) and I wonder what that means.
Does anyone know? I tried googling it, but this led me to believe that this is more of a Monitorix-specific analysis than something broadly considered important. However, I am always intrigued at sawtooth shaped diagrams.
Excellent - thank you very much for testing this out for me @rah !
I am happy to report that I have an A+ rating on the scan.nextcloud.com (rather: they make great and easy to install software…). Hmm. Wonder what it may be since I don’t have any machines running 24/7 that might cause it.
AHAAAAAAAAAA! Reminds me that I have a phone running 24/7 connected to the server. Maybe I reaches out to synch or say hello or something akin every 20 minutes? I will investigate and report back!
I’m new to both of these tools --and have just installed them – but isn’t this graph just showing that fail2ban runs periodically on your system? Wouldn’t system demand count increase every time it scans the log for failed login attempts?
EDIT: I see now in serv.pm source code of monitorix that it’s looking for “BAN” action from fail2ban. Can you open that log and see what IP addresses(s) it’s banning at such a regular interval?
Perfectly possible! BUT - alas - there is news: logs show (thanks, @PHolder !) that fail2ban logs attempts from a Chinese IP (188.8.131.52) in irregular frequency - but consistently. Now looking for a switch to block that IP permanently.
Looks like this in fail2ban.log:
2020-04-21 19:15:21,920 fail2ban.filter : INFO [ssh] Found 184.108.40.206 - 2020-04-21 19:15:21
2020-04-21 19:15:23,887 fail2ban.filter : INFO [ssh] Found 220.127.116.11 - 2020-04-21 19:15:23
2020-04-21 19:20:19,060 fail2ban.filter : INFO [ssh] Found 18.104.22.168 - 2020-04-21 19:20:18
2020-04-21 19:20:20,855 fail2ban.filter : INFO [ssh] Found 22.214.171.124 - 2020-04-21 19:20:20
2020-04-21 19:25:16,611 fail2ban.filter : INFO [ssh] Found 126.96.36.199 - 2020-04-21 19:25:16
2020-04-21 19:25:18,579 fail2ban.filter : INFO [ssh] Found 188.8.131.52 - 2020-04-21 19:25:18
2020-04-21 19:25:19,008 fail2ban.actions : NOTICE [ssh] Ban 184.108.40.206
2020-04-21 19:35:19,829 fail2ban.actions : NOTICE [ssh] Unban 220.127.116.11
2020-04-21 19:39:39,622 fail2ban.filter : INFO [ssh] Found 18.104.22.168 - 2020-04-21 19:39:39
2020-04-21 19:39:40,645 fail2ban.filter : INFO [ssh] Found 22.214.171.124 - 2020-04-21 19:39:40
In the NextCloud configuration panel, there is a section configuring fail2ban. I changed the banning policy to “permanently ban” by putting the timer to -1. Also: send me notifications if someone acts up! Let’s see how this helps.
If you want to ban these ip’s permanently you could use ipset its a fast and simple way to do it, it will make 1 iptable rule then use a flat text file with your banned ip to load, barley uses any memory or cpu.
Just flat out blocks the ip, now i use a blacklist to block multiple targets like china russia and all the known bad apples that a few people maintain for us.
for example my iptable rule is
iptables -I INPUT -m set --match-set ip-blacklist src -j DROP
ipset flush ip-blacklist
egrep -v “^#|^$” $IP_BLACKLIST | while IFS= read -r ip
ipset add ip-blacklist $ip
If you look I do have some of the list commented out because they were gone or not working for me.
so it will block tons of ip something like 45000 lines in the file and there are some /16 and /24 networks within it so do a little reading on ipset and i think it will be what your looking for, btw you dont have to use any script to load if you wanted to just add a few to a list its as simple as ipset add ip# yourblacklist name.
yes I see your point and agree, now in my case i run that when i think about it like a few times a year, so there is always a reboot (kernel update) in between. and i did some diff on the results a few years back and really not a lot of changes for me to run it all the time, plus with fail2ban running and have a script to parse that log file of bans to add to my ipset bans i pretty covered anyway dont have ssh open its mostly just for bad web attacks.
Nice catch that never came to mind the var would be holding and can cause a problem.
Can you blacklist it at your firewall? Not letting it in, past your perimeter is always the best course of action.
Also, unless you are planning to travel to those areas (or have friends there you want to share with), I’d look at blocking China completely, along with the IP-blocks for Russia, North Korea, Iran and possibly Israel, although the last one probably isn’t very interested in you as an individual.
In fact, it would probably be easier to just white list the local ISP and your mobile provider(s), possibly your place of work, if you are allowed to access it from there. Whitelisting is always the safer bet, if you can.
I was always a fan of port knocking, in theory, although I’ve never actually tried that for a practical service. For a service that is just supposed to be used by me, I like the idea of blocking everyone who can’t do the port knock.
Excellent point, too! I will have to look into that. I tried iptables before but usually screwed something up so that I ended up reverting to the standard perceived safety provided by the router box. However, if I start poking holes into that, its painfully obvious that I should do something to guard the “system behind the poked hole” better. Good point!
Yes, also in conjunction to what @big_D said above - makes sense.
Probably overkill for most people, but I use the VLAN capabilities of the Unifis and the Zyxel to split out the traffic to dedicated networks E.g. management interfaces, general traffic, VOIP traffic, IoT traffic, WLAN and guest WLAN.
Yeah, sounds interesting. To be honest, I am toying with the idea of moving “everything” to the cloud and simply getting rid of the Raspberrys, disks, additional network equipment. Sure, it is fun - but I begin to realise the inefficiency and negative impact on IT security of my limited skill and attention. Plus: less energy wasted and a board in the cabinet won back… Not to go needlessly negative, simply to consider: have the admin stuff done by actual admins. Then again, I have a feeling that I’d just move the stuff to the basement and, six months later, bring it back up again to once again play admin for my five files. It is a fun hobby. That’s what golfing must feel like, just sitting down.
That image is interesting. It looks like you are running NexcloudPi. I do not have those options in the Nextcloud installed from Nexcloud. I installed all manually, Raspbian, LAMP stack, Nextcloud, Fail2ban, Lets Encrypt etc. I can’t remember why I did not go the NextcloudPi route now, there was a reason. I like the Fail2ban and UFW integration showing in your screen grab.