Habe mir vor vielleicht 15 Minuten einen Filter für #fail2ban gebaut, der AI-Bots blockt, als User agents habe ich die von https://raw.githubusercontent.com/ai-robots-txt/ai.robots.txt/refs/heads/main/robots.txt genommen.
Kraß. 15 Minuten, die Liste der geblockten IPs sieht so aus

149.71.242.33 155.254.45.162 17.241.219.133 47.128.43.213 17.241.227.52 47.128.44.193 47.128.125.202 47.128.125.21 47.128.34.51 47.128.40.26 47.128.33.50 17.22.245.86 17.22.253.67 17.22.237.105 17.22.253.89 17.22.237.92 17.22.245.44 17.22.253.179 17.22.245.10 17.22.253.16 17.22.245.204 17.22.253.54 17.22.237.180 17.22.245.73 17.22.253.118 17.22.253.96 17.22.253.252 17.22.237.150 17.22.237.4 17.22.237.157 17.22.245.142 17.22.253.120 17.22.245.112 17.22.237.182 144.76.183.254 47.128.34.102 17.246.19.132 17.246.23.22 17.246.15.237 17.246.23.151 17.246.23.16 17.246.15.183 17.246.19.241 17.246.19.68 17.246.19.52 47.128.54.11 47.128.26.42 47.128.38.197 47.128.53.186 47.128.38.111 17.241.227.145 47.128.49.106 47.128.61.36 20.171.206.69 185.181.120.2 47.128.114.220 47.128.29.139 20.171.206.122 20.171.206.243 78.46.42.69 47.128.126.153 47.128.16.158 47.128.34.109 17.241.75.102 47.128.124.170 47.128.38.3 17.22.245.15 17.22.245.99 17.22.253.150 17.22.237.17 17.22.237.64 17.22.237.175 17.22.253.83 144.76.32.137 47.128.27.20 47.128.51.166 47.128.58.0 47.128.55.38 47.128.44.142 17.241.227.244 17.241.75.45 17.241.227.218 17.241.75.4 17.241.75.229 17.241.219.85 17.241.227.233 17.241.227.135 17.241.219.46 17.241.219.143 17.241.219.172 20.171.206.138 47.128.55.169 47.128.45.143 20.171.206.58 20.171.206.234 20.171.206.187 47.128.29.185 20.171.206.91 20.171.206.231 20.171.206.17 20.171.206.135 17.241.227.235 17.246.23.100 176.9.2.28 47.128.52.119 47.128.99.101 17.241.75.91 17.246.19.49 17.246.15.124 17.246.23.42 17.246.23.177 17.246.15.143 17.241.219.162 17.246.19.33 17.246.15.175 17.246.15.28 17.246.19.114 17.246.23.169 17.246.15.195 17.246.19.5 17.246.19.30 17.246.23.92 17.246.19.77 17.246.23.225 17.246.15.148 17.246.23.77 17.246.23.194 17.246.15.39 17.246.19.94 17.246.15.152 17.246.15.210 17.246.19.87 17.246.15.6 20.171.206.241 20.171.206.228 20.171.206.82 20.171.206.126 47.128.26.36 17.241.227.120 17.241.227.134 17.241.227.41 17.241.75.172 17.241.227.75 17.241.75.113 17.241.227.15 17.241.75.219 17.241.219.212 17.241.227.59 17.241.219.79 17.241.219.4 17.241.227.170 17.246.15.157 17.246.15.126 17.246.19.46 17.246.23.65 17.246.23.138 17.246.19.82 17.22.253.175 17.22.245.66 17.22.245.157 17.22.253.132 47.128.61.126 47.128.31.241 47.128.49.23 47.128.58.167 17.241.219.243 17.241.75.78 17.241.227.44 47.128.110.169 17.22.253.27 17.22.245.130 17.22.245.132 17.22.253.174 17.22.237.31 17.22.253.140 17.22.237.88 47.128.111.8 17.241.219.240 17.246.19.144 17.246.23.207 17.246.15.81 17.246.19.154 17.246.23.192 17.246.23.160 17.246.15.9 17.246.19.134 17.246.19.126 17.246.19.202 17.246.23.199 17.246.23.127 17.246.15.36 17.246.15.72 17.246.19.24 17.246.23.217 17.246.23.219 17.246.23.228 17.246.19.18 47.128.41.103 47.128.56.103 47.128.51.159 47.128.22.197 47.128.114.225 47.128.113.142 47.128.34.182 47.128.28.71 47.128.27.141 17.241.219.181 47.128.117.196 17.241.227.106 17.241.75.212 17.241.219.185 47.128.44.26 47.128.29.151 17.22.253.72 17.22.253.189 17.22.237.249 17.22.253.40 17.22.245.9 17.22.245.125 111.225.149.158 110.249.201.69 47.128.58.49 47.128.114.28 17.241.227.11 47.128.19.93 47.128.99.141 154.3.178.245 45.61.91.52 94.130.37.183 47.128.117.193 17.241.75.120 17.241.227.113 17.241.75.86 17.241.75.85 17.241.75.112 17.241.75.83 17.241.75.244 17.241.219.245 17.241.227.167 17.241.227.209 17.241.219.198 17.241.227.254 17.241.75.74 17.241.75.22 17.241.219.11 17.241.219.252 17.241.227.132 17.241.227.35 17.241.219.31 17.241.227.189 17.241.219.9 17.241.219.87 17.22.245.57 17.22.245.53 17.22.237.204 17.22.253.35 17.22.237.12 17.22.245.174 47.128.51.126 47.128.125.203 47.128.53.250 47.128.46.248 95.217.84.249 47.128.38.214 17.241.75.234 17.22.237.15 17.22.237.111 17.22.253.196 17.22.245.183 17.22.245.215 17.22.253.241 17.22.253.102 17.22.237.63 17.22.253.37 17.22.253.210 17.22.253.148 17.22.237.61 17.22.253.41 17.22.245.201 17.22.253.38 17.22.253.91 17.22.237.25 17.22.245.237 17.22.253.85 17.22.253.25 17.22.237.89 17.22.253.188 17.22.245.168 17.22.245.63 17.22.237.135 17.22.245.87 47.128.19.166 2a03:2880:13ff:3::face:b00c 2a03:2880:13ff:21::face:b00c 2a03:2880:13ff:1e::face:b00c

Und das auf meinem wirklich unwichtigen privaten Webserver.

I've been using CrowdSec for a few weeks now and it's pretty good, if occasionally a little rough round the edges. I particularly like the console which gives nice visualisations and stats on attack types, countries, ASNs, targets and so on. Dual running with fail2ban, CrowdSec didn't miss any of the usual SSH brute force attempts (in fact it seems to pick up more, out of the box) and the shared community blocklist (currently 11k IPs) is a killer feature.

I haven't turned off fail2ban entirely only because CrowdSec doesn't yet have collections for exim and sendmail - if nobody else adds them I might contribute them myself when time permits. However there's-out-of-the-box setup for lots of other common server apps. The installer does a reasonable job of detecting what's running and configuring it for you on first install, and you can install more collections with a single command.

It's worth remembering to update collections from the hub regularly as new attack detections are periodically added. That's just a couple of commands with cscli, the provided CLI client, which is the main way of seeing what it's doing and configuring it. I've made a few manual tweaks to the config (YAML) to match my setup (log file locations, and ignoring my own IPs for safety) and that's it.

#CrowdSec #fail2ban #sysadmin

CrowdSec, the open-source & collaborative IPS

CrowdSec is an open-source and collaborative IPS leveraging the crowd power. Analyze behaviors, respond to attacks & share signals across the community. Let's make the Internet safer, together.

CrowdSec - The open-source & collaborative IPS

The quantity of pre-detected IPs which are identified as aggressive & dangerous has increased dramatically as CrowdSec continues to be put into use by more and more individuals and organisations.

CrowdSec is OpenSource, free and also offers professional services for organisations which feel they need to pay in order for OpenSource to be OK to use.

Collaborative Security

"Our strength comes from our cybersecurity community that is burning cybercriminals’ anonymity. By sharing IP addresses that aggressed you, you help us curate and redistribute a qualified IP blocklist to protect everyone."

https://crowdsec.net/

#security #privacy #WordPress #Drupal #Internet #OpenSource #CrowdSec #server #protection #Fail2Ban

CrowdSec, the open-source & collaborative IPS

CrowdSec is an open-source and collaborative IPS leveraging the crowd power. Analyze behaviors, respond to attacks & share signals across the community. Let's make the Internet safer, together.

I have a #question about #fail2ban, #YunoHost and #SSH, of course running on a #Linux host.

I get this diagnosis mail daily (or more frequent) with failed login attempts via SSH (see message below), I think it is not unusual to have many failed login attempts, I checked fail2ban is running. On other servers I get one failed login per second, I don't run fail2ban on these (as I don't give a fuck, hackers can just switch through #tor circuits to get not banned).

So I also run some #Tor exit and the SSH login attempt with wrong user/password is the most common abuse complaints I get there. (Note: Please do not send out abuse complaints for this or filter out Tor Exits, there is blacklists that contain all Exits. It is just your ticket system talking to my ticket system offering to block access to your servers IP, which would not help to solve your problem anyway)

So what do I do about the failed logins, why is Yunohosts threshold so low that it complains about that?

Should I switch to a not standard port? Login by SSH is only allowed key based, so guessing the password would not work.

What do I do?

Message:

[WARNING] There's been a suspiciously high number of authentication failures recently. You may want to make sure that fail2ban is running and is correctly configured, or use a custom port for SSH as explained in https://yunohost.org/security.