toad.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server operated by David Troy, a tech pioneer and investigative journalist addressing threats to democracy. Thoughtful participation and discussion welcome.

#fail2ban

Dave Robinson<p>Don't believe everything you find on the Internet. Even well-intended stuff can contain serious flaws...<br><br>I was wondering why my <a href="https://europhiles.uk/tags/gotosocial" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GoToSocial</span></a> Fediverse feed was a bit quiet, and why no one was engaging with any of my posts. I assumed it was because I had nothing useful to say, as usual. However, it turned out that over the past week or so the <a href="https://europhiles.uk/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Fail2Ban</span></a> regex I'd added was quietly and steadily blocking other ActivityPub servers. The lights were going out!<br><br>I have now concocted my own regular expression based on the official documentation ( <a href="https://docs.gotosocial.org/en/v0.19.1/advanced/security/firewall/" rel="nofollow noopener" target="_blank">https://docs.gotosocial.org/en/v0.19.1/advanced/security/firewall/</a>), but adapted to cope with the JSON logs generated by Caddy. That will teach me to be lazy.</p>
Elena Rossini on GoToSocial ⁂<p>Me right now: studying the ins and outs of <a href="https://aseachange.com/tags/docker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Docker</span></a>, ports exposure, firewalls and <a href="https://aseachange.com/tags/tls" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TLS</span></a>.</p><p>I’ve got a brand new VPS (on Hetzner) that for now only has <a href="https://aseachange.com/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Fail2Ban</span></a> on it.</p><p>Let’s see when I’ll feel confident (reckless?) enough to install <a href="https://aseachange.com/tags/docker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Docker</span></a> on it 😅</p><p>This time I learned my lesson and I’m only paying month-by-month. And I’ve got many thoughts about what went down yesterday that I may share in a blog post soon.</p><p>Thanks for all your supportive messages ❤️ I hope my public fumbles are useful to fellow <a href="https://aseachange.com/tags/selfhosting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>selfhosting</span></a> newbies 🥲</p><p><a href="https://aseachange.com/tags/mysocalledsudolife" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MySoCalledSudoLife</span></a> <a href="https://aseachange.com/tags/sudomaimparo" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SudoMaImparo</span></a></p>
Elena Rossini on GoToSocial ⁂<p>:alert: MAJOR Plot twist! :FireDumpster:<br><br>I'm sure you're having a better morning than me because I was greeted with an email from <a href="https://aseachange.com/tags/ovh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OVH</span></a> (the VPS provider) that started with "Hello Mr. Rossini" and informed me that the VPS was stopped because they suspected a hack - and it will be permanently deleted. "Now let us know Mr. Rossini if you'd like to purchase a new VPS plan."<br><br>30 Euros* for 4 hours of VPS experimentation with Docker! YAY (not!)<br><br>(*30 Euros corresponded to a 6-month plan, sigh)<br><br>I received ZERO advance warnings... <a href="https://aseachange.com/tags/ovhcloud" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OVHCloud</span></a> simply deleted my VPS because of "unusual activity" and proposed I buy a new one.<br><br>I had installed <a href="https://aseachange.com/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Fail2Ban</span></a> on it first thing yesterday morning, but I suppose changing 0.0.0.0 with my VPS's IP4 address in one of the Docker settings... to connect it to Docker GUI did it for me.<br><br>You live, you learn.<br><br>I will stay away from OVH Cloud.<br><br>(Yes I had tried creating an account with Hetzner and NetCup before but they had a convoluted signup process and wanted too much personal info/docs, so I had given up and turned to OVH. My bad).<br><br>What will I do now?<br><br>Find a new VPS provider.<br><br>Feeling salty about the 30 Euros I spent for 6 months with OVH but honestly I feel like I dodged a bullet. I had nothing installed on the VPS, except for Fail2Ban and basic Docker. Imagine how catastrophic it would have been if they had deleted my VPS without warning if I had important stuff on it! 
Shivering at the thought.<br><br>Onwards and upwards, more humble than ever, with infinite respect for sysadmins 🙏​<br><br><a href="https://aseachange.com/tags/mysocalledsudolife" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MySoCalledSudoLife</span></a> <a href="https://aseachange.com/tags/n00b" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>N00b</span></a></p>
Elena Rossini on GoToSocial ⁂<p>Dear Fedi friends,<br><br>Sometimes it's good to know when you need to call it a day. Today I ended my <a href="https://aseachange.com/tags/sudo" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sudo</span></a> exploits at 10:00am... I'm mentally exhausted already... but happy about the progress I made.<br><br>I started tinkering with my new VPS at 7:30am and managed the following tasks:<br><br>- installed <a href="https://aseachange.com/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fail2ban</span></a><br>- installed <a href="https://aseachange.com/tags/docker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Docker</span></a> and checked if it was running successfully with their "hello world" method (it does)<br>- enabled remote access changing the listening port<br>- secured the connection with TLS<br><br>I wasn't able to create a new Docker context on Docker Desktop to point to my VPS... I ran into error messages about having to include certificates (with the right path)... so I decided to call it a day.<br><br>I wanted to end my Day 1 of Docker explorations on a good note.<br><br>I plan on writing about this on my blog later today so I can refer back to the steps later... when I actually install Docker on my VPS running Ghost.<br><br>Onwards and upwards (it's very apt that "sudo" in Italian means "I sweat" LOOOOL)<br><br><a href="https://aseachange.com/tags/mysocalledsudolife" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MySoCalledSudoLife</span></a> <a href="https://aseachange.com/tags/selfhosting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>selfhosting</span></a> <a href="https://aseachange.com/tags/newbie" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>newbie</span></a><br><br></p>
daltux<span class="h-card"><a href="https://mastodon.chuggybumba.com/users/thanius" class="u-url mention" rel="nofollow noopener" target="_blank">@thanius@mastodon.chuggybumba.com</a></span> <span class="h-card"><a href="https://social.anoxinon.de/users/Codeberg" class="u-url mention" rel="nofollow noopener" target="_blank">@Codeberg@social.anoxinon.de</a></span> What if we set up a <a href="https://snac.daltux.net?t=fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#fail2ban</a> jail on HTTPd logs (how would we do this?) to block them, rather than consuming more costly CPU and network resources to generate and send the trap file? Would this be a viable solution? 🧠💭<br><br><a href="https://snac.daltux.net?t=brainstorming" class="mention hashtag" rel="nofollow noopener" target="_blank">#brainstorming</a> <a href="https://snac.daltux.net?t=idea" class="mention hashtag" rel="nofollow noopener" target="_blank">#idea</a> <a href="https://snac.daltux.net?t=robots" class="mention hashtag" rel="nofollow noopener" target="_blank">#robots</a><br>
spla<p>Since 7 pm yesterday, <a href="https://mastodont.cat/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fail2ban</span></a> has been automatically blocking all the IPs of nosy bots, not just Amazonbot. Right now it has already blocked a total of 1,171 IPs, with 327 actively blocked. <br>Edit: no robot gets anything from mastodont.cat; they only "see" that the connection has been dropped, thanks to a specific nginx configuration (the software that serves the content).</p><p><a href="https://mastodont.cat/tags/scraping" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scraping</span></a> <a href="https://mastodont.cat/tags/BotsXafarders" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BotsXafarders</span></a></p>
ShawnT 🐀<p>```bash<br>root@machine:/etc/fail2ban/jail.d# fail2ban-client status sshd<br>Status for the jail: sshd<br>|- Filter<br>| |- Currently failed: 2<br>| |- Total failed: 141649<br>| `- File list: /var/log/auth.log<br>`- Actions<br> |- Currently banned: 16<br> |- Total banned: 35247<br> `- Banned IP list: YOU KNOW WHO YOU ARE<br>```<br>It's the little things that make life safer against the background radiation of the Internet. Always use <a href="https://mastodon.coffee/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fail2ban</span></a>, even if it's cranky.</p>
ppom<p><a href="https://mamot.fr/tags/reaction" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reaction</span></a> v2.2.0 is released!</p><p>Two big new features:<br>- Full IP support (built-in regex, ip ranges, different actions on IPv4 and IPv6...)<br>- Options for action deduplication</p><p>See the release for a more detailed changelog:<br><a href="https://framagit.org/ppom/reaction/-/releases/v2.2.0" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">framagit.org/ppom/reaction/-/r</span><span class="invisible">eleases/v2.2.0</span></a></p><p><a href="https://mamot.fr/tags/reaction" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reaction</span></a>-rust <a href="https://mamot.fr/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rust</span></a> <a href="https://mamot.fr/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fail2ban</span></a></p>
House Panther :verified_paw:<p>I really hate the assholery out there on the <a href="https://goblackcat.social/tags/interwebs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>interwebs</span></a>. If it weren’t for <a href="https://goblackcat.social/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fail2ban</span></a>, I’d be facing even more aggressive daily denial-of-service attacks. I get these periods of time where shit slows down to a crawl and I get these random attacks. I’m almost certain that they’re happening on the SSH and WireGuard ports. Yes, changing the SSH port to a non-standard port does help some and I think I am going to do that when I get home to mitigate this somewhat. But it will be only a matter of time before a port scanner discovers the new SSH port and alerts the bots to the new port. I’m sure that the bots are also trying to attack WireGuard. WireGuard is damn near impossible so the bots are simply just trying to be assholes for the sake of breaking <a href="https://goblackcat.social/tags/Mastodon" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Mastodon</span></a>.</p><p>It wouldn’t surprise me if the Twitter, X, or whatever flavor of the month fuckers were behind it. WireGuard keeps no logs so I have no idea. I’d have to do a <a href="https://goblackcat.social/tags/wireshark" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>wireshark</span></a> and see what IP addresses are trying to break WireGuard. Bottom line is I think I need some more advanced routing capabilities. </p><p>I may look into adding <a href="https://goblackcat.social/tags/ZenArmor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ZenArmor</span></a> to my defensive tools. ZenArmor offers deep packet inspection. This would allow a little bit smarter blocking of the bots based on their traffic signatures. 
This way whatever gets through the geoblocking could potentially get nailed by ZenArmor. Then what gets missed by ZenArmor will get cleaned up by fail2ban. I’ll have to see how difficult ZenArmor is to configure. If it’s going to be a bitch, I’ll replace <a href="https://goblackcat.social/tags/AlmaLinux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AlmaLinux</span></a> on my VPS with <a href="https://goblackcat.social/tags/OPNsense" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OPNsense</span></a>, a true router/firewall.</p>
House Panther :verified_paw:<p>I am having a lot of fun with <a href="https://goblackcat.social/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fail2ban</span></a>. Since all of my <a href="https://goblackcat.social/tags/ssh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ssh</span></a> authentication is done through ssh keys, I've set the failure threshold to 0. So that means as soon as the failure occurs, the IP address is blocked. I've noticed that with the combination of geoblocking and setting the failure threshold to 0, the assholery is lessening. I guess the bots aren't even bothering.</p>
𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕<p><span class="h-card" translate="no"><a href="https://other.li/@monkee" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>monkee</span></a></span> IMO many (especially the old ones) are also very crude, and protection can be done differently too, and <a href="https://chaos.social/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fail2ban</span></a> is at least a start – I don't have / know THE solution yet apart from the ones mentioned above.</p>
LovesTha🥧<p><a href="https://floss.social/tags/SelfHosting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SelfHosting</span></a> question: when hosting a bunch of services on the same box (say all in docker containers), do you do <a href="https://floss.social/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fail2ban</span></a> in each containerised service or globally on the host?<br><a href="https://floss.social/tags/AskFedi" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AskFedi</span></a></p>
nan0<p>Is there an "easy" way to sync IPs that get banned via <a href="https://chaos.social/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fail2ban</span></a> between servers?</p><p>:BoostOK:</p>
Sean Riley<p>OK so I finally got fail2ban to play nice with pf while keeping the Apple Application firewall happy. </p><p>I'm going to step away now...</p><p>Will need to document later.</p><p><a href="https://opensocial.media/tags/BSD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSD</span></a> <a href="https://opensocial.media/tags/Apple" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Apple</span></a> <a href="https://opensocial.media/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fail2ban</span></a> <a href="https://opensocial.media/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a></p>
Geeky Malcölm 🇨🇦<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@nono2357" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>nono2357</span></a></span> I'm running an <a href="https://ioc.exchange/tags/obfs4" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>obfs4</span></a> proxy on a VPS &amp; followed this. It's amazing how many attempted logins get blocked with <a href="https://ioc.exchange/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fail2ban</span></a>. SSH Key Authentication is also amazing.</p>
Jordan<p>The Wordpress login brute-force bots are in full swing lately..</p><p><a href="https://defcon.social/tags/wordpress" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>wordpress</span></a> <a href="https://defcon.social/tags/scriptkiddie" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scriptkiddie</span></a> <a href="https://defcon.social/tags/bruteforce" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bruteforce</span></a> <a href="https://defcon.social/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://defcon.social/tags/sysadmin" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sysadmin</span></a> <a href="https://defcon.social/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fail2ban</span></a></p>
ppom<p><a href="https://mamot.fr/tags/reaction" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reaction</span></a>'s v2.1.0 is published!<br>News:<br>- big performance improvements on regex matching 🚀<br>- new 'trigger' command to manually ban IPs 👋 (or whatever you're doing with reaction!)<br>- 'oneshot' actions option, useful for alerting 🚨</p><p><a href="https://framagit.org/ppom/reaction/-/releases/v2.1.0" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">framagit.org/ppom/reaction/-/r</span><span class="invisible">eleases/v2.1.0</span></a></p><p>reaction is a software which aims to replace <a href="https://mamot.fr/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fail2ban</span></a> on UNIX servers, while being faster, more flexible, and nicer to configure.<br><a href="https://mamot.fr/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rust</span></a> <a href="https://mamot.fr/tags/monitoring" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>monitoring</span></a> <a href="https://mamot.fr/tags/alerting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>alerting</span></a> <a href="https://mamot.fr/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a></p>
Dave Robinson<p>To recap on a post from about 2 weeks ago (<br><a href="https://europhiles.uk/@dave/statuses/01JWPDZ6960F1GW4VBRK8EXAE0" rel="nofollow noopener" target="_blank">https://europhiles.uk/@dave/statuses/01JWPDZ6960F1GW4VBRK8EXAE0</a>), due to an error on my part I have been pestered for over a year by Matrix chat servers trying to contact my own long-dead chat server, despite my proxy returning 404 errors. I have now spent a week returning 410 errors (meaning I have gone, am never coming back, and please delete me from your records). This appears to have had no effect, despite the Matrix server to server API spec saying that servers should respect failures and use exponential back-off.<br><br>Anyway, I have now started returning 410s and banning the IP address for 24 hours (doubling each time they further transgress). After less than a day, 250 IP addresses have been blocked. I'm quite loath to do this, because it will have the effect of blocking any Fediverse servers that happen to use the same IP address. Hopefully that won't end up being a problem.<br><br>Anyway, it just shows how much pointless noise and crap is whizzing around the Internet (using up bandwidth, energy and money) just because people either can't be bothered, or lack the skills, to write things properly and make them behave sensibly.<br><br><a href="https://europhiles.uk/tags/matrix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Matrix</span></a> <a href="https://europhiles.uk/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Fail2Ban</span></a></p>
aaron ~# :blinkingcursor:<p>This is just beautiful. The project uses <a href="https://infosec.exchange/tags/MariaDB" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MariaDB</span></a> to store all the collected data. It makes heavy use of <a href="https://infosec.exchange/tags/API" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>API</span></a> endpoints which will be a top priority not only for the internal workings. My focus mostly lies in making this as flexible as possible so people can configure it exactly as they need it. Configuration will be in <a href="https://infosec.exchange/tags/yaml" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>yaml</span></a>.</p><p><strong>What I got so far is:</strong></p><ul><li>packet capturing (from client, sent to the control server)</li><li>a webhook (which will be a drop-in replacement for <a href="https://infosec.exchange/tags/Discord" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Discord</span></a>'s since a lot of services support sending logs to Discord webhooks)</li></ul><p><strong>What's planned:</strong></p><ul><li>Log file monitoring (like <a href="https://infosec.exchange/tags/Fail2Ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Fail2Ban</span></a>, but more advanced and easier to configure)</li><li>A fully featured dashboard which visualizes the data and gives you control and a transparent overview of your network activity.</li><li>IP banning (multiple ways to make it flexible)</li><li>Maybe even some advanced responses (like reporting all ports as open for nmap scans)</li></ul><p><strong>I would be very interested to know what you think. Ideas, criticism and questions are very welcome. 
As soon as the base is working, I will push it to <a href="https://infosec.exchange/tags/Github" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Github</span></a>.</strong></p><p><a href="https://infosec.exchange/tags/developement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>developement</span></a> <a href="https://infosec.exchange/tags/coding" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>coding</span></a> <a href="https://infosec.exchange/tags/sideproject" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sideproject</span></a> <a href="https://infosec.exchange/tags/homelab" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>homelab</span></a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://infosec.exchange/tags/networking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networking</span></a> <a href="https://infosec.exchange/tags/monitoring" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>monitoring</span></a> <a href="https://infosec.exchange/tags/xdr" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xdr</span></a></p>
Charles Perry<p>Anyone out there have experience writing custom filters for fail2ban? I'm trying to write my first one for Apache on AlmaLinux 8 and running into problems. I’m not sure if the problem is the regex or the fact that I’m trying to scan multiple log files using wildcards in the logpath. I would be happy to pay for a few hours of consulting time. <a href="https://mstdn.social/tags/SysAdmin" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SysAdmin</span></a> <a href="https://mstdn.social/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fail2ban</span></a></p>