
Fail2Ban vs low and slow attacks

Published Jan 3, 2023 10:36 am

Fail2Ban is a tool that helps protect servers from brute-force attacks by scanning log files and banning IP addresses that show malicious activities. This usually means repeated failed login attempts. Fail2Ban is a useful tool for blocking malicious traffic and increasing the security of your server.

The default configuration of Fail2Ban is effective at blocking “loud and proud” brute-force attacks. These are attacks that use high volumes of traffic and are easy to detect.

However, “low and slow” attacks, which use smaller volumes of traffic and are designed to evade detection, may be more difficult to block with the default configuration. These are the most recent email-based attacks we saw coming from what I suspect are state-sponsored hacking groups.

To counter slow and low brute-force attacks, you can configure Fail2Ban to have a “short temper” by setting the “findtime” parameter to a lower value.

This will cause Fail2Ban to detect and ban IP addresses more quickly, making it more difficult for attackers to successfully brute-force their way into your server.
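Fail2Ban bans an address once `maxretry` failures fall inside a window of `findtime` seconds, so whether a pattern is caught depends on both values and on how far apart the failures are. The sketch below is an added example, not Fail2Ban's own code or part of the original article: it replays constructed failure timestamps against several (`findtime`, `maxretry`) pairs, whose non-default values are assumptions chosen for illustration.

```python
from collections import deque

def first_ban_time(failure_times, findtime, maxretry):
    """Return the time of the failure that triggers a ban, or None.

    Simplified model of the counting rule: an address is banned once
    `maxretry` failures fall within a sliding window of `findtime` seconds.
    """
    window = deque()
    for t in sorted(failure_times):
        window.append(t)
        # Forget failures that have aged out of the findtime window.
        while t - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            return t
    return None

# Constructed failure timestamps (seconds) for one source address.
LOUD = [i * 2 for i in range(20)]      # 20 failures, 2 s apart
SLOW = [i * 240 for i in range(20)]    # 20 failures, 4 min apart

# (findtime, maxretry) pairs; the first is the stock jail.conf default.
# A shorter findtime only bans sooner if maxretry is lowered with it,
# because fewer failures fit inside a shorter window.
SETTINGS = {
    "default 10m / 5": (600, 5),
    "shorter window 5m / 5": (300, 5),
    "fewer retries 10m / 3": (600, 3),
    "wider window 1h / 5": (3600, 5),
}

def evaluate(failure_times):
    """Map each settings label to the ban time (or None) for a pattern."""
    return {label: first_ban_time(failure_times, ft, mr)
            for label, (ft, mr) in SETTINGS.items()}

if __name__ == "__main__":
    for name, pattern in (("loud", LOUD), ("slow", SLOW)):
        for label, banned_at in evaluate(pattern).items():
            print(f"{name:4} | {label:22} | ban at: {banned_at}")
```

Replace `SLOW` with the failure times for one address taken from your own mail log to see which settings would have banned it.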

You can also configure Fail2Ban to have a “longer memory” by setting the to a higher value. This will cause Fail2Ban to remember banned IP addresses for a longer period of time, making it more difficult for attackers to simply switch to a new IP address and continue the attack. These two ideas are credited to redditor u/TyphoidJaneDoeMary.

You can then configure Fail2Ban to “forever ban” IP addresses by setting the “bantime” parameter to -1. Thanks to Jayr Baldevia for this idea. This will cause Fail2Ban to permanently ban any IP addresses that it detects as being malicious, which can be an effective way to prevent repeated attacks from the same source.

Here is what it looks like:

It’s important to note that while these configurations can be effective at blocking brute-force attacks, they may also result in legitimate users being accidentally banned if they make too many failed login attempts. It’s a good idea to carefully monitor the logs and make sure that you’re not accidentally blocking legitimate traffic. If that happens, ask the user for their IP address and unban it.

Finally, you can try to add two-factor authentication. This is a bit hard, but not impossible to do. Clint Canada suggests:

“you let postfix use dovecot as the SASL authentication server in /etc/postfix/main.cf and set up communication to the Unix Socket which ties up to dovecot.

Dovecot can be configured to use PAM (this is for use in Google Authenticator PAM modules) or OAuth2 for sign on to an identity server (you can use auth0 which has a free plan of up to 7,000 active users and unlimited logins, but MFA has a payment here).

If you set up Keycloak (an open source Java-based identity server), you can use OAuth2, then MFA as well.”
