[tor-relays] significant rise in fail2ban alerts for ssh abuse

teor teor2345 at gmail.com
Mon Aug 21 05:09:55 UTC 2017


> On 15 Aug 2017, at 02:57, Ryru <ryru at addere.ch> wrote:
> 
> Hi Dirk, hi List
> 
> On 10.08.2017 21:34, Dirk wrote:
>> As far as I know the functionality of Fail2Ban is old. If there would be
>> a Linux distribution which enables this I would like to talk to the
>> maintainer and let him know that he at least
>> tries to read the correct abuse entry from ripe instead of bothering our
>> provider as well.
> 
> I took a look into the Fail2ban source code[0] today. Although I now
> have a better understanding of how Fail2ban works I cannot really
> provide the problem source.
> 
>  * The feature that causes abuse mails is called 'complain'[1].
> 
> ...
> 
> My findings let me assume that Fail2ban itself is not necessarily the
> source of our problem (increasing 22/ssh abuse mails).
> 
> Other possible causes of the problem could be:
>  * Fail2ban OS specific configuration files
>  * a (new?) popular Fail2ban how-to-guide which promotes the 'complain'
> configuration
>  * Maybe neither of the two changed anything and we just had bad luck in
> the past weeks?
> 
> Maybe someone else has real world experiences with Fail2ban and can help
> us out here?

Our experience is that our email provider took a few months to identify
Fail2ban emails as spam, and automatically delete them. We haven't seen
any since then. It's no great loss.

Perhaps there have been changes to Fail2ban that have evaded some
automated filters, or your email provider changed their spam filter
config.

T
--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n