Developers Documentation

×

Warning

301 error for file:https://clearos.com/dokuwiki2/lib/exe/css.php?t=dokuwiki&tseed=82873f9c9a1f5784b951644363f20ef8

User Tools

Site Tools


Attack Detector

The Attack Detector app scans your system for authentication failures across various types of services installed on your system. If the failure threshold is reached, the app will block the attacking system. For example, it is a common tactic for spammers to guess a valid username/password combination for sending unsolicited outbound mail. The Attack Detector detects the failed login attempts and actively blocks the spammer.

Installation

If your system does not have this app available, you can install it via the Marketplace.

You can find this feature in the menu system at the following location:

Gateway|Intrusion Protection|Attack Detector

Rules

7_attack_detector.jpg The following apps provide rule sets for the Attack Detector app:

  • SSH Server
  • FTP Server
  • SMTP Server
  • IMAP Server

If you have one of the above apps installed, you will see corresponding Attack Detector rules in the configuration interface. You can enable and disable any of these rules using the web-based interface.

Permanently Whitelisting IP's

If this application is installed and you want to whitelist an IP addresses or subnets, create a file /etc/fail2ban/jail.local and in it put:

[DEFAULT]
ignoreip = 127.0.0.1/8 ip1_to_whitelist ip2_to_whitelist subnet1_to_whitelist subnet2_to_whitelist

Change “ip1_to_whitelist ip2_to_whitelist subnet1_to_whitelist subnet2_to_whitelist” to the IPs and/or subnets you want to whitelist in the “ignoreip” line (separated by spaces). Then restart the app.

Manually Unbanning IP's

To manually unban an IP first you need to determine the jail name where the IP is being blocked. Copy and paste the following line into a terminal:

for SET in `ipset list -n | grep f2b`; do ipset list $SET -o save | grep ^add | awk '{print $2 " "  $3}'; done

Then unblock the IP from the jail with:

fail2ban-client set {jail-name} unbanip {IP_to_unblock}

The jail name is the part of the string after “f2b-” so the jail name for “f2b-cyrus-imap” is “cyrus-imap”.

Log

The Log section provides a list of blocked IP addresses and the associated rules which were triggered.

Technical Note

The Attack Detector app is powered by fail2ban.

content/en_us/7_ug_attack_detector.txt · Last modified: 2018/12/11 13:31 by NickH

https://clearos.com/dokuwiki2/lib/exe/indexer.php?id=content%3Aen_us%3A7_ug_attack_detector&1710839913