mj <lists@merit.unu.edu> writes:

>>> However, it seems almost all IPs are different, and I don't think I can keep the above settings permanently.
>>
>> Why not? Limited by firewall rules overload? You could probably use a persistent DB, can't you?
>
> I meant: keep the "block after the first failed attempt" setting. People need the chance to change their password, so I have increased it to two.

A timeout feature is handy here; even though you allow attackers several kicks at the can, it will allow your users to eventually gain control of their accounts again after a suitable penalty period.

>> You can also use a third party RBL that specializes in brute forcers like blocklist.de. You can also feed back fail2ban data and crowdsource BFD data to them.
>
> Yes, I will look into that now. ...
>
> Anyone aware of other blocklists that are worth blocking? Because the list.blocklist.de/lists/all.txt blocks some, but not anywhere near all.

There are other RBLs that overlap with this (like CBL), but they include entries that will produce false positives. There was OpenBL but that is defunct.

The different lists at blocklist.de have varying efficacy: the ssh and smtp BFD detection are fairly good (they have a 90+% hit rate at my site), but the IMAP/POP BFD detection is not as good (maybe 20%). However, if people start feeding IMAP/POP fail2ban data back to blocklist.de, that will get better.

> I now know how to block large lists of IPs, so if anyone has additional lists to block?

Yeah, all of ChinaNet. May produce false positives.
Joseph Tam <jtam.home@gmail.com>
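The two mechanisms discussed in this message, a "ban after N failures" rule whose ban expires after a penalty period, and a static blocklist in the one-address-per-line format blocklist.de publishes, as an added, self-contained example written for this page (not code from the thread, fail2ban or blocklist.de). The log lines and blocklist entries are constructed; the epoch-seconds prefix, the `BanTracker` class and its `maxretry`/`findtime`/`bantime` names are assumptions modelled loosely on fail2ban's jail options:

```python
import re
from collections import defaultdict, deque

# Constructed Dovecot-style auth failure lines, prefixed with an epoch timestamp
# (assumption: a real setup would parse the syslog date instead).
SAMPLE_LOG = """\
1000 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=198.51.100.7
1005 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=198.51.100.7
1010 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=203.0.113.9
1020 dovecot: imap-login: Login: user=<alice>, rip=198.51.100.7
2000 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=198.51.100.7
"""

# Constructed stand-in for a downloaded list such as list.blocklist.de/lists/all.txt.
SAMPLE_BLOCKLIST = """\
# constructed sample, not real blocklist.de data
192.0.2.50
192.0.2.51
"""

AUTH_FAIL_RE = re.compile(r"^(?P<ts>\d+) .*auth failed.*rip=(?P<ip>[0-9.]+)")


class BanTracker:
    """Ban an IP after `maxretry` failures within `findtime` seconds.

    The ban lasts `bantime` seconds and then expires, so a legitimate user who
    tripped the rule regains access after the penalty period. Addresses on the
    static blocklist are always blocked.
    """

    def __init__(self, maxretry=2, findtime=600, bantime=3600, static_blocklist=()):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.ban_until = {}                 # ip -> timestamp when the ban expires
        self.static = set(static_blocklist)

    def is_blocked(self, ip, now):
        if ip in self.static:
            return True
        until = self.ban_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.ban_until[ip]  # penalty served, lift the ban
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed login; return True if this failure triggers a ban."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.findtime:
            recent.popleft()  # drop failures outside the observation window
        if len(recent) >= self.maxretry:
            self.ban_until[ip] = now + self.bantime
            recent.clear()  # start counting afresh once the ban expires
            return True
        return False


def load_blocklist(text):
    """Parse a one-address-per-line blocklist, skipping comments and blank lines."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def replay(log_text, tracker):
    """Feed every auth failure in `log_text` to `tracker`; return the bans it caused."""
    bans = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts, ip = int(m["ts"]), m["ip"]
        if tracker.record_failure(ip, ts):
            bans.append((ts, ip))
    return bans


if __name__ == "__main__":
    tracker = BanTracker(static_blocklist=load_blocklist(SAMPLE_BLOCKLIST))
    for ts, ip in replay(SAMPLE_LOG, tracker):
        print(f"banned {ip} at t={ts} until t={tracker.ban_until[ip]}")
    print("198.51.100.7 blocked at t=2000:", tracker.is_blocked("198.51.100.7", 2000))
    print("198.51.100.7 blocked at t=5000:", tracker.is_blocked("198.51.100.7", 5000))
```

With `maxretry=2`, the second failure from 198.51.100.7 at t=1005 bans it until t=4605; bob's single failure does not, and the static list entries are blocked regardless of login history. In production the ban and unban events would be turned into firewall rule changes rather than printed.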