Pedro:
I use Fail2Ban as well, and created my own Jail to help with this.
First, you will need to create a jail. In the Fail2Ban directory "filter.d", create a new text file called "jnos.conf".
In the file called "jnos.conf" place the following text.
_____________________________________
# Fail2Ban configuration file
#
# Author: Wm Lewis - KG6BAJ
#
# $Revision$
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w-.^_]+)
# Values: TEXT
#
failregex = ^.* <HOST>:.*bad login.*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
___________________________________
Next, after creating this file, in the main Fail2Ban directory, add the following to your "jail.local" file.
______________________________
#
# Custom Made Bans
#

[jnos]

enabled = true
port = anyport
filter = jnos
logpath = /jnos/logs/nos.log
banaction = shorewall
action = %(action_mwl)s
maxretry = 2
______________________________
*** Note #1 : Your BANACTION may be different, depending on what your box is using as a default ban method. Look at some of the other jail entries (like [postfix]). You may need to change the BANACTION to match the others. If your other jails are working with Fail2Ban's default settings, you could comment out the "banaction = shorewall" with a hash so it reads "#banaction = shorewall". Obviously I use shorewall for my firewall. Your system may be using something else.
Note #2 : Your path to your jnos log file may have to be tweaked to something like "/jnos/logs/filename.extension"
I am using a version of jnos where I can specify that jnos logs are called "nos.log" and rotated every 24 hours. Your jnos may be custom built to call the logs something else.
After you've installed the "jnos.conf" jail file, and added the jnos jail settings, then restart Fail2Ban. Assuming you've made any appropriate directory tweaks needed to what I supplied, and assuming you've also adjusted your "jail.local" file's email address to be your own, you should start getting emails telling you when Fail2Ban bans an IP address from the jnos logs for a bad login attempt.
Note, I put MAXRETRY = 2. This tells the jail to allow 2 bad login tries, and then ban on the third bad attempt.
Hope this helps. I currently show over 1300 banned IP addresses from jnos using this method.
73 Bill Lewis / KG6BAJ
At 11:39 AM 6/12/2016, you wrote:
(Please trim inclusions from previous messages)
_______________________________________________
Hello,
Since last months my JNOS MBOX is being attacked:
15:24:59 94.53.236.39:55248 - MBOX (supervisor) bad login
15:25:07 113.162.86.77:35247 - MBOX (support) bad login
15:25:09 190.140.17.22:53348 - MBOX (root) bad login
15:25:14 92.27.102.224:38887 - MBOX (support) bad login
15:25:14 114.109.125.48:42069 - MBOX (administrator) bad login
15:25:35 190.140.17.22:54146 - MBOX (root) bad login
15:25:50 92.27.102.224:40191 - MBOX (support) bad login
15:26:33 182.184.71.162:41259 - MBOX (root) bad login
15:26:49 182.184.71.162:41259 - MBOX (sh) bad login
15:26:50 89.22.213.165:33979 - MBOX (root) bad login
15:27:52 89.22.213.165:34979 - MBOX (root) bad login
None of the users tried have granted permit.
Installed fail2ban but to no avail. Attacking IPs change continuously; routing to loopback is no help. Due to heavy load, jnos eventually hangs.
Is it there any way/suggestion to stop this ?
Appreciate any help.
73, lu7abf, Pedro Converso
44.153.0.1 or conversoft.com.ar
pconver@gmail.com
_________________________________________
44Net mailing list
44Net@hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
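Added example (not part of either message, and not fail2ban's own code): the failregex from the jnos.conf filter above, run over the log lines quoted in the original message, counting matches per source address. Assumptions: the <HOST> expansion is a simplified IPv4-only stand-in, the last sample line is constructed, and fail2ban's findtime window is ignored.

```python
import re
from collections import Counter

# failregex copied from the jnos.conf filter above.
FAILREGEX = r"^.* <HOST>:.*bad login.*$"

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> expansion,
# sufficient for the address:port form seen in these log lines.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

# Log lines quoted in the original message, plus one constructed line
# (the last, format assumed) that is not a failure and must not match.
SAMPLE_LOG = """\
15:24:59 94.53.236.39:55248 - MBOX (supervisor) bad login
15:25:07 113.162.86.77:35247 - MBOX (support) bad login
15:25:09 190.140.17.22:53348 - MBOX (root) bad login
15:25:14 92.27.102.224:38887 - MBOX (support) bad login
15:25:14 114.109.125.48:42069 - MBOX (administrator) bad login
15:25:35 190.140.17.22:54146 - MBOX (root) bad login
15:25:50 92.27.102.224:40191 - MBOX (support) bad login
15:26:33 182.184.71.162:41259 - MBOX (root) bad login
15:26:49 182.184.71.162:41259 - MBOX (sh) bad login
15:26:50 89.22.213.165:33979 - MBOX (root) bad login
15:27:52 89.22.213.165:34979 - MBOX (root) bad login
15:28:10 192.0.2.10:1025 - MBOX (n0call) login
"""

def failures_per_host(log_text):
    """Count failregex matches per source address (port is discarded)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = PATTERN.match(line)
        if match:
            counts[match.group("host")] += 1
    return counts

def hosts_with_at_least(counts, n):
    """Addresses with n or more matches; compare n with the jail's maxretry."""
    return sorted(host for host, seen in counts.items() if seen >= n)

if __name__ == "__main__":
    counts = failures_per_host(SAMPLE_LOG)
    for host, seen in counts.most_common():
        print(f"{host:16} {seen}")
    for n in (2, 3):
        print(f"at least {n} failures:", hosts_with_at_least(counts, n))
```

On this excerpt the 11 failures come from 7 different addresses and no address appears more than twice, so the retry threshold decides whether any of them is caught at all.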