stalwartlabs / mail-server

Secure & Modern All-in-One Mail Server (IMAP, JMAP, POP3, SMTP)
https://stalw.art

[enhancement]: Let Fail2Ban ban port scanners #820

Open nomadturk opened 2 days ago

nomadturk commented 2 days ago

Which feature or improvement would you like to request?

2024-09-25T05:51:20Z DEBUG HTTP error occurred (http.error) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 37588, reason = "invalid HTTP method parsed"
2024-09-25T05:51:24Z DEBUG POP3 error occurred (pop3.error) listenerId = "pop3s", localPort = 995, remoteIp = 15.204.47.3, remotePort = 36574, details = Invalid command
2024-09-25T05:51:25Z DEBUG IMAP error occurred (imap.error) listenerId = "sieve", localPort = 4190, remoteIp = 15.204.47.3, remotePort = 51068, details = "Unrecognized command 'GET'.", type = BAD, code = PARSE
2024-09-25T05:51:25Z DEBUG HTTP error occurred (http.error) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 33612, reason = "invalid HTTP version parsed"
2024-09-25T05:51:25Z DEBUG HTTP error occurred (http.error) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 33628, reason = "invalid HTTP method parsed"
2024-09-25T05:51:26Z DEBUG HTTP error occurred (http.error) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 33642, reason = "invalid HTTP method parsed"
2024-09-25T05:51:26Z DEBUG HTTP error occurred (http.error) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 33646, reason = "invalid HTTP method parsed"
2024-09-25T05:51:26Z DEBUG HTTP error occurred (http.error) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 33658, reason = "invalid HTTP method parsed"
2024-09-25T05:51:26Z DEBUG HTTP error occurred (http.error) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 33672, reason = "invalid HTTP method parsed"
2024-09-25T05:51:27Z DEBUG HTTP error occurred (http.error) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 33680, reason = "invalid HTTP method parsed"
2024-09-25T05:51:27Z DEBUG HTTP error occurred (http.error) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 33696, reason = "invalid HTTP method parsed"
2024-09-25T05:51:27Z DEBUG HTTP error occurred (http.error) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 33704, reason = "invalid HTTP method parsed"
2024-09-25T05:51:28Z DEBUG HTTP error occurred (http.error) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 33710, reason = "invalid HTTP version parsed"
2024-09-25T05:51:28Z DEBUG HTTP error occurred (http.error) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 33714, reason = "invalid HTTP method parsed"
2024-09-25T05:51:30Z DEBUG IMAP error occurred (imap.error) listenerId = "sieve", localPort = 4190, remoteIp = 15.204.47.3, remotePort = 51078, details = "Unrecognized command 'OPTIONS'.", type = BAD, code = PARSE
2024-09-25T05:51:35Z DEBUG IMAP error occurred (imap.error) listenerId = "sieve", localPort = 4190, remoteIp = 15.204.47.3, remotePort = 37054, details = "Unrecognized command 'OPTIONS'.", type = BAD, code = PARSE
2024-09-25T05:51:51Z DEBUG IMAP error occurred (imap.error) listenerId = "sieve", localPort = 4190, remoteIp = 15.204.47.3, remotePort = 50072, details = "Unrecognized command 'HELP'.", type = BAD, code = PARSE
2024-09-25T05:52:24Z DEBUG IMAP error occurred (imap.error) listenerId = "sieve", localPort = 4190, remoteIp = 15.204.47.3, remotePort = 38632, details = "Unrecognized command 'OPTIONS'.", type = BAD, code = PARSE
2024-09-25T05:52:37Z DEBUG HTTP error occurred (http.error) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 46336, reason = "message head is too large"
2024-09-25T05:52:37Z DEBUG HTTP request URL (http.request-url) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 46424, url = "/docs/cplugError.html/"

Above is an example log from Stalwart where a single IP is trying to find vulnerabilities on different ports or protocols.

Be it a single node or a cluster install, since Stalwart can already parse these, it would have been nice for it to add the IP to the list of Blocked IPs.

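As an added example (not part of the issue and not Stalwart's or Fail2Ban's own code), here is a Fail2Ban-style filter in Python run over log lines of the shape shown above. It treats one remote IP producing protocol parse errors on two or more different listeners inside a short window as a port scanner, and also bans on a plain retry count. The first five sample lines are copied from the log in the issue; the two 192.0.2.10 lines are constructed, and the thresholds, window and ignore list are assumptions, not Stalwart settings.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Sample input. The first five lines are copied from the issue's Stalwart DEBUG log;
# the two 192.0.2.10 lines are constructed: the same "two protocols" pattern, but
# 37 minutes apart, so it falls outside the observation window.
SAMPLE_LOG = """\
2024-09-25T05:51:20Z DEBUG HTTP error occurred (http.error) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 37588, reason = "invalid HTTP method parsed"
2024-09-25T05:51:24Z DEBUG POP3 error occurred (pop3.error) listenerId = "pop3s", localPort = 995, remoteIp = 15.204.47.3, remotePort = 36574, details = Invalid command
2024-09-25T05:51:25Z DEBUG IMAP error occurred (imap.error) listenerId = "sieve", localPort = 4190, remoteIp = 15.204.47.3, remotePort = 51068, details = "Unrecognized command 'GET'.", type = BAD, code = PARSE
2024-09-25T05:51:25Z DEBUG HTTP error occurred (http.error) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 33612, reason = "invalid HTTP version parsed"
2024-09-25T05:52:37Z DEBUG HTTP request URL (http.request-url) listenerId = "https", localPort = 443, remoteIp = 15.204.47.3, remotePort = 46424, url = "/docs/cplugError.html/"
2024-09-25T05:53:00Z DEBUG HTTP error occurred (http.error) listenerId = "https", localPort = 443, remoteIp = 192.0.2.10, remotePort = 40001, reason = "invalid HTTP method parsed"
2024-09-25T06:30:00Z DEBUG POP3 error occurred (pop3.error) listenerId = "pop3s", localPort = 995, remoteIp = 192.0.2.10, remotePort = 40002, details = Invalid command
"""

# One pattern for the common prefix of http.error, pop3.error, imap.error and
# http.request-url lines, in the field order Stalwart prints in the issue.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) DEBUG .*?\((?P<event>[a-z0-9]+\.[a-z-]+)\) '
    r'listenerId = "(?P<listener>[^"]+)", localPort = \d+, '
    r'remoteIp = (?P<ip>[0-9a-fA-F.:]+), remotePort = \d+'
)

FINDTIME_S = 600     # assumed: observation window, like fail2ban's findtime
MAX_ERRORS = 5       # assumed: like fail2ban's maxretry, per IP across all listeners
MIN_LISTENERS = 2    # assumed: distinct listeners with parse errors = port scan


def parse_events(text):
    """Return [(timestamp, remote_ip, listener)] for every *.error event.

    Events such as http.request-url are not errors and are skipped; unparseable
    lines are skipped too rather than aborting the whole run.
    """
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m or not m.group("event").endswith(".error"):
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("ip"), m.group("listener")))
    return events


def scanners(text, findtime_s=FINDTIME_S, max_errors=MAX_ERRORS,
             min_listeners=MIN_LISTENERS, ignore=("127.0.0.0/8", "::1/128")):
    """Return {remote_ip: reason} for every IP that should be banned.

    A sliding window of findtime_s seconds runs over each IP's error events;
    the IP is flagged when the window holds max_errors events, or when the
    events in it come from min_listeners distinct listeners (the scanner case).
    """
    ignore_nets = [ipaddress.ip_network(n) for n in ignore]
    by_ip = defaultdict(list)
    for ts, ip, listener in parse_events(text):
        if any(ipaddress.ip_address(ip) in n for n in ignore_nets):
            continue  # never ban our own/monitoring addresses (fail2ban's ignoreip)
        by_ip[ip].append((ts, listener))

    verdict = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until it spans at most findtime_s seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > findtime_s:
                start += 1
            window = evs[start:end + 1]
            listeners = {lst for _, lst in window}
            if len(window) >= max_errors:
                verdict[ip] = f"{len(window)} protocol errors within {findtime_s}s"
                break
            if len(listeners) >= min_listeners:
                verdict[ip] = f"probed {sorted(listeners)} within {findtime_s}s"
                break
    return verdict


if __name__ == "__main__":
    for ip, why in scanners(SAMPLE_LOG).items():
        print(f"ban {ip}: {why}")
```

With the defaults only 15.204.47.3 is flagged (https then pop3s four seconds apart); 192.0.2.10 is not, because its two probes are 37 minutes apart and the window is 10 minutes. Widening the window to an hour flags it as well, which is the usual trade-off: a long findtime catches slow scanners but also bans a legitimate client whose software misbehaves twice in an hour, so an ignore list for your own monitoring hosts is essential.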

williamdes commented 2 days ago

Or CrowdSec put into the API a list of banned IPs

nomadturk commented 2 days ago

@williamdes

The way I currently do it on other servers is by creating a bash script, getting those lists from various places, merging and deduplicating them, and then adding them to the ip route table as a blackhole.

I use various sources like Emerging Threats, FireHOL lists, Blocklist.de, Tor exit relays etc. And it works.

The problems are

I was thinking, maybe if Stalwart can allow importing a list of IPs from external sources, I can keep a github repo and keep it updated and let Stalwart get the list of IPs from there.

But I don't know if that's a capability Stalwart should have. LOL. We can at least remove the ones Stalwart is already observing with Fail2Ban regexes and block them across the cluster.

But getting them from external places. That would be a nice to have :)
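The merge-and-blackhole procedure described in the comment above, as an added example that is not the commenter's script and not part of Stalwart. It is written in Python rather than bash; the two list files are constructed stand-ins for downloaded feeds (mixed comment styles, bare IPs, CIDRs, duplicates, overlaps and junk), and the allow list of ranges that must never be blackholed is an assumption you should adjust to your own hosts.

```python
import ipaddress
import re

# Constructed stand-ins for two downloaded feeds (Emerging Threats / FireHOL style).
LIST_A = """\
# list A
192.0.2.0/24
198.51.100.7
203.0.113.5
"""
LIST_B = """\
; list B, different comment style
192.0.2.10      ; already covered by list A's /24
198.51.100.7    ; exact duplicate of list A
203.0.113.0/25  ; covers list A's 203.0.113.5
10.0.0.0/8      ; RFC 1918: must never be blackholed on a real host
2001:db8::/32
not-an-address
"""

COMMENT_RE = re.compile(r"[#;].*$")

# Assumed allow list: ranges a blackhole route would cut the host off from.
# Extend with your own public prefixes, monitoring hosts and cluster peers.
DEFAULT_ALLOW = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "::1/128", "fc00::/7")


def parse_list(text):
    """Parse one feed into ip_network objects, skipping comments and junk lines."""
    nets = []
    for raw in text.splitlines():
        line = COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set, e.g. "203.0.113.5/24"
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # one bad feed line must not abort the whole run
    return nets


def merge(lists, allow=DEFAULT_ALLOW):
    """Merge feeds: drop anything touching the allow list, then collapse
    duplicates and overlapping prefixes into the smallest covering set."""
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    v4, v6 = [], []
    for text in lists:
        for net in parse_list(text):
            # drop entries inside an allowed range AND entries that contain one
            # (a feed line of 0.0.0.0/0 would otherwise blackhole everything)
            if any(net.version == a.version and (net.subnet_of(a) or a.subnet_of(net))
                   for a in allow_nets):
                continue
            (v4 if net.version == 4 else v6).append(net)
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def route_commands(nets):
    """Render the merged set as iproute2 commands; 'replace' is idempotent,
    so the script can be re-run from cron without 'File exists' errors."""
    return [f"ip -{n.version} route replace blackhole {n.with_prefixlen}" for n in nets]


if __name__ == "__main__":
    for cmd in route_commands(merge([LIST_A, LIST_B])):
        print(cmd)
```

On the sample feeds this emits four routes instead of nine: 198.51.100.7 once, 192.0.2.10 absorbed into 192.0.2.0/24, 203.0.113.5 absorbed into 203.0.113.0/25, the 10.0.0.0/8 line refused, and the junk line ignored. Collapsing matters on real feeds because a blackhole route table with hundreds of thousands of /32s is slow to rebuild; note that `route replace` never removes prefixes that dropped out of a feed, so a production version should keep the previous set (or a dedicated routing table it can flush) and delete the difference.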