Fail2Ban is a free software package that watches a server's log files, looking for multiple failed login attempts and banning remote hosts that appear to be conducting brute-force password scans or searching for vulnerabilities. It also sends e-mail reports every time it bans a new host. But sometimes those reports go astray, and from them we can get an idea of who's attacking who, when, from where, and on what service.
From: MAILER-DAEMON@example.com To: email@example.com Subject: failure notice Hi. This is the qmail-send program at example.com. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out. <firstname.lastname@example.org>: Remote host said: 550 Requested action not taken: mailbox unavailable --- Below this line is a copy of the message. Return-Path: <email@example.com> Subject: [Fail2Ban] SSH: banned 22.214.171.124 From: Fail2Ban <firstname.lastname@example.org> To: email@example.com Hi, The IP 126.96.36.199 has just been banned by Fail2Ban after 6 attempts against SSH. Regards, Fail2Ban
Fail2Ban is a pretty nice tool, and even when it doesn't help a lot with security (e.g., if you've turned off SSH password authentication), it still provides a drastic reduction in the logspam caused by intrusion attempts. The only problem I've seen with it is that, until July 2011, Fail2Ban's default configuration file specified the
firstname.lastname@example.org and the
email@example.com, which are both hosted by freemail provider Mail.com. I guess the person who set this up assumed that mail.com was invalid.
firstname.lastname@example.org is either reserved or filled to the limit, so when Fail2Ban detects an attack on a misconfigured server, its report gets bounced back to the sender,
email@example.com. I registered that address back in 2010 so that the reports wouldn't fall into the wrong hands, and I left it to collect bounced reports. In July 2014, I parsed the reports and made the charts you see below. Unfortunately, Mail.com's "unlimited storage" is actually limited to 500,000 messages, which get used up in about a month, and I didn't download the reports very often, so there are some big gaps in the data.
firstname.lastname@example.org. I just registered the account.