Question regarding upload (fail2ban)

Hi,
I'm using fail2ban to ban every IP that tries to log in to SSH.
I have set the ban time to 50k hours = 57 years :wink:
It bans many attempts, here is a little of my log:

2022-09-30 10:37:00,359 fail2ban.filter         [13117]: INFO    [sshd] Found 64.62.197.47 - 2022-09-30 10:37:00
2022-09-30 10:37:00,483 fail2ban.actions        [13117]: NOTICE  [sshd] Ban 64.62.197.47
2022-09-30 10:40:00,070 fail2ban.filter         [13117]: INFO    [sshd] Found 188.161.179.66 - 2022-09-30 10:40:00
2022-09-30 10:40:00,727 fail2ban.actions        [13117]: NOTICE  [sshd] Ban 188.161.179.66
2022-09-30 10:40:01,881 fail2ban.filter         [13117]: INFO    [sshd] Found 188.161.179.66 - 2022-09-30 10:40:01
2022-09-30 10:46:41,854 fail2ban.filter         [13117]: INFO    [sshd] Found 64.227.33.2 - 2022-09-30 10:46:41
2022-09-30 10:46:42,439 fail2ban.actions        [13117]: NOTICE  [sshd] Ban 64.227.33.2
2022-09-30 10:46:43,460 fail2ban.filter         [13117]: INFO    [sshd] Found 64.227.33.2 - 2022-09-30 10:46:43
2022-09-30 10:55:29,472 fail2ban.filter         [13117]: INFO    [sshd] Found 138.197.195.123 - 2022-09-30 10:55:29
2022-09-30 10:55:29,713 fail2ban.actions        [13117]: NOTICE  [sshd] Ban 138.197.195.123
2022-09-30 11:08:42,897 fail2ban.filter         [13117]: INFO    [sshd] Found 190.18.110.53 - 2022-09-30 11:08:42
2022-09-30 11:08:42,905 fail2ban.actions        [13117]: NOTICE  [sshd] Ban 190.18.110.53
2022-09-30 11:14:47,838 fail2ban.filter         [13117]: INFO    [sshd] Found 222.113.84.214 - 2022-09-30 11:14:47
2022-09-30 11:14:47,973 fail2ban.actions        [13117]: NOTICE  [sshd] Ban 222.113.84.214
2022-09-30 11:14:49,817 fail2ban.filter         [13117]: INFO    [sshd] Found 222.113.84.214 - 2022-09-30 11:14:49
2022-09-30 11:35:09,220 fail2ban.filter         [13117]: INFO    [sshd] Found 139.59.26.6 - 2022-09-30 11:35:09
2022-09-30 11:35:09,495 fail2ban.actions        [13117]: NOTICE  [sshd] Ban 139.59.26.6
2022-09-30 11:40:34,593 fail2ban.filter         [13117]: INFO    [sshd] Found 175.203.201.207 - 2022-09-30 11:40:34
2022-09-30 11:40:35,116 fail2ban.actions        [13117]: NOTICE  [sshd] Ban 175.203.201.207
2022-09-30 11:40:37,301 fail2ban.filter         [13117]: INFO    [sshd] Found 175.203.201.207 - 2022-09-30 11:40:36
2022-09-30 11:49:52,220 fail2ban.filter         [13117]: INFO    [sshd] Found 82.66.19.49 - 2022-09-30 11:49:52
2022-09-30 11:49:52,420 fail2ban.actions        [13117]: NOTICE  [sshd] Ban 82.66.19.49
2022-09-30 11:54:07,063 fail2ban.filter         [13117]: INFO    [sshd] Found 103.130.109.6 - 2022-09-30 11:54:07
2022-09-30 11:54:07,355 fail2ban.actions        [13117]: NOTICE  [sshd] Ban 103.130.109.6
2022-09-30 11:54:09,034 fail2ban.filter         [13117]: INFO    [sshd] Found 103.130.109.6 - 2022-09-30 11:54:09
2022-09-30 12:00:58,948 fail2ban.filter         [13117]: INFO    [sshd] Found 61.177.173.24 - 2022-09-30 12:00:58
2022-09-30 12:00:59,085 fail2ban.actions        [13117]: NOTICE  [sshd] Ban 61.177.173.24
2022-09-30 12:32:19,608 fail2ban.filter         [13117]: INFO    [sshd] Found 71.230.17.167 - 2022-09-30 12:32:19
2022-09-30 12:32:19,613 fail2ban.actions        [13117]: NOTICE  [sshd] Ban 71.230.17.167
2022-09-30 12:32:21,219 fail2ban.filter         [13117]: INFO    [sshd] Found 71.230.17.167 - 2022-09-30 12:32:21
2022-09-30 12:34:58,144 fail2ban.filter         [13117]: INFO    [sshd] Found 137.184.228.225 - 2022-09-30 12:34:58
2022-09-30 12:34:58,423 fail2ban.actions        [13117]: NOTICE  [sshd] Ban 137.184.228.225
2022-09-30 12:35:00,854 fail2ban.filter         [13117]: INFO    [sshd] Found 137.184.228.225 - 2022-09-30 12:35:00
2022-09-30 12:39:05,942 fail2ban.filter         [13117]: INFO    [sshd] Found 201.14.44.230 - 2022-09-30 12:39:05
2022-09-30 12:39:05,946 fail2ban.actions        [13117]: NOTICE  [sshd] Ban 201.14.44.230
2022-09-30 12:39:07,547 fail2ban.filter         [13117]: INFO    [sshd] Found 201.14.44.230 - 2022-09-30 12:39:07
2022-09-30 12:40:25,619 fail2ban.filter         [13117]: INFO    [sshd] Found 114.35.177.194 - 2022-09-30 12:40:25
2022-09-30 12:40:26,055 fail2ban.actions        [13117]: NOTICE  [sshd] Ban 114.35.177.194
2022-09-30 12:40:27,630 fail2ban.filter         [13117]: INFO    [sshd] Found 114.35.177.194 - 2022-09-30 12:40:27

Now my question: can that be bad for my upload? How does the upload work? Are the satellites used like a proxy or is it a direct connection to my server (which may fail if the IP is banned)?
Thanks in advance and nice weekend everyone

Simply move your ssh port to some other random port over 10000, and the problem is partly solved. Just be careful, first allow that port in ufw.

using port 1234 right now… I always change it from 22 to something like 2222, not sure why I used 1234 this time… u think it's much better to use a higher port over 10k?

edit: was looking wrong, there was another bookmark in my SSH client with about the same IP… forgot to change the port 22… did it now

With the way many consumer networks work, with dynamic IPs reallocated daily, yes, it may impact your uploads (and downloads) a lot if you ban all traffic from an IP that had the bad luck of being once assigned to a customer with an unsafe, hacked IoT device.

It’d be OK if you were only banning SSH access, not all traffic.

sounds like a good idea to only ban the ssh port… will check if I can change that

are u 100% sure it's a direct connection to my server?

Yes, customers who use libuplink will connect directly to your node.

thanks again, just noticed fail2ban by default only bans the SSH port, just tested it: got myself banned and scanned the server with zenmap.
ssh port is not shown as open but some others still are… looks like it's working as intended :slight_smile:
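
The port-scoped ban versus the all-traffic ban discussed above, as an added example that is not from any poster in this thread. The file path and the choice of the `iptables-multiport` and `iptables-allports` actions are assumptions about the setup; the port and ban time are the values mentioned in the thread.

```ini
# /etc/fail2ban/jail.local  (added example, not a poster's actual config)

[sshd]
enabled  = true

# Port sshd listens on; the thread mentions 1234. The ban rule is built
# from this value, so it must match the real sshd port.
port     = 1234

# The posted log shows a Ban right after the first Found line,
# which is the behaviour of maxretry = 1.
maxretry = 1

# The thread's ban time of 50k hours, written in seconds
# (50000 * 3600) so it parses on any fail2ban version.
bantime  = 180000000

# Port-scoped ban: only the port above is blocked for a banned address.
# Other services on the host stay reachable from that IP, which matters
# when dynamic IPs are reassigned to unrelated customers.
banaction = iptables-multiport

# All-traffic ban, the case the thread warns about: every port is
# blocked for a banned address, including unrelated services.
# banaction = iptables-allports
```

After reloading fail2ban, `fail2ban-client status sshd` lists the addresses currently banned by this jail.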

Ultimately, I would say no. The chances that one is unwise enough to not update hardware and have it taken over by a botnet yet at the same time wise enough to know how to use uplink to upload data directly to the network are not that high. If more apps start to use libuplink to upload directly, maybe that will change. But at this point I don’t see it having a big impact. I use fail2ban (synology implementation) as well, never noticed an issue, but yeah, definitely don’t use the default port as mentioned. Seems you got that fixed though.

u have forwarded the SSH port of the synology box to the internet? doesn't make much sense imo but that would be the only reason to use fail2ban on it

It’s not, and no, I haven’t forwarded SSH. But I’d rather not go into more details.