
Attack Detector

The Attack Detector app scans your system for authentication failures across various types of services installed on your system. If the failure threshold is reached, the app will block the attacking system. For example, it is a common tactic for spammers to guess a valid username/password combination for sending unsolicited outbound mail. The Attack Detector detects the failed login attempts and actively blocks the spammer.

Installation

If your system does not have this app available, you can install it via the Marketplace.

You can find this feature in the menu system at the following location:

<navigation>Gateway|Intrusion Protection|Attack Detector</navigation>

Settings

Whitelist LAN(s)

This allows you to whitelist all devices on your LAN. This can be useful, for example, if you find that when users change their passwords through the webconfig, they end up locked out of the mail app because they did not update the password there quickly enough. There is a trade-off between security and usability.

If you had previously whitelisted your LAN by adding it to the ignoreip parameter in /etc/fail2ban/jail.local, you can now remove that edit, but do not remove the %(lan_subnets)s entry.

Rules

The following apps provide rule sets for the Attack Detector app:

  • SSH Server
  • FTP Server
  • SMTP Server
  • IMAP Server

If you have one of the above apps installed, you will see corresponding Attack Detector rules in the configuration interface. You can enable and disable any of these rules using the web-based interface.

Bans

This section shows all current bans. If you need to unblock/unban them, you can delete the bans here.

Permanently Whitelisting IPs

If this application is installed and you want to whitelist IP addresses or subnets, edit the file /etc/fail2ban/jail.local and update the ignoreip line:

[DEFAULT]
ignoreip = %(lan_subnets)s ip1_to_whitelist ip2_to_whitelist subnet1_to_whitelist subnet2_to_whitelist

Change “ip1_to_whitelist ip2_to_whitelist subnet1_to_whitelist subnet2_to_whitelist” to the IPs and/or subnets you want to whitelist in the “ignoreip” line (separated by spaces). Then restart the app.
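The following script is an added example, not code from this page or from the Attack Detector app, and it does not call fail2ban itself. It shows the two ideas described above in one place: reading the ignoreip line from a jail.local-style file and checking that the %(lan_subnets)s entry survived the edit and that every other token is a valid IP or CIDR, then counting failed logins per source over sshd-style log lines and reporting which sources reach the failure threshold without being whitelisted. The jail.local text, the LAN_SUBNETS value substituted for %(lan_subnets)s, the maxretry value and the log lines are all constructed for the example; real fail2ban applies its own filters and a findtime window, which this simplified model omits.

```python
import configparser
import ipaddress
import re
from collections import Counter

# Constructed stand-in for /etc/fail2ban/jail.local (example content, not the page's file).
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = %(lan_subnets)s 203.0.113.7 198.51.100.0/24
maxretry = 3
"""

# Assumed value the app substitutes for %(lan_subnets)s; a placeholder, not a real setting.
LAN_SUBNETS = "192.168.1.0/24 10.0.0.0/8"

# Constructed sshd-style log lines using TEST-NET addresses (not captured from a real host).
AUTH_LOG = """\
Sep  3 11:50:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.50 port 40122 ssh2
Sep  3 11:50:04 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.50 port 40122 ssh2
Sep  3 11:50:07 gw sshd[1201]: Failed password for root from 203.0.113.50 port 40123 ssh2
Sep  3 11:51:10 gw sshd[1210]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Sep  3 11:51:12 gw sshd[1210]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Sep  3 11:51:15 gw sshd[1210]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Sep  3 11:51:18 gw sshd[1210]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Sep  3 11:52:00 gw sshd[1222]: Failed password for bob from 203.0.113.7 port 52000 ssh2
Sep  3 11:52:02 gw sshd[1222]: Failed password for bob from 203.0.113.7 port 52000 ssh2
Sep  3 11:52:05 gw sshd[1222]: Failed password for bob from 203.0.113.7 port 52000 ssh2
Sep  3 11:53:00 gw sshd[1230]: Failed password for invalid user test from 203.0.113.80 port 53000 ssh2
Sep  3 11:53:03 gw sshd[1230]: Failed password for invalid user test from 203.0.113.80 port 53000 ssh2
Sep  3 11:53:30 gw sshd[1240]: Accepted password for alice from 192.168.1.20 port 51010 ssh2
"""

# Matches the source address of an sshd failed-password line.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def parse_jail(text, lan_subnets):
    """Return (ignore_networks, maxretry) from jail.local text.

    Raises ValueError if %(lan_subnets)s was dropped from ignoreip or if a
    token is not a valid IP/CIDR, the two mistakes a hand edit can introduce.
    """
    cp = configparser.ConfigParser(interpolation=None)  # keep %(lan_subnets)s literal
    cp.read_string(text)
    default = cp["DEFAULT"]
    tokens = default.get("ignoreip", "").split()
    if "%(lan_subnets)s" not in tokens:
        raise ValueError("ignoreip no longer contains %(lan_subnets)s")
    networks = []
    for token in tokens:
        expanded = lan_subnets.split() if token == "%(lan_subnets)s" else [token]
        for item in expanded:
            # ip_network raises ValueError on a malformed entry; strict=False
            # accepts a bare address or a subnet written with host bits set.
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks, int(default.get("maxretry", "3"))


def is_whitelisted(ip, networks):
    """True if the address falls inside any ignoreip network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_attackers(log_text, networks, maxretry):
    """Count failed logins per source and return the sources that reached
    maxretry and are not whitelisted, i.e. the ones that would be banned."""
    failures = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match and not is_whitelisted(match.group(1), networks):
            failures[match.group(1)] += 1
    return sorted(ip for ip, count in failures.items() if count >= maxretry)


if __name__ == "__main__":
    nets, limit = parse_jail(JAIL_LOCAL, LAN_SUBNETS)
    print("whitelisted:", [str(n) for n in nets])
    print("would ban:", find_attackers(AUTH_LOG, nets, limit))
```

With the constructed data, 203.0.113.50 reaches the threshold and is reported; 192.168.1.20 is covered by the LAN subnet and 203.0.113.7 by the explicit entry, so their failures are ignored, and 203.0.113.80 stays below maxretry. Running parse_jail against a copy of the file with %(lan_subnets)s removed raises immediately, which is the check worth making before restarting the app.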

Technical Note

content/en_us/7_ug_attack_detector.txt · Last modified: 2021/09/03 11:55 by 62.30.63.90