Fail2ban banned users with a changed password

Hi Giacomo
I suggest to implement a big warning for the user:
“Please do not forget to immediately use the new password on your communication devices, especially mail accounts. Otherwise, there is the risk of being excluded from server access by implemented security features if several login attempts are registered with the old password.”

Background:
Fail2ban banned users with a changed password and they could not imagine why… big drama…
Sincerely, MArko

Hi, Marko. Moved your post to a new thread. It would be interesting to know more details about the case (in fact, another user suggested this shall be thoroughly explained and examined).

Is it like this?

  1. A user password was changed (by the user, by the admin or by any other means).
  2. A mail client with the old password keeps trying to authenticate.
  3. Fail2ban detects failed authentication in logs and blocks user’s IP.
  4. User is not able to use server resources.

No doubt Fail2ban is doing its job as it should.

1 Like

I had myself the same issue, I changed a password to a stronger one for a user…this was the mistake…the user even aware has been banned by thunderbird after by nextcloud etc etc

A good time :slight_smile:

At this time we just had recidive, but now with the incremental bantime, if you set a short moment like one minute, the user can be out of jail fast

Yes, by the user himself by using the self service page

  1. A mail client with the old password keeps trying to authenticate.

exactly, after the first shock it was easy to identify from the logs because the Dovecot jail was snapped shut.

  1. Fail2ban detects failed authentication in logs and blocks user’s IP.
    Immediately
  1. User is not able to use server resources.

He was completely excluded.

No doubt Fail2ban is doing its job as it should.

Well, it works as aspected. :slight_smile:

Probably the user can be whitelisted for a time period. He might be shown a count down.

A good workflow could be:

  1. User tries to save a changed password.
  2. A warning pops up with the note “Please make sure that you have exchanged the old password for the new one within the next ## minutes on ALL end devices, especially in the mail accounts. Otherwise, there is a risk that the implemented security features will prevent the further use of server functions.”
  3. Dialog to cancel (postpone the change) or confirm.
  4. Information Mail to Admin, that user YXZ changed his password to be aware issues with this account.
    best regards, Marko

Question is: is there any way to warn Fail2ban that the user has recently change the password for create some “grace time”?

Is there any kind of chance that some MITM attack could sweep the data for refining a brute-force attack?

I think no, we just grep a log faillure, whatever the name of the user. It is exact that we ban the connection to all services. Another approach could be to lock only the network ports used by the service to the remote connection, but I think it is not possible with the shorewall-ipset banaction we use.

I would suggest to change the user’s password either with a VPN or when he uses the LAN of the company.

1 Like