Re: extending fail2ban

On Thu, May 22, 2008 at 10:13 AM, Brian Jedsen <jedsen@xxxxxxxxx> wrote:
> On Thu, 22 May 2008 09:42:11 -0700
> "Don Russell" <fedora@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
>> I installed fail2ban and it seems to do a nice job of reporting
>> people knocking at my door and shutting them down temporarily.
>>
>> Is there any doc on how I could add other "intruder detection".... :-)
>> man fail2ban and info fail2ban come up dry. :-(
>> The fedora project page doesn't have anything on it either:
>>  https://admin.fedoraproject.org/pkgdb/packages/name/fail2ban
>>
>> i.e. I have an application I run via xinetd.
>>
>> If the client tries to connect with the incorrect protocol, I just
>> respond with a terse "wrong protocol" message and exit.
>>
>> My xinet logs show the same IP address connecting with the wrong
>> protocol over and over... They're obviously "up to no good" :-).
>>
>> How can I "teach" fail2ban to block those people too?
>>
>> It's not a password violation.. there's no password on it... it's
>> meant for public consumption, but only if you are using the correct
>> protocol.
>>
>> I could do my own "blocking", but I'd like to use the tools that are
>> already there.
>>
>> Thanks,
>>
> You'd have to set up a new jail along with a new filter and an action.
> You could probably reuse the action from any of the other fail2ban
> rules. The hard part would be finding the right regular expression that
> matches these entries when fail2ban scans your logs.

I was thinking more along the lines of creating log entries that
fail2ban already recognizes...

But, I don't think this will really have the desired effect anyway....
right now fail2ban detects n number of unsuccessful login attempts and
shuts them out. If I depend on log entries and fail2ban to scan them,
that's not going to happen in real time.

I was originally thinking if there were a way to tell fail2ban "here's
an "event". If you get too many within x minutes, then lock them out
for y minutes...

i.e.
So each time I detect that IP x.y.z.t connects to me with the wrong
protocol, I send fail2ban a "message": "fail2ban --DoorKnocker
x.y.z.t"

and when fail2ban gets enough "Doorknocker" messages for the same IP,
it blocks the IP the same way it does now for password attempts.

hmmm, I should take this up with the fail2ban people.... that should
be pretty easy to implement.

I wonder if others would think it useful...

Thanks for the feedback.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
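The jail-plus-filter approach Brian describes comes down to three things: a failregex with a `<HOST>` placeholder that picks the client IP out of each log line, a per-IP count of matches inside a sliding `findtime` window, and a ban once that count reaches `maxretry`. The script below is an added example, not code from the thread or from the fail2ban project: it reads a hypothetical `filter.d`-style definition, expands `<HOST>` with a simplified IPv4-only pattern (real fail2ban uses a more permissive expression that also accepts hostnames and IPv6), scans constructed xinetd-style log lines for the "wrong protocol" message, and reports which addresses would be banned. The log format, the application name `myapp`, the 2008 year used for timestamps, and the thresholds are all assumptions made for the example.

```python
import re
import configparser
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical filter definition in the layout of a fail2ban filter.d/*.conf
# file. The message text is constructed for this example; the real
# application's log line would have to be checked before writing the regex.
FILTER_CONF = """
[Definition]
failregex = wrong protocol from <HOST>$
ignoreregex =
"""

# Constructed xinetd-style log lines: one address retries with the wrong
# protocol in quick succession, another only twice half an hour later.
SAMPLE_LOG = """\
May 22 10:01:02 host myapp[1234]: wrong protocol from 203.0.113.7
May 22 10:01:05 host myapp[1235]: wrong protocol from 203.0.113.7
May 22 10:01:09 host myapp[1236]: OK protocol v2 from 198.51.100.3
May 22 10:01:40 host myapp[1237]: wrong protocol from 203.0.113.7
May 22 10:05:00 host myapp[1238]: wrong protocol from 203.0.113.7
May 22 10:30:00 host myapp[1239]: wrong protocol from 192.0.2.9
May 22 10:31:00 host myapp[1240]: wrong protocol from 192.0.2.9
"""

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only;
# the real expansion also matches hostnames and IPv6 literals).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Syslog-style timestamp at the start of each line ("May 22 10:01:02").
TIMESTAMP_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def load_failregex(conf_text):
    """Parse the [Definition] section and compile failregex with <HOST> expanded."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    pattern = cp["Definition"]["failregex"].replace("<HOST>", HOST_RE)
    return re.compile(pattern)


def parse_events(log_text, failregex, year=2008):
    """Return a list of (timestamp, ip) for every line the failregex matches.

    Syslog lines carry no year, so one is supplied (assumption: 2008).
    """
    events = []
    for line in log_text.splitlines():
        m_ts = TIMESTAMP_RE.match(line)
        m_fail = failregex.search(line)
        if m_ts and m_fail:
            ts = datetime.strptime(f"{year} {m_ts['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m_fail["host"]))
    return events


def find_bans(events, maxretry=3, findtime=600):
    """Sliding-window count per IP, mirroring fail2ban's maxretry/findtime.

    Returns {ip: time_of_ban} for each IP whose matches reach maxretry
    within findtime seconds. Events are processed in timestamp order.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    bans = {}
    for ts, ip in sorted(events):
        if ip in bans:
            continue  # already banned; fail2ban would not count further hits
        # Keep only the hits still inside the window, then add this one.
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    regex = load_failregex(FILTER_CONF)
    events = parse_events(SAMPLE_LOG, regex)
    for ip, when in find_bans(events).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults (`maxretry=3`, `findtime=600`) only 203.0.113.7 is reported, at its third hit; 192.0.2.9 never reaches the threshold. Tightening the window to a minute and the threshold to two hits catches both. Since this mirrors fail2ban's log-scanning path, the delay between a line being written and the ban being applied is bounded by how often the log is polled, which is the latency the thread is discussing.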
