On Thu, May 22, 2008 at 10:13 AM, Brian Jedsen <jedsen@xxxxxxxxx> wrote:
> On Thu, 22 May 2008 09:42:11 -0700
> "Don Russell" <fedora@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
>> I installed fail2ban and it seems to do a nice job of reporting
>> people knocking at my door and shutting them down temporarily.
>>
>> Is there any doc on how I could add other "intruder detection".... :-)
>> man fail2ban and info fail2ban come up dry. :-(
>> The fedora project page doesn't have anything on it either:
>> https://admin.fedoraproject.org/pkgdb/packages/name/fail2ban
>>
>> i.e. I have an application I run via xinetd.
>>
>> If the client tries to connect with the incorrect protocol, I just
>> respond with a terse "wrong protocol" message and exit.
>>
>> My xinetd logs show the same IP address connecting with the wrong
>> protocol over and over... They're obviously "up to no good" :-).
>>
>> How can I "teach" fail2ban to block those people too?
>>
>> It's not a password violation.. there's no password on it... it's
>> meant for public consumption, but only if you are using the correct
>> protocol.
>>
>> I could do my own "blocking", but I'd like to use the tools that are
>> already there.
>>
>> Thanks,
>>
> You'd have to set up a new jail along with a new filter and an action.
> You could probably reuse the action from any of the other fail2ban
> rules. The hard part would be finding the right regular expression that
> matches these entries when fail2ban scans your logs.

I was thinking more along the lines of creating log entries that fail2ban already recognizes... But, I don't think this will really have the desired effect anyway.... right now fail2ban detects n number of unsuccessful login attempts and shuts them out. If I depend on log entries and fail2ban to scan them, that's not going to happen in real time.

I was originally thinking if there were a way to tell fail2ban "here's an "event". If you get too many within x minutes, then lock them out for y minutes..." i.e.

So each time I detect that IP x.y.z.t connects to me with the wrong protocol, I send fail2ban a "message": "fail2ban --DoorKnocker x.y.z.t" and when fail2ban gets enough "DoorKnocker" messages for the same IP, it blocks the IP the same way it does now for password attempts.

hmmm, I should take this up with the fail2ban people.... that should be pretty easy to implement. I wonder if others would think it useful...

Thanks for the feedback.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
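The jail-plus-filter approach Brian describes, worked through as an added example that is not part of the thread: the `failregex` line is what would go in a fail2ban filter file, and the sliding-window count reproduces what fail2ban's `maxretry`/`findtime` jail options do when scanning the log. The service name `doorsvc`, the log line format and the IP addresses are all constructed assumptions, since the thread shows no actual log entries.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (hypothetical format and service name);
# they stand in for what the xinetd-launched service would log.
SAMPLE_LOG = """\
May 22 10:01:03 host doorsvc[4211]: wrong protocol from 203.0.113.7
May 22 10:01:09 host doorsvc[4212]: wrong protocol from 203.0.113.7
May 22 10:01:15 host doorsvc[4213]: wrong protocol from 203.0.113.7
May 22 10:02:40 host doorsvc[4214]: wrong protocol from 198.51.100.9
May 22 10:09:55 host doorsvc[4215]: wrong protocol from 198.51.100.9
May 22 10:30:01 host doorsvc[4216]: wrong protocol from 198.51.100.9
"""

# As it would appear in a fail2ban filter file (e.g. filter.d/doorsvc.conf):
#   failregex = doorsvc\[\d+\]: wrong protocol from <HOST>$
# fail2ban replaces <HOST> with its own host-matching group; we use an IPv4 group here.
FAILREGEX = r"doorsvc\[\d+\]: wrong protocol from <HOST>$"
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
                     + FAILREGEX.replace("<HOST>", HOST_GROUP))

def parse_ts(stamp, year=2008):
    """Syslog timestamps carry no year; assume one so lines can be compared."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def match_host(line):
    """Return the offending host for a matching line, or None (like failregex)."""
    m = LINE_RE.search(line)
    return m.group("host") if m else None

def offenders(log_text, maxretry=3, findtime=600):
    """Hosts that match failregex at least maxretry times within findtime seconds,
    in the order they would be banned (fail2ban's jail semantics)."""
    recent = defaultdict(deque)   # host -> timestamps inside the window
    banned = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_ts(m.group("ts"))
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:   # drop stale hits
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```

With the default 10-minute `findtime` only the host hammering the service gets banned; the slow one is only caught when the window is widened, which is the trade-off the `findtime` option sets.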