On Thu, May 22, 2008 at 11:05 AM, Don Russell <fedora@xxxxxxxxxxxxxxxxxxxxx> wrote:
> On Thu, May 22, 2008 at 10:13 AM, Brian Jedsen <jedsen@xxxxxxxxx> wrote:
>> On Thu, 22 May 2008 09:42:11 -0700
>> "Don Russell" <fedora@xxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>>> I installed fail2ban and it seems to do a nice job of reporting
>>> people knocking at my door and shutting them down temporarily.
>>>
>>> Is there any doc on how I could add other "intruder detection".... :-)
>>> man fail2ban and info fail2ban come up dry. :-(
>>> The fedora project page doesn't have anything on it either:
>>> https://admin.fedoraproject.org/pkgdb/packages/name/fail2ban
>>>
>>> i.e. I have an application I run via xinetd.
>>>
>>> If the client tries to connect with the incorrect protocol, I just
>>> respond with a terse "wrong protocol" message and exit.
>>>
>>> My xinet logs show the same IP address connecting with the wrong
>>> protocol over and over... They're obviously "up to no good" :-).
>>>
>>> How can I "teach" fail2ban to block those people too?
>>>
>>> It's not a password violation.. there's no password on it... it's
>>> meant for public consumption, but only if you are using the correct
>>> protocol.
>>>
>>> I could do my own "blocking", but I'd like to use the tools that are
>>> already there.
>>>
>>> Thanks,
>>>
>> You'd have to set up a new jail along with a new filter and an action.
>> You could probably reuse the action from any of the other fail2ban
>> rules. The hard part would be finding the right regular expression that
>> matches these entries when fail2ban scans your logs.
>
> I was thinking more along the lines of creating log entries that
> fail2ban already recognizes...
>
> But, I don't think this will really have the desired effect anyway....
> right now fail2ban detects n number of unsuccessful login attempts and
> shuts them out. If I depend on log entries and fail2ban to scan them,
> that's not going to happen in real time.
>
> I was originally thinking if there were a way to tell fail2ban "here's
> an "event". If you get too many within x minutes, then lock them out
> for y minutes...
>
> i.e.
> So each time I detect that IP x.y.z.t connects to me with the wrong
> protocol, I send fail2ban a "message": "fail2ban --DoorKnocker
> x.y.z.t"
>
> and when fail2ban gets enough "Doorknocker" messages for the same IP,
> it blocks the IP the same way it does now for password attempts.
>
> hmmm, I should take this up with the fail2ban people.... that should
> be pretty easy to implement.

Ref: https://bugzilla.redhat.com/show_bug.cgi?id=448001
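
The jail, filter and reused action suggested in the quoted reply, as an added example that is not part of the original thread. It assumes the xinetd service writes one syslog line per rejected connection in the constructed format shown; the names doorknocker and myservice, the log path and port 12345 are hypothetical.

```ini
# Constructed sample of the line the service is assumed to log:
#   May 22 10:01:17 host myservice[2314]: wrong protocol from 192.0.2.10

# --- /etc/fail2ban/filter.d/doorknocker.conf (hypothetical filter) ---
[Definition]
# <HOST> is fail2ban's tag for the address to ban. The pattern is anchored
# at the end of the line, and the assumed log line contains nothing
# supplied by the client, so a remote peer cannot forge a match that
# names another address.
failregex = myservice\[\d+\]: wrong protocol from <HOST>\s*$
ignoreregex =

# --- /etc/fail2ban/jail.local (jail section; all values are assumptions) ---
[doorknocker]
enabled  = true
filter   = doorknocker
# File the service's syslog lines end up in (assumed).
logpath  = /var/log/messages
# Reuse the stock iptables action rather than writing a new one.
action   = iptables[name=doorknocker, port=12345, protocol=tcp]
# Ban an address for 600 s after 5 matching lines within 600 s.
maxretry = 5
findtime = 600
bantime  = 600
```

Running `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/doorknocker.conf` before enabling the jail shows how many existing log lines the filter matches.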