Old 08-09-2010, 12:38 AM
"Joseph L. Casale"
 
fail2ban behavior

I created a filter and verified it with fail2ban-regex against
actual lines in my log and it works. During restarts of fail2ban,
only some previous IPs get banned immediately whereas some need a
reoccurrence despite the jail's config specification of maxretry and
findtime suggesting the entries mandate blocking.

I'd assume the behavior after a restart is one way if it weren't for
the seemingly random immediate notification of blocks being different?

Anyone with experience using fail2ban know anything about this?

Thanks,
jlc
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 08-09-2010, 01:31 PM
JohnS
 
fail2ban behavior

On Mon, 2010-08-09 at 00:38 +0000, Joseph L. Casale wrote:
> I created a filter and verified it with fail2ban-regex against
> actual lines in my log and it works. During restarts of fail2ban,
> only some previous IPs get banned immediately whereas some need a
> reoccurrence despite the jail's config specification of maxretry and
> findtime suggesting the entries mandate blocking.
>
> I'd assume the behavior after a restart is one way if it weren't for
> the seemingly random immediate notification of blocks being different?
>
> Anyone with experience using fail2ban know anything about this?
>
> Thanks,
> jlc
---
Stop it at the Edge Router, not the machine. Adding layers of security
becomes problems like you are getting. Ban the IP block with iptables.

John

 
Old 08-09-2010, 01:58 PM
"Joseph L. Casale"
 
fail2ban behavior

>Stop it at the Edge Router, not the machine.

Fair enough, but now I have to manually scour the logs and
maintain a dynamic block list?

>Adding layers of security becomes problems like you are getting.

I agree, and if my edge router had the functionality to inspect
http requests I would

>Ban the IP block with iptables.

? That's what fail2ban is set up to do, as the email suggested it's
not restoring bans correctly on restarts.
 
Old 08-09-2010, 03:01 PM
JohnS
 
fail2ban behavior

On Mon, 2010-08-09 at 13:58 +0000, Joseph L. Casale wrote:

>
> ? That's what fail2ban is set up to do, as the email suggested it's
> not restoring bans correctly on restarts.
---

http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal
"Question about persistant IP bans over restart"

I think you need to adapt the example to CentOS/RH

John

 
Old 08-09-2010, 03:29 PM
"Joseph L. Casale"
 
fail2ban behavior

>http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal
>"Question about persistant IP bans over restart"
>
>I think you need to adapt the example to CentOS/RH

Yeah, I saw that one and implemented it. I think I have to rewrite
the action scripts my jails use. The odd part is the initial parsing
behavior on a real restart such as a reboot, it parses the logs and
only catches some of the total potential hosts that can trigger the
ban. Prolly just a bug...

Really, unless your ban time is shorter than your logrotate, or you
configure it to read some of the rotated logs, there is a problem with
maintaining the banlist on restarts if you don't do as the orig script
does and del the iptables rules when exiting. If the process sh!ts the
bed you still have an issue which wouldn't get cleared up until the
next restart, but with the parsing issue you're left with an incomplete
ruleset :/

Anyone know of a more elaborate app that does what fail2ban does but
maintains a better state in between restarts?

Thanks!
jlc
 
Old 08-09-2010, 03:48 PM
JohnS
 
fail2ban behavior

On Mon, 2010-08-09 at 15:29 +0000, Joseph L. Casale wrote:
> >http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal
> >"Question about persistant IP bans over restart"
> >
> >I think you need to adapt the example to CentOS/RH
>
> Yeah, I saw that one and implemented it. I think I have to rewrite
> the action scripts my jails use. The odd part is the initial parsing
> behavior on a real restart such as a reboot, it parses the logs and
> only catches some of the total potential hosts that can trigger the
> ban. Prolly just a bug...
>
> Really, unless your ban time is shorter than your logrotate, or you
> configure it to read some of the rotated logs, there is a problem with
> maintaining the banlist on restarts if you don't do as the orig script
> does and del the iptables rules when exiting. If the process sh!ts the
> bed you still have an issue which wouldn't get cleared up until the
> next restart, but with the parsing issue you're left with an incomplete
> ruleset :/
>
> Anyone know of a more elaborate app that does what fail2ban does but
> maintains a better state in between restarts?
---
Yeah, you seem to be right as that is what I got also and threw it in the
trash can.

I'm not telling you what to do, that is your business, but I say utilize
what is in the OS itself to do it. You can do a shell script to go
through the iptables logs and get the bad IPs, have it add to iptables
itself, then iptables-save. A lot less in size as compared to f2b also. Or
block all networks like China, Japan, India and so on. Can get these from
ICANN.

You're better off doing this at the core router level as it can be
done. As in blocking whole networks. Just thinking a buffer overflow
could trigger a clean log of f2b IPs. I think it's in the layering of
complexity that will get you in the end. A lot of log writing will
eventually kill the machine. Iptables can itself log at a rate of 100
- a burst of 150 TPS on a 10K Mirrored Array bringing it to its knees.
That is logging MulticastDNS.

John

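As an added example that is not part of this thread (neither poster's code): a small bash script that rebuilds the set of still-banned addresses from fail2ban's own log and emits the matching iptables DROP rules, which addresses Joseph's point about the banlist not surviving a restart and John's suggestion of a shell script that feeds iptables and iptables-save. It assumes the fail2ban 0.8-era log format with `[jail] Ban <ip>` / `[jail] Unban <ip>` lines, a plain INPUT-chain DROP rather than fail2ban's per-jail chains, and the sample log lines are constructed.

```bash
#!/bin/bash
# Added example, not from the thread: rebuild the ban list from fail2ban's
# own log so the iptables rules can be re-applied after a restart or reboot.
# Assumes the 0.8-era log format "... [jail] Ban 192.0.2.10" / "Unban ...".

# Constructed sample log: three bans, one of which was later unbanned,
# plus an unrelated filter line that must be ignored.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2010-08-09 00:12:34,567 fail2ban.actions: WARNING [apache-badbots] Ban 192.0.2.10
2010-08-09 00:15:01,001 fail2ban.actions: WARNING [ssh-iptables] Ban 198.51.100.7
2010-08-09 00:20:00,123 fail2ban.filter: INFO Log rotation detected for /var/log/httpd/access_log
2010-08-09 00:25:40,900 fail2ban.actions: WARNING [apache-badbots] Unban 192.0.2.10
2010-08-09 00:30:12,345 fail2ban.actions: WARNING [apache-badbots] Ban 203.0.113.44
EOF

# current_bans LOGFILE: print every IP that was banned and not later
# unbanned, one per line, sorted. Only the last field of a Ban/Unban line
# is used, and it must look like a dotted quad before it is trusted, so a
# malformed log line can never turn into a shell argument for iptables.
current_bans() {
  awk '
    / Ban /   && $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { banned[$NF] = 1 }
    / Unban / && $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { delete banned[$NF] }
    END { for (ip in banned) print ip }
  ' "$1" | sort
}

# restore_rules LOGFILE: one iptables DROP rule per still-banned IP.
# With APPLY=1 the rules are executed; otherwise they are only printed,
# so the set can be reviewed (or saved with iptables-save) first.
restore_rules() {
  current_bans "$1" | while IFS= read -r ip; do
    if [ "${APPLY:-0}" = 1 ]; then
      iptables -I INPUT -s "$ip" -j DROP
    else
      echo "iptables -I INPUT -s $ip -j DROP"
    fi
  done
}

# ban_count LOGFILE: number of IPs that would be restored.
ban_count() { current_bans "$1" | wc -l | tr -d ' '; }

restore_rules "$SAMPLE_LOG"
```

Point F2B_LOG-style input at the real `/var/log/fail2ban.log` (and the rotated copies, if bantime exceeds the rotation interval) and run with `APPLY=1` from an init script to re-apply the rules at boot.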
 
Old 08-09-2010, 03:53 PM
JohnS
 
fail2ban behavior

On Mon, 2010-08-09 at 13:58 +0000, Joseph L. Casale wrote:
> I agree, and if my edge router had the functionality to inspect
> http requests I would
---

Ahh, so is it really http requests you want to stop?

John

 
Old 08-09-2010, 04:05 PM
"Joseph L. Casale"
 
fail2ban behavior

>Or block all networks like China, Japan, India and so on. Can get these from
>ICANN.

Actually, that might just be enough, I know this site won't need access
from other than NA addresses which is an easy rule to build permanently.

Thanks,
jlc
 
Old 08-09-2010, 04:12 PM
JohnS
 
fail2ban behavior

On Mon, 2010-08-09 at 16:05 +0000, Joseph L. Casale wrote:
> >Or block all networks like China, Japan, India and so on. Can get these from
> >ICANN.
>
> Actually, that might just be enough, I know this site won't need access
> from other than NA addresses which is an easy rule to build permanently.
---
Plus when that fails you need a backup. So this is for Apache Yes/no?
Iptables just went into cardiac arrest! Is currently getting
nitroglycerin. Apache is still getting hammered?

John

 
Old 08-09-2010, 04:38 PM
JohnS
 
fail2ban behavior

On Mon, 2010-08-09 at 12:12 -0400, JohnS wrote:
> On Mon, 2010-08-09 at 16:05 +0000, Joseph L. Casale wrote:
> > >Or block all networks like China, Japan, India and so on. Can get these from
> > >ICANN.
> >
> > Actually, that might just be enough, I know this site won't need access
> > from other than NA addresses which is an easy rule to build permanently.
> ---
> Plus when that fails you need a backup. So this is for Apache Yes/no?
> Iptables just went into cardiac arrest! Is currently getting
> nitroglycerin. Apache is still getting hammered?
>
> John
---
I meant to say IANA in my other reply but said ICANN sorry for that.
You don't need to report anyone yet.
http://www.iana.org/numbers/

John
