Added to the SVN with revision 7428... http://sourceforge.net/p/astlinux/code/7428/
Lonnie

On Dec 25, 2015, at 10:12 PM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:

> David,
>
> Without proof, I'm thinking the IKE exchange type of 37 and 243 are just a
> signature of a bot probing the IKE negotiation, something like SIPVicious and
> its 'friendly-scanner' User-Agent.
>
> The exchange types of 37 and 243 seem completely arbitrary to me.
>
> Given that, while it probably doesn't add much (if any) security to ban these
> probes, it may provide some comfort (fewer logs) and is straight-forward to
> do.
>
> So, I'll add a "racoon" filter option that will ban any IP that generates a
> "ERROR: Invalid exchange type" regardless of the exchange type number.
>
> It is a relatively simple addition and is not enabled by default, so why not.
> Seems of common interest while googling.
>
> Lonnie
>
>
> On Dec 25, 2015, at 9:06 AM, David Kerr <da...@kerr.net> wrote:
>
>> Thanks Lonnie. Google found this...
>> http://serverfault.com/questions/579648/custom-filter-for-fail2ban
>> so someone else ran into the same issue and basically added a filter to
>> /etc/fail2ban. Do we have an equivalent?
>>
>> I'm going to be away for next week plus... so won't be able to do anything
>> for a while. In the meantime they have no respect for the holidays and have
>> started trying from a different IP...
>>
>> Dec 25 05:44:47 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].
>> Dec 25 05:45:01 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].
>> Dec 25 05:45:16 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].
>> Dec 25 05:45:25 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].
>>
>> Thanks
>> David
>>
>> On Fri, Dec 25, 2015 at 9:37 AM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>> Merry Christmas David,
>>
>> +1 to Michael's answer.
>>
>> Here is the same topic for pfSense...
>>
>> Topic: Somebody hacking my IPsec VPN?
>> https://forum.pfsense.org/index.php?topic=39044.0
>>
>> Topic: Banning or throttling users making invalid connection attempts?
>> https://forum.pfsense.org/index.php?topic=72640.0
>> (Unfortunately without any replies)
>>
>> So you are not alone, we could consider adding a "racoon" filter type to
>> Adaptive ban. The first concern is to make sure it is useful in practice
>> and not subject to false-banning for normal use.
>>
>> Possibly a look at the latest Fail2Ban to see if "racoon" has been added.
>> And if not wonder why.
>>
>> Clearly if you use a certificate for your IPsec server then you should be
>> good, but I understand the added logs are annoying.
>>
>> Lonnie
>>
>>
>> On Dec 24, 2015, at 11:24 PM, David Kerr <da...@kerr.net> wrote:
>>
>>> Firstly happy Christmas to all.
>>>
>>> Now my question, should adaptive ban pick up on the following? I'm getting
>>> attacked again but neither of these IPs are getting added to the ban list.
>>> As far as I can tell the adaptive ban plugin is active...
>>>
>>> ENABLED=1
>>> ADAPTIVE_BAN_FILE="/var/log/messages"
>>> ADAPTIVE_BAN_TIME=90
>>> ADAPTIVE_BAN_COUNT=3
>>> ADAPTIVE_BAN_TYPES="sshd asterisk lighttpd"
>>>
>>> Dec 23 20:40:09 pbx daemon.info racoon: ERROR: Invalid exchange type 37 from 129.192.165.10[4500].
>>> Dec 23 20:40:14 pbx daemon.info
>>> ...
>>
>>> Dec 24 20:57:35 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 101.165.98.245[500].
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Astlinux-users mailing list
>> Astlinux-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to
>> pay...@krisk.org.
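The filter idea discussed in this thread, as an added example that is not the AstLinux adaptive-ban code or anything posted by the participants: match racoon's "Invalid exchange type" error for any type number and report source IPs that reach a threshold. The name `find_offenders`, its parameters, the sliding-window reading of the count and time settings, and the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches racoon's error for any exchange type number; captures the peer IP.
RACOON_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s\S+\s"
    r"racoon: ERROR: Invalid exchange type \d+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\[\d+\]\.\s*$"
)

def find_offenders(lines, count=3, window=90, year=2015):
    """Return IPs with at least `count` matching lines within `window` seconds.

    Treating the two settings as a sliding window is an assumption made here,
    not a statement about how the adaptive ban plugin interprets them.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = []
    for line in lines:
        m = RACOON_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; supplying one is an assumption.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()           # drop hits that fell out of the window
        if len(q) >= count and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned

# Constructed sample log: documentation-range addresses, line format as in the thread.
SAMPLE = """\
Dec 25 05:44:47 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 203.0.113.7[500].
Dec 25 05:45:01 pbx daemon.info racoon: ERROR: Invalid exchange type 37 from 203.0.113.7[4500].
Dec 25 05:45:02 pbx auth.info sshd[411]: Accepted publickey for root from 192.0.2.9 port 50122 ssh2
Dec 25 05:45:16 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 203.0.113.7[500].
Dec 25 05:46:00 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 198.51.100.4[500].
Dec 25 05:50:00 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 198.51.100.4[500].
Dec 25 05:54:00 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 198.51.100.4[500].
Dec 25 05:54:05 pbx daemon.info racoon: INFO: respond new phase 1 negotiation: 192.0.2.1[500]<=>192.0.2.50[500]
""".splitlines()

if __name__ == "__main__":
    print(find_offenders(SAMPLE))
```

Because IKE runs over UDP, the source address in these log lines can be forged, so a whitelist for known VPN peers is worth having before acting on the result.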