https://bugs.contribs.org/show_bug.cgi?id=10422
Bug ID: 10422
Summary: NFR: portscan jail
Classification: Contribs
Product: SME Contribs
Version: 9.2
Hardware: ---
OS: ---
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: smeserver-fail2ban
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
Target Milestone: ---
Created attachment 5987
--> https://bugs.contribs.org/attachment.cgi?id=5987&action=edit
91Portscan
I'd like to have a portscan jail for fail2ban.
I've implemented this on my own server and it seems to be working -- but the
way I've done so means that almost every banned host is detected as a portscan
as soon as fail2ban blocks it.
That is, portscan looks for 'denylog' entries in /var/log/iptables/current -
which *does* find actual port scans, but which at present also finds any access
attempts from hosts that have been banned by fail2ban.
I feel like a complete solution would require creating a separate
'fail2ban-denied' chain in iptables, then updating
/etc/e-smith/templates/etc/rc.d/init.d/masq/90AdjustFail2Ban to use that
instead of 'denylog' so that access attempts blocked by fail2ban itself do not
generate false positives in 'portscan'.
Anyway, the files attached enable a portscan jail in fail2ban:
- download 91Portscan to /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/
- download portscan.conf to /etc/fail2ban/filter.d
- signal-event fail2ban-conf
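
Added example, not part of the original report or its attachments: a Python sketch of the false positive described above, using fail2ban-style counting (maxretry hits inside findtime) over constructed log lines. The log layout, the addresses, the ports, the thresholds and the idea that the proposed 'fail2ban-denied' chain would log under its own prefix are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines: "<epoch seconds> <prefix>:<iptables LOG fields>".
# The real layout of /var/log/iptables/current may differ; only the prefix matters here.
def make_log(ban_prefix):
    lines = []
    # 198.51.100.7 probes six different ports: a real scan caught by the firewall's deny rule.
    for i, port in enumerate((21, 23, 25, 110, 143, 3389)):
        lines.append(f"{1000 + i} denylog:IN=eth1 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT={port}")
    # 203.0.113.9 was already banned by another jail and keeps retrying one port.
    # ban_prefix is the log prefix used for packets dropped because of that ban.
    for i in range(6):
        lines.append(f"{1010 + i} {ban_prefix}:IN=eth1 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=22")
    return lines

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<prefix>[\w-]+):.*?\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b"
)

def portscan_hosts(lines, prefix="denylog", maxretry=5, findtime=600):
    """Return hosts with >= maxretry lines carrying `prefix` within findtime seconds."""
    hits = defaultdict(list)
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["prefix"] != prefix:
            continue  # not a line the portscan filter would match
        ts = int(m["ts"])
        # Keep only hits still inside the sliding window, then add this one.
        window = [t for t in hits[m["src"]] if ts - t < findtime] + [ts]
        hits[m["src"]] = window
        if len(window) >= maxretry:
            flagged.add(m["src"])
    return flagged

if __name__ == "__main__":
    # Current behaviour: banned hosts are logged as 'denylog' and look like scanners.
    print(sorted(portscan_hosts(make_log("denylog"))))
    # Proposed behaviour: bans log under their own prefix, so only the scanner is flagged.
    print(sorted(portscan_hosts(make_log("fail2ban-denied"))))
```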