Package: fail2ban
Version: 0.8.1-1
Severity: wishlist
Tags: patch
--- Please enter the report below this line. ---
fail2ban generates rules for iptables matching only the port, for example:
-A INPUT -p tcp -m multiport --dports 22,115 -j fail2ban-ssh
This is bad, and can result in a nice DoS for NATed users: if two users
share the same IP and one fails 3 times to log in, then all connections
(including already established ones) are banned.
Proposed solution: filter only SYN packets, so that established
connections are not affected, only new ones (patch attached for
iptables-multiport; the same solution could be applied to other actions as
well).
Regards,
Pierre
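The NAT scenario from the report, modelled as an added example (not part of the bug report and not fail2ban code): a small Python model of the iptables match options the attached patch uses (-p, -m multiport --dports, --syn, -m state --state NEW) run over constructed packets from one shared NAT address. The packet and rule classes, the traffic sample and the address 203.0.113.10 are all assumptions made for the example.

```python
"""Model of which packets the fail2ban INPUT rule sends into fail2ban-<name>.

Added example, not code from the bug report or from fail2ban. It imitates
the matching semantics of the iptables options used in the attached patch
so the shared-NAT problem can be seen without touching a firewall.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                       # "tcp" or "udp"
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"}
    ctstate: str = "NEW"             # conntrack state seen by -m state


@dataclass(frozen=True)
class Rule:
    """One INPUT rule: -p <proto> -m multiport --dports <dports> [...]"""
    proto: str
    dports: frozenset
    syn_only: bool = False           # --syn
    new_only: bool = False           # -m state --state NEW

    def __post_init__(self):
        # iptables rejects --syn unless the tcp match is loaded (-p tcp);
        # mirror that so a udp rule with --syn fails here as it would there.
        if self.syn_only and self.proto != "tcp":
            raise ValueError("--syn is only valid together with -p tcp")

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto or pkt.dport not in self.dports:
            return False
        # --syn means SYN set and ACK, RST, FIN clear (tcp match semantics)
        if self.syn_only:
            if "SYN" not in pkt.flags or pkt.flags & {"ACK", "RST", "FIN"}:
                return False
        if self.new_only and pkt.ctstate != "NEW":
            return False
        return True


def jumped_to_chain(rule: Rule, packets) -> list:
    """Packets the INPUT rule diverts into the fail2ban-<name> chain."""
    return [p for p in packets if rule.matches(p)]


def dropped_by_ban(rule: Rule, banned: set, packets) -> list:
    """Packets the ban actually stops: they must first be jumped into the
    chain by the INPUT rule, and then carry a banned source address."""
    return [p for p in jumped_to_chain(rule, packets) if p.src in banned]


PORTS = frozenset({22, 115})
PORT_ONLY = Rule("tcp", PORTS)                                  # current rule
SYN_NEW = Rule("tcp", PORTS, syn_only=True, new_only=True)      # patched rule

# Constructed traffic from one NAT gateway shared by two users.
NAT_IP = "203.0.113.10"
TRAFFIC = [
    Packet(NAT_IP, "tcp", 22, frozenset({"SYN"}), "NEW"),           # new login
    Packet(NAT_IP, "tcp", 22, frozenset({"ACK"}), "ESTABLISHED"),   # open session
    Packet(NAT_IP, "tcp", 80, frozenset({"ACK"}), "ESTABLISHED"),   # unrelated port
    Packet("198.51.100.7", "tcp", 22, frozenset({"SYN"}), "NEW"),   # other client
]


def summary(rule: Rule, banned: set) -> list:
    """Human-readable list of what a ban on `banned` drops under `rule`."""
    return [f"{p.src}:{p.dport} {p.ctstate}" for p in dropped_by_ban(rule, banned, TRAFFIC)]


if __name__ == "__main__":
    print("port-only rule drops:", summary(PORT_ONLY, {NAT_IP}))
    print("--syn/NEW rule drops:", summary(SYN_NEW, {NAT_IP}))
```

With the port-only rule the established session of the second user behind the NAT is dropped along with the failed login attempts; with the patched rule only the new SYN from the banned address is stopped, and the established session keeps running.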
--- System information. ---
Architecture: amd64
Kernel: Linux 2.6.21-2-amd64
Debian Release: lenny/sid
500 unstable ftp2.fr.debian.org
--- Package information. ---
Depends (Version) | Installed
=============================-+-===========
python-central (>= 0.5.8) | 0.5.14
python (>= 2.4) | 2.4.4-6
iptables | 1.3.8.0debian1-1
lsb-base (>= 2.0-7) | 3.1-24
--- iptables-multiport.conf 2007-05-19 13:04:58.000000000 +0200
+++ iptables-multiport-inl.conf 2007-08-20 18:01:49.000000000 +0200
@@ -13,13 +13,13 @@
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
- iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ iptables -I INPUT -p <protocol> -m multiport --dports <port> --syn -m state --state NEW -j fail2ban-<name>
# Option: actionend
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> --syn -m state --state NEW -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
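Review bot: `--syn` belongs to the tcp match and iptables rejects it unless `-p tcp` is in effect, yet both changed lines keep the templated `-p <protocol>`; an action instance configured with a UDP protocol would fail to insert the INPUT rule in actionstart. Either document that this action file is TCP-only, or drop `--syn` and keep just `-m state --state NEW`, which already limits the jump to new connections for TCP and also works for UDP. The actionstop line correctly repeats the new match exactly, which `-D` needs in order to find and delete the rule.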