On 10/2/2014 7:19 AM, Bill Shirley wrote:
On 9/27/2014 12:47 PM, Laurent wrote:
On 25/09/2014 19:21, Martin Menzel wrote:
In my special case I use fail2ban in the inverse sense. As long as I
keep getting a special event within a given interval, the firewall
should be kept open, and if no event is detected for longer than the "ban"
interval, the firewall is closed again.
Hi!
I really don't know if fail2ban is the proper tool to achieve that...
Maybe you should look towards "port knocking", which seems to be better
suited to your needs.
------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
I am using fail2ban to populate an ipset and using iptables to DROP traffic in
the ipset (from iptables -t filter):
DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set fail2ban-IpPort src,dst /* flagged by fail2ban */
Looks like you could just reverse this with:
ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set fail2ban-IpPort src,dst /* flagged by fail2ban */
DROP all -- * * 0.0.0.0/0 0.0.0.0/0
My ipset define command (in Shorewall init) is:
ipset -exist create fail2ban-IpPort hash:ip,port timeout 3600
With the timeout option, the kernel automagically removes the entry when it
expires.
On entry update, the new timeout value is used.
My jail (my_ipset_ipport2 and 3 are just symlinks to my_ipset_ipport):
[postfix-sasl]
#enabled = false
enabled = true
filter = sasl
action = my_ipset_ipport[port=smtp, bantime=3600]
         my_ipset_ipport2[port=smtps, bantime=3600]
         my_ipset_ipport3[port=submission, bantime=3600]
logpath = /var/log/maillog
maxretry = 3
bantime = 3600
I use my own fail2ban action since I don't want the iptables entry removed.
cat /etc/fail2ban/action.d/my_ipset_ip.conf:
# from iptables-ipset-proto6.conf
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
actioncheck =
actionstart =
actionstop =
actionban = ipset -exist add fail2ban-<name> <ip> timeout <bantime>
#actionunban = ipset -exist del fail2ban-<name> <ip>
actionunban =
[Init]
name = Ip
port = ssh
protocol = tcp
bantime = 3600
Modify the above if you want to ban an IP address instead of an IP/port
combination.
Here's a start:
ipset -exist create fail2ban-Ip hash:ip timeout 86400
Hope this helps,
Bill
Arrg, I mixed my two examples. The action should be:
cat /etc/fail2ban/action.d/my_ipset_ipport.conf:
# from iptables-ipset-proto6.conf
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
actioncheck =
actionstart =
actionstop =
actionban = ipset -exist add fail2ban-<name> <ip>,<protocol>:<port> timeout <bantime>
#actionunban = ipset -exist del fail2ban-<name> <ip>,<protocol>:<port>
actionunban =
[Init]
name = IpPort
port = http
protocol = tcp
bantime = 3600
Bill
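As an added worked example (not part of this thread and not fail2ban's own code), the following Python script models the two pieces Bill's setup relies on: a jail that runs `ipset -exist add ... timeout <bantime>` once an IP hits maxretry, and a hash:ip,port set whose entries the kernel drops when their timeout runs out, with `-exist` on an existing entry replacing the remaining lifetime. It then applies Bill's DROP-members rule and Martin's reversed ACCEPT-members/DROP-everything-else rule to that set. Everything not in the thread is an assumption: the maillog lines are constructed, the SASL regex is a simplified stand-in for the sasl filter, the ports are numeric, findtime is fail2ban's default of 600 seconds, and the model does not rerun actionban for an IP fail2ban already holds as banned. The second run, with a jail bantime (60 s) much shorter than the set timeout, is the tweak the inverse use would need: fail2ban forgets the ban quickly, a fresh burst of events reruns actionban, and the set entry's lifetime is pushed out again instead of expiring at the original deadline.

```python
import re
from datetime import datetime

# Jail settings as in Bill's [postfix-sasl] jail; FINDTIME is fail2ban's
# default because the thread does not set one (assumption).
MAXRETRY = 3
BANTIME = 3600
FINDTIME = 600
SET_NAME = "fail2ban-IpPort"
PROTO = "tcp"
PORTS = (25, 465, 587)      # smtp, smtps, submission as numbers (assumption)
LOG_YEAR = 2014             # syslog lines carry no year (assumption)

# Simplified stand-in for fail2ban's sasl filter regex (assumption).
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"[-._\w]+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: SASL (?:LOGIN|PLAIN) authentication failed"
)

# Constructed maillog excerpt, not a real log: one burst at 12:00, one at 12:50.
SAMPLE_MAILLOG = """\
Sep 27 12:00:01 mx postfix/smtpd[1001]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Sep 27 12:00:05 mx postfix/smtpd[1001]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Sep 27 12:00:09 mx postfix/smtpd[1001]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Sep 27 12:00:30 mx postfix/smtpd[1002]: connect from mail.example.net[198.51.100.7]
Sep 27 12:50:00 mx postfix/smtpd[1003]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Sep 27 12:50:02 mx postfix/smtpd[1003]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Sep 27 12:50:04 mx postfix/smtpd[1003]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
""".splitlines()


def parse_ts(ts):
    """Syslog timestamp -> epoch seconds, treated as UTC so no timezone is involved."""
    dt = datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")
    return int((dt - datetime(1970, 1, 1)).total_seconds())


class IpSet:
    """In-memory model of `ipset create NAME hash:ip,port timeout N`."""

    def __init__(self):
        self.expiry = {}     # (ip, proto, port) -> epoch at which the kernel drops it

    def add_exist(self, ip, proto, port, timeout, now):
        # `-exist add ... timeout T` on an existing entry replaces its remaining
        # lifetime; that is the "on entry update" behaviour Bill relies on.
        self.expiry[(ip, proto, port)] = now + timeout

    def test(self, ip, proto, port, now):
        exp = self.expiry.get((ip, proto, port))
        return exp is not None and now < exp


def verdict(ipset, src_ip, dst_port, now, inverse=False):
    """Bill's rule: DROP members. Martin's inverse: ACCEPT members, DROP the rest."""
    member = ipset.test(src_ip, PROTO, dst_port, now)
    if inverse:
        return "ACCEPT" if member else "DROP"
    return "DROP" if member else "ACCEPT"


class Jail:
    """Minimal model of a fail2ban jail driving Bill's my_ipset_ipport action."""

    def __init__(self, ipset, jail_bantime, set_timeout):
        self.ipset = ipset
        self.jail_bantime = jail_bantime    # how long fail2ban itself remembers the ban
        self.set_timeout = set_timeout      # <bantime> handed to ipset by actionban
        self.failures = {}                  # ip -> failure times inside findtime
        self.banned_until = {}              # fail2ban's own ban list
        self.commands = []                  # actionban commands it would run

    def feed(self, line):
        m = SASL_FAIL.match(line)
        if not m:
            return None
        now, ip = parse_ts(m["ts"]), m["ip"]
        if ip in self.banned_until and now >= self.banned_until[ip]:
            del self.banned_until[ip]      # unban; actionunban is empty, set untouched
        hits = [t for t in self.failures.get(ip, []) if now - t <= FINDTIME] + [now]
        self.failures[ip] = hits
        if len(hits) < MAXRETRY:
            return None
        self.failures[ip] = []
        if ip in self.banned_until:
            return "already banned"        # model: no second actionban while banned
        self.banned_until[ip] = now + self.jail_bantime
        for port in PORTS:
            self.commands.append(
                f"ipset -exist add {SET_NAME} {ip},{PROTO}:{port} timeout {self.set_timeout}")
            self.ipset.add_exist(ip, PROTO, port, self.set_timeout, now)
        return "ban"


def simulate(jail_bantime, set_timeout=BANTIME):
    """Run the sample log through a jail; returns (jail, ipset, per-line outcomes)."""
    ipset = IpSet()
    jail = Jail(ipset, jail_bantime, set_timeout)
    outcomes = [jail.feed(line) for line in SAMPLE_MAILLOG]
    return jail, ipset, outcomes


if __name__ == "__main__":
    at = parse_ts("Sep 27 13:20:00")
    for jb in (BANTIME, 60):
        jail, ipset, _ = simulate(jb)
        print(f"jail bantime {jb}: {len(jail.commands)} ipset commands; inverse verdict "
              f"for 192.0.2.10:25 at 13:20 = {verdict(ipset, '192.0.2.10', 25, at, inverse=True)}")
```

Run it as `python3 ipset_model.py` (name assumed). With the jail bantime equal to the set timeout, the 12:50 burst is reported as "already banned", nothing is re-added, and the entry expires at 13:00:09; with the 60 s jail bantime the same burst reruns actionban and the entry now lives until 13:50:04, which in Martin's reversed rule set is the difference between the port being open or closed at 13:20.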