Jumping in near/at the end of this conversation...

On Sun, Nov 30, 2014 at 2:23 PM, Gavin Henry <[email protected]> wrote:
>
> On 30 Nov 2014 19:09, "Mike Hammett" <[email protected]> wrote:
>>
>> You can still withdraw the route advertisement.
>>
>> If you're attempting to gain access to my systems, you don't belong on my
>> network. No one other than my management should ever attempt to gain access
>> to my systems. The vast majority of the time it'll be script kiddies or
>> malware.

There are a myriad of reasons NOT to do this, but since you seem like you've thought through a few, I think you want to do something like:

0) set up quagga on your machine that does the logging, have it ibgp peer with your network gear (quagga - http://www.nongnu.org/quagga/)

1) set up an 'action script' to simply add the offending ip address(range/etc) and a timestamp for the event to a simple text file. (http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Actions)

2) have a cronjob cycle through the list, adding/removing offending ips to a list of static routes in quagga, you can do this with expect or you could simply update the on-disk configuration file for quagga and hup the daemon (which I think won't bounce the bgp sessions.. but you'd be best testing)

3) redistribute the static routes into BGP with some community the ibgp speakers can match and reset next-hop with.

I suggest the expect method so your config starts clean at each reboot, I think you'll also want to quality control some of the inputs to quagga's list, you might not want to blackhole yourself or other interesting things around the network.

-chris

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
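
A sketch of the cron step (2) with the input quality control suggested above, added here as an illustration and not part of the original message. The ban-file format (`<prefix> <unix-timestamp>`), the protected prefixes, the ban lifetime and the /24 breadth limit are all assumptions; the output is the list of Quagga static-route lines that an expect script or config rewrite would apply.

```python
import ipaddress

# Assumed policy values, not from the thread: adjust to your own network.
PROTECTED = [ipaddress.ip_network(n) for n in
             ("192.0.2.0/24", "10.0.0.0/8", "127.0.0.0/8")]  # own/management space
BAN_SECONDS = 3600      # how long an entry stays blackholed
MIN_PREFIXLEN = 24      # refuse anything broader than a /24

# Constructed sample of what the fail2ban action script might append.
SAMPLE = """198.51.100.23 999000
203.0.113.0/24 999900
192.0.2.10 999900
0.0.0.0/0 999900
198.51.100.99 990000
not-an-ip 999900
""".splitlines()

def parse_bans(lines, now):
    """Return the networks that are well-formed, unexpired and safe to blackhole."""
    wanted = set()
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue                      # malformed line
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
            stamp = float(parts[1])
        except ValueError:
            continue                      # not a prefix / not a timestamp
        if net.version != 4 or net.prefixlen < MIN_PREFIXLEN:
            continue                      # 'ip route' is IPv4; reject broad prefixes
        if any(net.overlaps(p) for p in PROTECTED):
            continue                      # never blackhole yourself
        if not 0 <= now - stamp < BAN_SECONDS:
            continue                      # expired or future-dated entry
        wanted.add(net)
    return wanted

def route_changes(installed, wanted):
    """Quagga config lines that move the installed static routes to the wanted set."""
    cmds = [f"no ip route {n} null0" for n in sorted(installed - wanted)]
    cmds += [f"ip route {n} null0" for n in sorted(wanted - installed)]
    return cmds
```
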
