Hi Denis,

> So I'm in searching some like IP reputation.

That idea crossed my mind so many times. But then you would have to process all your "findings" with your reputation score logic and then let fail2ban know what to do: ban or whitelist. With every request you would be recalculating the score of every IP that just sent a request. Under high load that might be an issue. Also, implementing that kind of reputation scoring system might not be as challenging as making sure it works as expected. I think it will not take that much time for the attacker to figure out how to make their way onto the good-users list.

Have you tried looking (or adding, if you can) in your logs for something more definitive and more specific to your application (e.g. HTTP headers: filter by http_status/app_version/session_id etc.)? As in: if a request is sent without an app_version header, or the status is 444, or session_id is missing, then ban on first appearance.

Best regards,
Roman

On Thu, Aug 18, 2022 at 8:00 PM Denis <d...@oxip.me> wrote:
> Hello.
>
> Yes. Port knocking logic is very close to what I need.
> Now I do a virtual-whitelist jail with actionban = ACCEPT.
> And failregex = good request.
> So if a user sends a good request it is added to the whitelist, and for the next bantime it will
> not be rejected.
> But:
> The user is in fact added to 2 ipsets (whitelist and ban jail).
> My whitelist is awfully big (because every good user is in it).
> The f2b log has a lot of "already banned" lines (because the user is allowed by the
> whitelist but can still send bad requests).
>
> So I'm searching for something like IP reputation.
>
> IP req matched 2 times as fail, and 5 times as good. Sum is +3. OK.
> IP req matched 10 times as fail and 0 as good. Sum -10. Ban.
>
> Thu, 18 Aug 2022, 19:23 Philip Clarke <n...@bouncing.org>:
>
>> Have you considered doing port knocking for your users? They point a web
>> browser to a location, it registers the request, and that IP is given a pass
>> for fail2ban or iptables. A simple listening script would suffice, either
>> implementing an "Unban" if locked out, or possibly some genius with iptables
>> could skip the whole thing and code it in a one-liner :)
>>
>> On 18 Aug 2022, at 10:33, Denis <d...@oxip.me> wrote:
>>
>> Hello.
>>
>> Unfortunately users have dynamic IPs and there are a lot of users. I can't
>> manually add every one.
>> On 16.08.2022 23:39, Roman Pikalo wrote:
>>
>> One of the options would be to use "ignoreip" in your jail configuration to
>> ignore certain IPs or even subnets. Of course that means that you have that IP
>> list.
>>
>> -----
>> Roman
>>
>> On Mon, Aug 15, 2022 at 11:04 AM Denis <d...@oxip.me> wrote:
>>
>>> Hello.
>>>
>>> I configured f2b for a strict enough policy.
>>>
>>> Some normal users can be banned with a false positive.
>>>
>>> Is it possible to skip banning if the user has good requests within findtime?
>>> (not lines with ignoreregex, but adding the IP's reputation)
>>>
>>> Or decrease the IP's bad count if it gets a good request? (goodregex?)
>>>
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> Fail2ban-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
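Denis's scoring idea (sum good and bad matches per IP within findtime, ban when the sum falls too low) and Roman's suggestion of banning on a single definitive indicator (status 444, or a request with no app_version header) are combined below in an added Python example that is not part of this thread and not fail2ban's own code. fail2ban filters are regex-only and have no score concept, so this runs as a stand-alone post-processor over an access log. The log format, the sample lines, the good/bad status classification, the FINDTIME and BAN_THRESHOLD values and the names parse_line, definitive_bad, score and evaluate are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log layout (an assumption, not a real fail2ban filter):
#   <ip> [<dd/Mon/yyyy:HH:MM:SS>] "<request line>" <status> [app_version="<v>"]
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
    r'(?: app_version="(?P<app_version>[^"]*)")?$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S"

GOOD_STATUS = {200, 204, 304}      # hypothetical "goodregex": a successful call scores +1
FINDTIME = timedelta(minutes=10)   # same meaning as fail2ban's findtime
BAN_THRESHOLD = -3                 # ban once the windowed sum is this low or lower


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["time"], TIME_FMT)
    ev["status"] = int(ev["status"])
    return ev


def definitive_bad(ev):
    """Roman's idea: indicators a legitimate client of the app never produces.
    444 is nginx's 'closed connection without response'; a missing app_version
    header means the request did not come through the application."""
    return ev["status"] == 444 or ev["app_version"] is None


def score(ev):
    """Denis's idea: +1 for a good request, -1 for a failed one."""
    return 1 if ev["status"] in GOOD_STATUS else -1


def evaluate(lines, findtime=FINDTIME, threshold=BAN_THRESHOLD):
    """Return {ip: 'ok' | 'ban'} after replaying the log in order.

    The window is evaluated relative to each event's own timestamp, so an IP
    whose failures are older than findtime is not penalised for them, and a
    ban is sticky: later lines from a banned IP are not re-scored (this also
    bounds the per-request work Roman was worried about to the events of one
    IP inside the window)."""
    history = defaultdict(list)   # ip -> [(time, score)] within the window
    decisions = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if decisions.get(ip) == "ban":
            continue
        if definitive_bad(ev):
            decisions[ip] = "ban"
            history.pop(ip, None)
            continue
        cutoff = ev["time"] - findtime
        history[ip] = [(t, s) for t, s in history[ip] if t >= cutoff]
        history[ip].append((ev["time"], score(ev)))
        total = sum(s for _, s in history[ip])
        decisions[ip] = "ban" if total <= threshold else "ok"
    return decisions


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    # 203.0.113.5: 5 good, 2 bad -> sum +3, stays allowed (Denis's first case)
    '203.0.113.5 [18/Aug/2022:19:00:01] "GET /api/items HTTP/1.1" 200 app_version="1.2"',
    '203.0.113.5 [18/Aug/2022:19:00:02] "GET /api/items HTTP/1.1" 200 app_version="1.2"',
    '203.0.113.5 [18/Aug/2022:19:00:03] "GET /api/missing HTTP/1.1" 404 app_version="1.2"',
    '203.0.113.5 [18/Aug/2022:19:00:04] "GET /api/items HTTP/1.1" 200 app_version="1.2"',
    '203.0.113.5 [18/Aug/2022:19:00:05] "GET /api/items HTTP/1.1" 200 app_version="1.2"',
    '203.0.113.5 [18/Aug/2022:19:00:06] "POST /api/items HTTP/1.1" 500 app_version="1.2"',
    '203.0.113.5 [18/Aug/2022:19:00:07] "GET /api/items HTTP/1.1" 200 app_version="1.2"',
    # 198.51.100.9: only failures -> reaches -3 on the third line and is banned
    '198.51.100.9 [18/Aug/2022:19:01:00] "POST /api/login HTTP/1.1" 401 app_version="1.0"',
    '198.51.100.9 [18/Aug/2022:19:01:01] "POST /api/login HTTP/1.1" 401 app_version="1.0"',
    '198.51.100.9 [18/Aug/2022:19:01:02] "POST /api/login HTTP/1.1" 401 app_version="1.0"',
    '198.51.100.9 [18/Aug/2022:19:01:03] "POST /api/login HTTP/1.1" 401 app_version="1.0"',
    # 192.0.2.77: no app_version header -> banned on first appearance (Roman's rule)
    '192.0.2.77 [18/Aug/2022:19:02:00] "GET /api/items HTTP/1.1" 200',
    # 192.0.2.78: nginx 444 -> banned on first appearance (Roman's rule)
    '192.0.2.78 [18/Aug/2022:19:02:30] "GET / HTTP/1.1" 444 app_version="1.2"',
    # 203.0.113.80: two old failures fall outside findtime, so the third only counts as -1
    '203.0.113.80 [18/Aug/2022:18:40:00] "GET /api/items HTTP/1.1" 403 app_version="1.1"',
    '203.0.113.80 [18/Aug/2022:18:40:05] "GET /api/items HTTP/1.1" 403 app_version="1.1"',
    '203.0.113.80 [18/Aug/2022:19:00:30] "GET /api/items HTTP/1.1" 403 app_version="1.1"',
]

if __name__ == "__main__":
    for ip, decision in sorted(evaluate(SAMPLE_LOG).items()):
        print(f"{ip:15} {decision}")
```

The decisions are kept as return values so the policy can be unit-tested on captured logs before it touches a firewall; in production the "ban" entries would be handed to the existing jail with `fail2ban-client set <jail> banip <ip>`, which keeps a single ipset per IP instead of the whitelist-plus-ban-jail pair Denis describes. The sticky ban and the per-event window pruning are the two places to tune if Roman's concern about attackers padding their score with cheap good requests turns out to matter; raising the cost of a "good" match (for example counting only authenticated successes) is the usual answer.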