In other words: which failregex causes the block of valid users?
Cheers,

        tim

On Sunday, 21.08.2022 at 16:25 +0100, Philip Clarke via
Fail2ban-users wrote:
> Surely the fundamental problem would be to work out why valid users
> are being blocked? 
> 
> > On 20 Aug 2022, at 19:12, Graham B.
> > <fail2...@chuckerytowers.plus.com> wrote:
> > 
> > Hello Denis,
> > 
> > This is a shot in the dark - I do not know what your users are
> > connecting to, or how they are authenticated.
> > 
> > However, in my experience, some dynamic I.P. addresses change
> > rapidly (changing in hours), while many persist for longer times
> > (days, weeks, months).
> > 
> > If you can hook something like "sqlite" to your fail2ban
> > configuration, you might maintain a database of tuples (I.P. address
> > + account name + the time of the latest sighting), then consult that
> > database for each connecting address, updating user details in the
> > database after authentication. Old entries might be purged daily.
> > Note that some addresses might have more than one account name
> > (e.g. two people sharing a home).
> > 
> > This should help to remove the need for the arithmetic mentioned by
> > Roman, since many valid account names and known addresses should
> > already be held, and a query for the I.P. address could suggest a
> > known authentic account name. Most authentic users should usually
> > gain access rapidly, with a low system load. First-time users, some
> > authentic users, and bogus users wait a little, with a higher system
> > load.
> > 
> > There may be an enhancement if the database tuples also include a
> > verdict, being one of {unknown | good | bad}, enabling caching of
> > bad sources, and faster decisions.
> > 
> > Hoping this helps,
> > Graham
> > It was a tough school.  Instead of a vaulting horse in the gym
> > they had a vaulting unicorn.
> > 
> > 
> > 
> > 
> > On Fri, 19 Aug 2022, Roman Pikalo via Fail2ban-users wrote:
> > 
> > > Date: Fri, 19 Aug 2022 10:25:00
> > > From: Roman Pikalo via Fail2ban-users
> > > <fail2ban-users@lists.sourceforge.net>
> > > Reply-To: Roman Pikalo <roman.pik...@funderbeam.com>
> > > To: Denis <d...@oxip.me>
> > > Cc: fail2ban-users@lists.sourceforge.net
> > > Subject: Re: [Fail2ban-users] Skip banning if user has good requests
> > > Hi Denis,
> > > > So I'm searching for something like IP reputation.
> > > That idea crossed my mind so many times. But then you would have
> > > to process all your "findings" with your reputation score logic
> > > and then let fail2ban know what to do: ban or whitelist. With
> > > every request you will be recalculating the score of all the IPs
> > > that just sent a request. Under high load that might be an issue.
> > > Also, implementing that kind of reputation scoring system might
> > > not be so challenging as making sure it works as expected. I
> > > think it will not take that much time for the attacker to figure
> > > out how to make their way onto the good users list.
> > > Have you tried looking (or adding if you can) in your logs for
> > > something more definitive and more specific to your application
> > > (e.g. http headers: filter by http_status/app_version/session_id
> > > etc)? As in, if you send a request without an app_version header,
> > > or status is 444, or session_id is missing, then ban on first
> > > appearance.
> > > Bregs,
> > > Roman
> > > On Thu, Aug 18, 2022 at 8:00 PM Denis <d...@oxip.me> wrote:
> > > Hello.
> > > Yes. Port knocking logic is very close to what I need.
> > > Now I do a virtual-whitelist jail with actionban = ACCEPT.
> > > And failregex = good request.
> > > So if a user makes a good request it is added to the whitelist. And
> > > for the next bantime it will not be rejected.
> > > But:
> > > The user is in fact added to 2 ipsets (whitelist and ban jail).
> > > My whitelist is awfully big (because every good user is in it).
> > > The f2b log has a lot of "already banned" lines (because a user
> > > allowed by the whitelist can still send bad requests).
> > > So I'm searching for something like IP reputation.
> > > IP req matched 2 times as fail, and 5 times as good. Sum is +3. OK.
> > > IP req matched 10 times as fail and 0 as good. Sum -10. Ban.
> > > Thu, 18 Aug 2022, 19:23 Philip Clarke <n...@bouncing.org>:
> > > Have you considered doing port knocking for your users? They
> > > point a web browser to a location, it registers the request, and
> > > that IP is given a pass for fail2ban or iptables. A simple
> > > listening script would suffice, either implementing an “Unban”
> > > if locked out, or possibly some genius with iptables could skip
> > > the whole thing and code it in a one liner :)
> > > 
> > > On 18 Aug 2022, at 10:33, Denis <d...@oxip.me> wrote:
> > > Hello.
> > > Unfortunately users have dynamic IPs and there are a lot of
> > > users. I can't manually add every one.
> > > On 16.08.2022 23:39, Roman Pikalo wrote:
> > > One of the options would be to use "ignoreip" in your jail
> > > configuration to ignore certain IPs or even subnets. Of course
> > > that means that you have that IP list.
> > > -----
> > > Roman
> > > On Mon, Aug 15, 2022 at 11:04 AM Denis <d...@oxip.me> wrote:
> > > Hello.
> > >
> > > I configured f2b with a strict enough policy.
> > >
> > > Some normal users can be banned by a false positive.
> > >
> > > Is it possible to skip banning if a user has good requests during
> > > findtime? (not lines with ignoreregex, but adding an IP's reputation)
> > >
> > > Or decrease an IP's bad count if it gets a good request? (goodregex?)
> > > 
> > >      _______________________________________________
> > >      Fail2ban-users mailing list
> > >      Fail2ban-users@lists.sourceforge.net
> > >      https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> > [--- snipped ---]
> > 
> 

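The reputation arithmetic Denis sketches in the thread (good requests +1, failed ones -1 within findtime, ban when the sum drops far enough) is worked through below as an added example; it is not code from the thread or from fail2ban itself. The log format, the ban threshold (score <= -maxretry) and the sample lines are all constructed here for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread): "<timestamp> <ip> <status>".
# 10.0.0.1 sends 2 bad and 5 good requests, 10.0.0.2 sends 10 bad and none good,
# 10.0.0.3 sent bad requests, but two hours earlier, outside the findtime window.
SAMPLE_LOG = "\n".join(
    ["2022-08-18 19:00:%02d 10.0.0.1 401" % s for s in range(2)]
    + ["2022-08-18 19:01:%02d 10.0.0.1 200" % s for s in range(5)]
    + ["2022-08-18 19:02:%02d 10.0.0.2 401" % s for s in range(10)]
    + ["2022-08-18 17:00:%02d 10.0.0.3 401" % s for s in range(10)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<ip>\d+(?:\.\d+){3}) (?P<status>\d{3})$"
)

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def classify(status):
    """+1 for a good request (2xx), -1 for an auth failure (401/403), 0 otherwise."""
    if status.startswith("2"):
        return 1
    if status in ("401", "403"):
        return -1
    return 0

def reputation(log, now, findtime=600, maxretry=5):
    """Return {ip: (fails, goods, score, verdict)} using only events within
    findtime seconds before `now` (given as "YYYY-mm-dd HH:MM:SS")."""
    now = parse_ts(now)
    window_start = now - timedelta(seconds=findtime)
    counts = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparseable line: ignore, do not guess
        ts = parse_ts(m["ts"])
        if ts < window_start or ts > now:
            continue                      # outside findtime: does not count either way
        fails, goods = counts.get(m["ip"], (0, 0))
        w = classify(m["status"])
        counts[m["ip"]] = (fails + (w < 0), goods + (w > 0))
    result = {}
    for ip, (fails, goods) in counts.items():
        score = goods - fails             # Denis's "Sum": +3 is fine, -10 is banned
        result[ip] = (fails, goods, score, "ban" if score <= -maxretry else "ok")
    return result
```

Because the score is recomputed per IP over the window, this is also where Roman's warning applies: every request touches the per-IP counters, so the cost grows with request rate, not with the number of banned hosts.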