Hello.

We had an error in our old app, and a lot of users use this version. The app sends a lot of wrong (dynamic) GET requests and the server returns 404, etc. It was "normal" and it was not a problem for us. We were waiting for users to slowly update.

Until the DDoS began.

Now I have to turn on fail2ban and block all strange requests.

A normal user sends "POST /login" and the server returns 200. I'd like to increase the reputation for this to avoid a ban.

Now I add it to the whitelist (as I described before).

On 24.08.2022 01:37, Tim Boneko via Fail2ban-users wrote:
In other words: Which failregex causes the blocking of valid users?
Cheers,

        tim

On Sunday, 21.08.2022 at 16:25 +0100, Philip Clarke via Fail2ban-users wrote:
Surely the fundamental problem would be to work out why valid users
are being blocked?

On 20 Aug 2022, at 19:12, Graham B.
<fail2...@chuckerytowers.plus.com> wrote:

Hello Denis,

This is a shot in the dark - I do not know what your users are connecting to, or how they are authenticated.

However, in my experience, some dynamic I.P. addresses change rapidly (changing in hours), while many persist for longer times (days, weeks, months).

If you can hook something like "sqlite" to your fail2ban configuration, you might maintain a database of tuples (I.P. address + account name + the time of the latest sighting), then consult that database for each connecting address, and update user details in the database after authentication. Old entries might be purged daily. Note that some addresses might have more than one account name (e.g. two people sharing a home).

This should help to remove the need for the arithmetic mentioned by Roman, since many valid account names and known addresses should already be held, and a query for the I.P. address could suggest a known authentic account name. Most authentic users should usually gain access rapidly, with a low system load. First-time users, some authentic users, and bogus users wait a little, with a higher system load.

There may be an enhancement if the database tuples also include a verdict, being one of {unknown | good | bad}, enabling caching of bad sources, and faster decisions.

Hoping this helps,
Graham
It was a tough school.  Instead of a vaulting horse in the gym
they had a vaulting unicorn.




On Fri, 19 Aug 2022, Roman Pikalo via Fail2ban-users wrote:

Date: Fri, 19 Aug 2022 10:25:00
From: Roman Pikalo via Fail2ban-users
<fail2ban-users@lists.sourceforge.net>
Reply-To: Roman Pikalo <roman.pik...@funderbeam.com>
To: Denis <d...@oxip.me>
Cc: fail2ban-users@lists.sourceforge.net
Subject: Re: [Fail2ban-users] Skip banning if user has good requests
Hi Denis,
So I'm searching for something like IP reputation.
That idea crossed my mind so many times. But then you would have to process all your "findings" with your reputation score logic and then let fail2ban know what to do: ban or whitelist. With every request you will be recalculating the score of all the IPs that just sent a request. Under high load that might be an issue.
Also, implementing that kind of reputation scoring system might not be as challenging as making sure it works as expected. I think it will not take that much time for the attacker to figure out how to make their way onto the good users list.
Have you tried looking (or adding if you can) in your logs for something more definitive and more specific to your application (e.g. HTTP headers: filter by http_status/app_version/session_id etc.)?
As in, if you send a request without the app_version header, or the status is 444, or session_id is missing, then ban on first appearance.
Best regards,
Roman
On Thu, Aug 18, 2022 at 8:00 PM Denis <d...@oxip.me> wrote:
Hello.
Yes. Port knocking logic is very close to what I need.
Now I do a virtual-whitelist jail with actionban = ACCEPT and failregex = good request.
So if a user makes a good request it is added to the whitelist, and for the next bantime it will not be rejected.
But:
The user is in fact added to 2 ipsets (whitelist and ban jail).
My whitelist is awfully big (because every good user is in it).
The f2b log has a lot of "already banned" lines (because a user allowed by the whitelist can still send bad requests).
So I'm searching for something like IP reputation.
An IP's requests matched 2 times as fail and 5 times as good. Sum is +3. OK.
An IP's requests matched 10 times as fail and 0 as good. Sum is -10. Ban.
Thu, 18 Aug 2022, 19:23 Philip Clarke <n...@bouncing.org>:
Have you considered doing port knocking for your users? They point a web browser to a location, it registers the request, and that IP is given a pass for fail2ban or iptables. A simple listening script would suffice, either implementing an "Unban" if locked out, or possibly some genius with iptables could skip the whole thing and code it in a one-liner :)

            On 18 Aug 2022, at 10:33, Denis <d...@oxip.me> wrote:
Hello.
Unfortunately users have dynamic IPs and there are a lot of users. I can't manually add every one.
On 16.08.2022 23:39, Roman Pikalo wrote:
One of the options would be to use "ignoreip" in your jail configuration to ignore certain IPs or even subnets. Of course that means you have to have that IP list.
-----
Roman
On Mon, Aug 15, 2022 at 11:04 AM Denis <d...@oxip.me> wrote:
Hello.

I configured f2b with a strict enough policy.

Some normal users can get banned as false positives.

Is it possible to skip banning if a user has good requests within findtime?
(not lines matched by ignoreregex, but adding an IP reputation)

Or decrease an IP's bad count if it makes a good request? (goodregex?)

      _______________________________________________
      Fail2ban-users mailing list
      Fail2ban-users@lists.sourceforge.net
      https://lists.sourceforge.net/lists/listinfo/fail2ban-users
[--- snipped ---]






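The score-then-ban arithmetic Denis sketches in the thread (good request +1, failed request -1, net sum over findtime, ban at a threshold), written out as an added example; this is not code from the thread, from fail2ban or from any poster, and the log format, the regexes, the 10-minute findtime, the threshold of 3 and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample access-log lines (nginx "combined"-like); not taken from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Aug/2022:18:00:00 +0000] "GET /old/dyn?x=0 HTTP/1.1" 404 0
203.0.113.10 - - [18/Aug/2022:19:00:01 +0000] "POST /login HTTP/1.1" 200 512
198.51.100.7 - - [18/Aug/2022:19:00:02 +0000] "GET /old/dyn?x=1 HTTP/1.1" 404 0
198.51.100.7 - - [18/Aug/2022:19:00:03 +0000] "GET /old/dyn?x=2 HTTP/1.1" 404 0
198.51.100.7 - - [18/Aug/2022:19:00:04 +0000] "GET /old/dyn?x=3 HTTP/1.1" 404 0
203.0.113.10 - - [18/Aug/2022:19:00:05 +0000] "GET /old/dyn?x=4 HTTP/1.1" 404 0
"""
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
GOOD_RE = re.compile(r"^POST /login ")  # a successful login is the "good" request (the goodregex idea)
FAIL_STATUSES = {"404"}                  # the old app's broken GETs show up as 404s (the failregex side)

def parse_line(line):
    """Return (ip, timestamp, delta) or None; delta is +1 good, -1 fail, 0 neutral."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    if m["status"] == "200" and GOOD_RE.match(m["req"]):
        return m["ip"], ts, +1
    if m["status"] in FAIL_STATUSES:
        return m["ip"], ts, -1
    return m["ip"], ts, 0

def score_ips(lines, now, findtime=timedelta(minutes=10)):
    """Net score per IP: good events add, failures subtract, only inside the findtime window."""
    scores = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, delta = parsed
        if timedelta(0) <= now - ts <= findtime:  # events older than findtime no longer count
            scores[ip] += delta
    return dict(scores)

def verdict(score, maxretry=3):
    """Ban when the net score reaches -maxretry; a few good requests offset a few failures."""
    return "ban" if score <= -maxretry else "ok"

def demo_scores(now_str="18/Aug/2022:19:01:00 +0000"):
    """Score the constructed sample at a fixed 'now' and attach a verdict to each IP."""
    now = datetime.strptime(now_str, TS_FMT)
    return {ip: (s, verdict(s)) for ip, s in score_ips(SAMPLE_LOG.splitlines(), now).items()}
```

Roman's objection in the thread applies to this scorer as written: a source that mixes successful logins into its traffic lifts its own score, so weighting good events lower than failures, or keying the verdict cache on the authenticated account as Graham suggests, is the next step before relying on it.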
