Hello.
Now fail2ban counts failregex and adds +1 for every matched line. It
already stores IP, count, time.
As I think, if f2b had a goodregex with -1 from the same counter, it would help me.
Thanks for the idea about adding more headers to the logs! I'll try to skip with
ignoreregex by more specific headers.
On 19.08.2022 14:25, Roman Pikalo wrote:
Hi Denis,
> So I'm in searching some like IP reputation.
That idea crossed my mind so many times. But then you would have to
process all your "findings" with your reputation score logic and then
let fail2ban know what to do: ban or whitelist. With every
request you will be recalculating the score of all the IPs that just
sent a request. Under high load that might be an issue.
Also, implementing that kind of reputation scoring system might
not be as challenging as making sure it works as expected. I think it
will not take that much time for the attacker to figure out how to
make their way onto the good users list.
Have you tried looking (or adding if you can) in your logs for something
more definitive and more specific to your application (eg. http
headers: filter by http_status/app_version/session_id etc)?
As in: if you send a request without an app_version header, or the status is
444, or session_id is missing, then ban on first appearance.
Bregs,
Roman
On Thu, Aug 18, 2022 at 8:00 PM Denis <d...@oxip.me> wrote:
Hello.
Yes. Port knocking logic is close to what I need.
Now I do a virtual-whitelist jail with actionban = ACCEPT.
And failregex = good request.
So if a user makes a good req it is added to the whitelist. And for the next
bantime it will not be rejected.
But:
The user is in fact added to 2 ipsets (whitelist and ban jail).
My whitelist is awfully big (because every good user is in it).
The f2b log has a lot of "already banned" lines (because the user is allowed
by the whitelist but can send bad req).
So I'm searching for something like IP reputation.
IP req matched 2 times as fail, and 5 times as good. Sum is +3. Ok.
IP req matched 10 times as fail and 0 as good. Sum -10. Ban.
Thu, 18 Aug 2022, 19:23 Philip Clarke <n...@bouncing.org>:
Have you considered doing port knocking for your users? They
point a web browser to a location, it registers the request, and
that IP is given a pass for fail2ban or iptables. A simple
listening script would suffice, either implementing an “Unban”
if locked out or possibly some genius with iptables could skip
the whole thing and code it in a one liner :)
On 18 Aug 2022, at 10:33, Denis <d...@oxip.me> wrote:
Hello.
Unfortunately users have dynamic IPs and there are a lot of
users. I can't manually add every one.
On 16.08.2022 23:39, Roman Pikalo wrote:
One of the options would be to use "ignoreip" in your jail
configuration to ignore certain IPs or even subnets. Of
course that means that you have that IP list.
-----
Roman
On Mon, Aug 15, 2022 at 11:04 AM Denis <d...@oxip.me> wrote:
Hello.
I configured f2b for a strict enough policy.
Some normal users can be banned with false positives.
Is it possible to skip banning if a user has good requests
within findtime?
(not lines with ignoreregex, but adding IP reputation)
Or decrease the IP's bad count if it gets a good req? (goodregex?)
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
<mailto:Fail2ban-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
The Global Funding and Trading Platform of private companies.
Copenhagen London Singapore Tallinn Zagreb
www.funderbeam.com <https://www.funderbeam.com/>