I recently set up F2B to monitor a freeradius server. I've already been admonished by the FR list for having it exposed to the open internet, but this is how it is for now.
So I wrote a regex and have it fairly well tuned to temporarily ban IPs using this wonderful tool. But I had the thought that if a malicious IP were trying certain usernames, could those be banned with different rules? I.e. we have field techs who log in, and maybe they mistype their username or whatever, but we would never use "haproxy" or "postgres" as a radius username. For those, I wondered if I could just do an instant ban?

Log examples:

Fri Sep 16 21:22:33 2022 : Auth: (2316721) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [wladis] (from client all_ipv4 port 4731 cli 104.236.52.94)
Fri Sep 16 21:22:34 2022 : Error: (2316720) Discarding duplicate request from client all_ipv4 port 57935 - ID: 156 due to delayed response
Fri Sep 16 21:22:34 2022 : Auth: (2316722) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [root] (from client all_ipv4 port 0 cli 141.98.10.95)
Fri Sep 16 21:22:34 2022 : Error: (2316722) Discarding duplicate request from client all_ipv4 port 41236 - ID: 157 due to delayed response
Fri Sep 16 21:22:34 2022 : Auth: (2316723) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [haproxy] (from client all_ipv4 port 4729 cli 41.32.132.78)
Fri Sep 16 21:22:35 2022 : Error: (2316722) Discarding duplicate request from client all_ipv4 port 41236 - ID: 157 due to delayed response
Fri Sep 16 21:22:36 2022 : Auth: (2316724) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [postgres] (from client all_ipv4 port 0 cli 139.59.121.221)

So I'm not sure if wladis is a legitimate username, but for sure we would not have root/haproxy/postgres as radius usernames.

The regex I have currently that should pick those up:

Auth: \(\d+\) Login incorrect \(.*Reject\): \[.+\] \(from client all_ipv4 port \d+ cli <HOST>\)$

The TL;DR: would it be a good idea to have specific matches for, i.e., haproxy, and is it possible to have a different set of banning rules? Like would this be a good idea?

regex: "Auth: \(\d+\) Login incorrect \(.*\): \[haproxy\] \(from client all_ipv4 port \d+ cli <HOST>\)$"

And have it follow a more restrictive threshold? Instead of 5 matches, just 1 or 2, or something, but then instead of unbanning at 10 minutes or whatever, it stays on the list longer?

Brantley

The question is not how far. The question is, do you possess the constitution, the depth of faith, to go as far as is needed?
-Boondock Saints

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
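An added example (not from the original post or from the fail2ban project) of how the two-tier setup asked about above can be expressed in fail2ban's own configuration: a second filter that matches only usernames that are never legitimate, and a second jail reading the same log with a stricter maxretry and a longer bantime. The general failregex is the one from the post; the jail names, the log path and the RADIUS ports are assumptions, and the username list is the three names the post rules out.

```ini
# /etc/fail2ban/filter.d/freeradius.conf  (general filter: the regex from the post)
[Definition]
failregex = Auth: \(\d+\) Login incorrect \(.*Reject\): \[.+\] \(from client all_ipv4 port \d+ cli <HOST>\)$
ignoreregex =

# /etc/fail2ban/filter.d/freeradius-badusers.conf  (strict filter: names we never use)
# Matches any "Login incorrect" reason, not only Reject, so the mschap "[root]"
# line from the post is caught as well. Extend the alternation as needed.
[Definition]
failregex = Auth: \(\d+\) Login incorrect \(.*\): \[(?:root|haproxy|postgres)\] \(from client all_ipv4 port \d+ cli <HOST>\)$
ignoreregex =

# /etc/fail2ban/jail.local  (two jails, same log, different thresholds)
# logpath is an assumption (Debian default); adjust for your distribution.
[freeradius]
enabled  = true
filter   = freeradius
logpath  = /var/log/freeradius/radius.log
port     = 1812,1813
protocol = udp
maxretry = 5
findtime = 600
bantime  = 600

[freeradius-badusers]
enabled  = true
filter   = freeradius-badusers
logpath  = /var/log/freeradius/radius.log
port     = 1812,1813
protocol = udp
# one hit is enough: a field tech never types these usernames
maxretry = 1
findtime = 600
# one day in seconds; fail2ban 0.11+ can also grow this for repeat
# offenders with bantime.increment = true
bantime  = 86400
```

Check each filter against the live log with `fail2ban-regex /var/log/freeradius/radius.log freeradius-badusers` before enabling it; the "Error: ... Discarding duplicate request" lines should match neither filter. An IP can end up in both jails at once, which is harmless; the longer ban simply outlives the shorter one.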