This is probably more of a question for UFW/IPTables, or honestly I may be trying to do something not possible...
I am trying to add a little security to a RADIUS server. I'm able to see the <HOST> in the log entries, but the offending <HOST> isn't the actual source. I.e., I have a server at 10.1.1.2, I have a network appliance at 10.20.3.4, and I have a user/workstation attempting a login from 10.5.1.120. The log entry will show the login ok/failure/etc. from client 10.5.1.120, but the actual source of the packet is 10.20.3.4. In FreeRADIUS terms, I'm looking to block/ban/prevent the Calling-Station-Id. The NAS-IP-Address is what is showing as the source.

An example of a tcpdump showing the calling station vs. NAS IP:

    IP (tos 0x0, ttl 251, id 12176, offset 0, flags [none], proto UDP (17), length 105)
        10.20.3.4.45220 > 10.1.1.2.1812: RADIUS, length: 77
        Access-Request (1), id: 0xf3, Authenticator: 98....c9ed
          User-Name Attribute (1), length: 7, Value: qwest
          User-Password Attribute (2), length: 18, Value:
          NAS-Port Attribute (5), length: 6, Value: 7
          Calling-Station-Id Attribute (31), length: 14, Value: 10.5.1.120
          Service-Type Attribute (6), length: 6, Value: Login
          NAS-IP-Address Attribute (4), length: 6, Value: 10.20.3.4

So, if f2b bans 10.5.1.120, it doesn't prevent that IP from attempting login at 10.20.3.4, and it also doesn't prevent 10.1.1.2 from trying to process the request. But if I block 10.20.3.4, which would prevent a login attempt, it also blocks authorized attempts, since they "originate" from the same IP, though the client making the call isn't the same.

The failregex that matches:

    Auth: \(\d+\) Login incorrect \(.*\): \[.*\] \(.* port \d+ cli <HOST>\).*$

This matches/bans the Calling-Station-Id, but the resulting iptables rule doesn't catch that IP coming in. Is this possible?

Brantley Padgett

The question is not how far. The question is, do you possess the constitution, the depth of faith, to go as far as is needed?
-Boondock Saints

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
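The mismatch described in the post can be made concrete by running the posted failregex over some log lines and checking what a ban would actually hit. The script below is an added example, not code from the post or from fail2ban or FreeRADIUS. It applies the failregex (with <HOST> expanded to a simple IPv4 pattern, an assumption; fail2ban's own expansion also accepts IPv6 and hostnames) to constructed FreeRADIUS-style auth log lines, mimics fail2ban's maxretry/findtime counting per Calling-Station-Id, and then resolves the "from client NAME" shortname through a constructed clients.conf-style mapping to show the source address an iptables rule would need to match. The `CLIENTS` mapping, the log lines and the `nas1`/`nas2` names are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: stand-in for fail2ban's <HOST> expansion (IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex from the post, with <HOST> expanded. The "\(.* port" part is
# narrowed to "\(from client (?P<client>\S+) port" so the NAS shortname that
# FreeRADIUS logs is captured alongside the Calling-Station-Id.
FAILREGEX = re.compile(
    r"Auth: \(\d+\) Login incorrect \(.*\): \[.*\] "
    r"\(from client (?P<client>\S+) port \d+ cli " + HOST + r"\).*$"
)

# Constructed clients.conf-style mapping: NAS shortname -> NAS IP (assumption).
CLIENTS = {"nas1": "10.20.3.4", "nas2": "10.20.3.5"}

# Constructed log lines in FreeRADIUS auth-log style (not from the post).
LOG_LINES = [
    "Tue Mar 10 08:00:01 2020 : Auth: (1) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [qwest/<via Auth-Type = eap>] (from client nas1 port 7 cli 10.5.1.120)",
    "Tue Mar 10 09:00:01 2020 : Auth: (2) Login OK: [qwest/<via Auth-Type = eap>] (from client nas1 port 7 cli 10.5.1.120)",
    "Tue Mar 10 09:00:05 2020 : Auth: (3) Login incorrect (pap: Password incorrect): [qwest/qwest] (from client nas1 port 7 cli 10.5.1.120)",
    "Tue Mar 10 09:01:05 2020 : Auth: (4) Login incorrect (pap: Password incorrect): [qwest/qwest1] (from client nas1 port 7 cli 10.5.1.120)",
    "Tue Mar 10 09:02:05 2020 : Auth: (5) Login incorrect (pap: Password incorrect): [qwest/qwest2] (from client nas1 port 7 cli 10.5.1.120)",
    "Tue Mar 10 09:02:30 2020 : Auth: (6) Login incorrect (pap: Password incorrect): [bob/bob] (from client nas2 port 3 cli 10.5.1.121)",
]


def parse_failures(lines):
    """Return (timestamp, calling_station_id, nas_shortname) for each matching line."""
    events = []
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue  # "Login OK" and unrelated lines are skipped
        stamp = line.split(" : ", 1)[0]
        ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("host"), m.group("client")))
    return events


def find_bans(events, maxretry=3, findtime=600):
    """Mimic fail2ban: ban a host once maxretry failures fall within findtime seconds.

    Returns {banned_host: nas_shortname_of_the_triggering_line}.
    """
    window = defaultdict(list)
    bans = {}
    for ts, host, client in sorted(events):
        recent = [t for t in window[host] if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        window[host] = recent
        if len(recent) >= maxretry and host not in bans:
            bans[host] = client
    return bans


def iptables_effective(bans, clients):
    """For each banned host, report the IP-header source the server really sees.

    Returns {banned_host: (packet_source_ip, ban_would_match)}.
    """
    result = {}
    for host, client in bans.items():
        src = clients.get(client, client)
        result[host] = (src, src == host)
    return result


if __name__ == "__main__":
    bans = find_bans(parse_failures(LOG_LINES))
    for host, (src, effective) in iptables_effective(bans, CLIENTS).items():
        verdict = "would match" if effective else "would NOT match (packets come from the NAS)"
        print(f"ban {host}: actual source {src}; iptables rule {verdict}")
```

With these inputs the only ban is 10.5.1.120, triggered by three failures inside the 600-second window (the 08:00 failure is too old to count), and the resolution step shows the packets for that client arrive from 10.20.3.4, so an iptables DROP on 10.5.1.120 never sees a matching packet. That is exactly the gap in the post: the information fail2ban extracts is a RADIUS attribute, not the IP header source, so a network-layer ban on it cannot work.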