extending fail2ban

Don Russell fedora at drussell.dnsalias.com
Thu May 22 20:21:41 UTC 2008


On Thu, May 22, 2008 at 11:05 AM, Don Russell
<fedora at drussell.dnsalias.com> wrote:
> On Thu, May 22, 2008 at 10:13 AM, Brian Jedsen <jedsen at gmail.com> wrote:
>> On Thu, 22 May 2008 09:42:11 -0700
>> "Don Russell" <fedora at drussell.dnsalias.com> wrote:
>>
>>> I installed fail2ban and it seems to do a nice job of reporting
>>> people knocking at my door and shutting them down temporarily.
>>>
>>> Is there any doc on how I could add other "intruder detection".... :-)
>>> man fail2ban and info fail2ban come up dry. :-(
>>> The fedora project page doesn't have anything on it either:
>>>  https://admin.fedoraproject.org/pkgdb/packages/name/fail2ban
>>>
>>> i.e. I have an application I run via xinetd.
>>>
>>> If the client tries to connect with the incorrect protocol, I just
>>> respond with a terse "wrong protocol" message and exit.
>>>
>>> My xinet logs show the same IP address connecting with the wrong
>>> protocol over and over... They're obviously "up to no good" :-).
>>>
>>> How can I "teach" fail2ban to block those people too?
>>>
>>> It's not a password violation.. there's no password on it... it's
>>> meant for public consumption, but only if you are using the correct
>>> protocol.
>>>
>>> I could do my own "blocking", but I'd like to use the tools that are
>>> already there.
>>>
>>> Thanks,
>>>
>> You'd have to set up a new jail along with a new filter and an action.
>> You could probably reuse the action from any of the other fail2ban
>> rules. The hard part would be finding the right regular expression that
>> matches these entries when fail2ban scans your logs.
>
> I was thinking more along the lines of creating log entries that
> fail2ban already recognizes...
>
> But, I don't think this will really have the desired effect anyway....
> right now fail2ban detects n number of unsuccessful login attempts and
> shuts them out. If I depend on log entries and fail2ban to scan them,
> that's not going to happen in real time.
>
> I was originally thinking if there were a way to tell fail2ban "here's
> an "event". If you get too many within x minutes, then lock them out
> for y minutes...
>
> i.e.
> So each time I detect that IP x.y.z.t connects to me with the wrong
> protocol, I send fail2ban a "message": "fail2ban --DoorKnocker
> x.y.z.t"
>
> and when fail2ban gets enough "Doorknocker" messages for the same IP,
> it blocks the IP the same way it does now for password attempts.
>
> hmmm, I should take this up with the fail2ban people.... that should
> be pretty easy to implement.

Ref: https://bugzilla.redhat.com/show_bug.cgi?id=448001
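To make the "new jail, new filter, reuse an action" answer concrete, here is an added example, not from the thread and not fail2ban's own code: a hypothetical filter.d/jail.conf pair for the xinetd application, plus a small Python stand-in for fail2ban's <HOST> substitution and its maxretry/findtime counting, run over constructed log lines (the application's real log format and name, `myapp`, are assumptions).

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-style lines from a hypothetical xinetd service "myapp".
SAMPLE_LOG = """\
May 22 09:40:01 host myapp[1234]: wrong protocol from 203.0.113.7
May 22 09:40:05 host myapp[1235]: wrong protocol from 203.0.113.7
May 22 09:40:09 host myapp[1236]: wrong protocol from 198.51.100.2
May 22 09:40:12 host myapp[1237]: wrong protocol from 203.0.113.7
May 22 09:55:00 host myapp[1238]: wrong protocol from 198.51.100.2
"""

# Contents of a hypothetical /etc/fail2ban/filter.d/doorknocker.conf.
# <HOST> is fail2ban's placeholder for the offending address.
FAILREGEX = r"myapp\[\d+\]: wrong protocol from <HOST>$"

# Matching jail entry for jail.conf (hypothetical jail name; the action
# reuses the stock iptables-allports action rather than a new one).
JAIL_CONF = """\
[doorknocker]
enabled  = true
filter   = doorknocker
action   = iptables-allports[name=DoorKnocker]
logpath  = /var/log/messages
maxretry = 3
findtime = 600
bantime  = 3600
"""

# Simplified stand-in for the named group fail2ban substitutes for <HOST>
# (an assumption for this demo, not fail2ban's exact pattern).
HOST_RE = r"(?P<host>\S+)"


def compile_failregex(failregex):
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_syslog_time(line, year=2008):
    # syslog timestamps carry no year, so one is assumed for the demo.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def offenders(log_text, failregex, maxretry=3, findtime=600):
    """Hosts that hit failregex at least maxretry times inside a sliding
    findtime-second window, mirroring the jail's maxretry/findtime semantics."""
    rx = compile_failregex(failregex)
    recent, banned = {}, set()
    for line in log_text.splitlines():
        m = rx.search(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_syslog_time(line)
        window = recent.setdefault(host, [])
        window.append(ts)
        window[:] = [t for t in window if ts - t <= timedelta(seconds=findtime)]
        if len(window) >= maxretry:
            banned.add(host)
    return banned
```

As the thread notes, this still runs over the log after the fact; fail2ban's polling interval sets how quickly the ban follows the third hit.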