I created a filter and verified it with fail2ban-regex against actual lines in my log and it works. During restarts of fail2ban, only some previous IPs get banned immediately whereas some need a recurrence, despite the jail's config specification of maxretry and findtime suggesting the entries mandate blocking.
I'd assume the behavior after a restart is one way if it weren't for the seemingly random immediate notification of blocks being different?
Anyone with experience using fail2ban know anything about this?
Thanks, jlc
On Mon, 2010-08-09 at 00:38 +0000, Joseph L. Casale wrote:
> I created a filter and verified it with fail2ban-regex against actual lines in my log and it works. During restarts of fail2ban, only some previous IPs get banned immediately whereas some need a recurrence, despite the jail's config specification of maxretry and findtime suggesting the entries mandate blocking.
> I'd assume the behavior after a restart is one way if it weren't for the seemingly random immediate notification of blocks being different?
> Anyone with experience using fail2ban know anything about this?
> Thanks, jlc

Stop it at the Edge Router, not the machine. Adding layers of security creates problems like the one you are getting. Ban the IP block with iptables.
John
> Stop it at the Edge Router, not the machine.
Fair enough, but now I have to manually scour the logs and maintain a dynamic block list?
> Adding layers of security creates problems like the one you are getting.
I agree, and if my edge router had the functionality to inspect HTTP requests I would :)
> Ban the IP block with iptables.
? That's what fail2ban is set up to do; as the email suggested, it's not restoring bans correctly on restarts.
On Mon, 2010-08-09 at 13:58 +0000, Joseph L. Casale wrote:
> ? That's what fail2ban is set up to do; as the email suggested, it's not restoring bans correctly on restarts.

http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal "Question about persistant IP bans over restart"
I think you need to adapt the example to CentOS/RH.
John
> http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal "Question about persistant IP bans over restart"
> I think you need to adapt the example to CentOS/RH.
Yeah, I saw that one and implemented it. I think I have to rewrite the action scripts my jails use. The odd part is the initial parsing behavior on a real restart such as a reboot: it parses the logs and only catches some of the total potential hosts that can trigger the ban. Prolly just a bug...
Really, unless your ban time is shorter than your logrotate, or you configure it to read some of the rotated logs, there is a problem with maintaining the banlist on restarts if you don't do as the orig script does and delete the iptables rules when exiting. If the process sh!ts the bed you still have an issue which wouldn't get cleared up until the next restart, but with the parsing issue you're left with an incomplete ruleset :/
Anyone know of a more elaborate app that does what fail2ban does but maintains a better state in between restarts?
Thanks! jlc
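The restart behaviour discussed above, as an added illustration that is not part of the original thread or of fail2ban's own code: a small Python model of a jail's maxretry/findtime window replayed over constructed Apache-style log lines at two different clock times, plus a JSON ban-list file that a restart reloads so that bans for hosts whose failures have already aged out of findtime are not lost. The failregex, the log lines, the addresses, the timestamps and the state file are all assumptions constructed for the example.

```python
"""Model of a fail2ban-style jail replayed at restart (added illustration, not fail2ban code).

Assumed jail semantics: a host is banned once `maxretry` matching lines fall
within the last `findtime` seconds, measured against the clock at the moment
the log is read.  The JSON state file is a hypothetical addition that lets a
restart restore bans for hosts whose failures have already aged out of findtime.
Log lines, addresses and timestamps are constructed sample data.
"""
import json
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed Apache-style access log: an early probe burst, then a later one.
LOG_EARLY = """\
203.0.113.5 - - [09/Aug/2010:00:01:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 -
203.0.113.5 - - [09/Aug/2010:00:01:05 +0000] "GET /pma/ HTTP/1.1" 404 -
203.0.113.5 - - [09/Aug/2010:00:01:09 +0000] "GET /myadmin/ HTTP/1.1" 404 -
"""
LOG_LATER = """\
198.51.100.9 - - [09/Aug/2010:00:30:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 -
198.51.100.9 - - [09/Aug/2010:00:30:03 +0000] "GET /pma/ HTTP/1.1" 404 -
198.51.100.9 - - [09/Aug/2010:00:30:07 +0000] "GET /myadmin/ HTTP/1.1" 404 -
192.0.2.77 - - [09/Aug/2010:00:31:00 +0000] "GET /index.html HTTP/1.1" 200 1234
"""
SAMPLE_LOG = LOG_EARLY + LOG_LATER

# Hypothetical failregex: a request for one of a few admin-panel probe paths.
FAILREGEX = re.compile(
    r'^(?P<host>\d+\.\d+\.\d+\.\d+) .*\[(?P<time>[^\]]+)\] "GET /(?:phpmyadmin|pma|myadmin)/'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_failures(log_text):
    """Return {host: [timestamp, ...]} for every line matching FAILREGEX."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            failures[m.group("host")].append(datetime.strptime(m.group("time"), TIME_FMT))
    return failures


def hosts_to_ban(failures, now, maxretry, findtime):
    """Sliding window: only failures newer than now - findtime are counted."""
    cutoff = now - timedelta(seconds=findtime)
    return sorted(host for host, times in failures.items()
                  if sum(1 for t in times if t > cutoff) >= maxretry)


def load_bans(state_path):
    path = Path(state_path)
    return json.loads(path.read_text()) if path.exists() else []


def save_bans(state_path, hosts):
    Path(state_path).write_text(json.dumps(sorted(set(hosts))))


def start_jail(log_text, state_path, now, maxretry=3, findtime=600):
    """One (re)start: re-read the log, union with the persisted list, persist again.

    Returns (hosts found from the log alone, full ban list after merging).
    """
    from_log = hosts_to_ban(parse_failures(log_text), now, maxretry, findtime)
    merged = sorted(set(from_log) | set(load_bans(state_path)))
    save_bans(state_path, merged)
    return from_log, merged


def demo():
    """First start at 00:02, restart at 00:35 (findtime 600 s); returns the three lists."""
    state = Path(tempfile.mkdtemp()) / "bans.json"
    first_from_log, _ = start_jail(LOG_EARLY, state, datetime(2010, 8, 9, 0, 2, tzinfo=timezone.utc))
    restart_from_log, restart_merged = start_jail(
        SAMPLE_LOG, state, datetime(2010, 8, 9, 0, 35, tzinfo=timezone.utc))
    return first_from_log, restart_from_log, restart_merged


if __name__ == "__main__":
    first, re_read, merged = demo()
    print("first start banned from log:", first)      # ['203.0.113.5']
    print("restart banned from log alone:", re_read)  # ['198.51.100.9'] (00:01 burst aged out)
    print("restart ban list with persisted state:", merged)
```

At the restart the 00:01 burst from 203.0.113.5 is older than findtime, so re-reading the log alone no longer bans that host even though it has three matching lines; only the persisted list brings it back. A real action script built on this idea would replay the stored list into iptables on start and drop an address from the file on unban, so the file and the running ruleset do not drift apart.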
On Mon, 2010-08-09 at 15:29 +0000, Joseph L. Casale wrote:
>> http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal "Question about persistant IP bans over restart"
>> I think you need to adapt the example to CentOS/RH.
> Yeah, I saw that one and implemented it. I think I have to rewrite the action scripts my jails use. The odd part is the initial parsing behavior on a real restart such as a reboot: it parses the logs and only catches some of the total potential hosts that can trigger the ban. Prolly just a bug...
> Really, unless your ban time is shorter than your logrotate, or you configure it to read some of the rotated logs, there is a problem with maintaining the banlist on restarts if you don't do as the orig script does and delete the iptables rules when exiting. If the process sh!ts the bed you still have an issue which wouldn't get cleared up until the next restart, but with the parsing issue you're left with an incomplete ruleset :/
> Anyone know of a more elaborate app that does what fail2ban does but maintains a better state in between restarts?

Yeah, you seem to be right, as that is what I got also and threw it in the trash can.
I'm not telling you what to do, that is your business, but I say utilize what is in the OS itself to do it. You can do a shell script to go through the iptables logs and get the bad IPs, have it add them to iptables itself, then iptables-save. A lot less in size as compared to f2b also. Or block all networks like China, Japan, India and so on. Can get these from ICANN.
You're better off doing this at the core router level, as it can be done. As in blocking whole networks. Just thinking a buffer overflow could trigger a clean log of f2b IPs. I think it's the layering of complexity that will get you in the end. A lot of log writing will eventually kill the machine. Iptables can itself log at a rate of 100 - a burst of 150 TPS on a 10K Mirrored Array, bringing it to its knees. That is logging MulticastDNS.
John
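The "go through the iptables logs, pull the bad IPs and add them to iptables" approach from the reply above, as an added example written in Python rather than the shell script John suggests (this is not code from the thread): it parses constructed kernel LOG lines for their SRC= field, counts hits per source, refuses to ever list loopback or RFC 1918 space so a noisy LAN host cannot lock the admin out, widens the offenders to network blocks, and emits a fragment in iptables-save format. The chain name BLOCKLIST, the threshold, the /24 widening and the sample log lines are all assumptions.

```python
"""Turn iptables LOG lines into a block list and an iptables-restore fragment.

Added illustration (Python rather than a shell script; not code from the thread).
Assumptions: the kernel log carries the usual `SRC=` field, the chain name
BLOCKLIST is hypothetical, and the log lines below are constructed sample data.
"""
import ipaddress
import re
from collections import Counter

# Constructed kernel log lines of the kind an iptables LOG target produces.
SAMPLE_KERNEL_LOG = """\
Aug  9 00:12:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=43210 DPT=22 SYN
Aug  9 00:12:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=43211 DPT=22 SYN
Aug  9 00:12:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=43212 DPT=22 SYN
Aug  9 00:12:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
Aug  9 00:12:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=80 SYN
Aug  9 00:12:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=52001 DPT=80 SYN
Aug  9 00:12:07 gw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=52002 DPT=80 SYN
Aug  9 00:12:08 gw kernel: IN=eth1 OUT= SRC=192.168.1.4 DST=192.0.2.10 PROTO=TCP SPT=60000 DPT=22 SYN
Aug  9 00:12:09 gw kernel: IN=eth1 OUT= SRC=192.168.1.4 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=22 SYN
Aug  9 00:12:10 gw kernel: IN=eth1 OUT= SRC=192.168.1.4 DST=192.0.2.10 PROTO=TCP SPT=60002 DPT=22 SYN
"""

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")

# Never block loopback or RFC 1918 space: a noisy LAN host must not lock the admin out.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def offending_sources(log_text, threshold=3):
    """Count SRC= hits per address; return {address: hits} for those at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        if any(addr in net for net in NEVER_BLOCK):
            continue  # skip the internal host regardless of how noisy it is
        counts[str(addr)] += 1
    return {addr: n for addr, n in counts.items() if n >= threshold}


def aggregate_to_networks(addresses, prefix=24):
    """Widen each offending host to its enclosing /prefix network and dedupe."""
    return sorted({str(ipaddress.ip_network(f"{a}/{prefix}", strict=False)) for a in addresses})


def iptables_restore_fragment(networks, chain="BLOCKLIST"):
    """Emit a filter-table fragment in iptables-save format.

    Only the block-list chain is declared and filled; the one-time hook rule
    (e.g. `-A INPUT -j BLOCKLIST`) is added separately by the admin so that
    re-running this never duplicates it.  Load with `iptables-restore --noflush`
    so the rest of the filter table is left alone.
    """
    lines = ["*filter", f":{chain} - [0:0]"]
    lines += [f"-A {chain} -s {net} -j DROP" for net in networks]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = offending_sources(SAMPLE_KERNEL_LOG)
    print(iptables_restore_fragment(aggregate_to_networks(hits)), end="")
```

On the sample data 203.0.113.9 has a single hit and stays unlisted, 192.168.1.4 is skipped as internal despite three hits, and the two repeat offenders come out as 198.51.100.0/24 and 203.0.113.0/24. Widening to a /24 is the "ban the block" choice from the thread; set `prefix=32` to block only the individual hosts.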
On Mon, 2010-08-09 at 16:05 +0000, Joseph L. Casale wrote:
>> Or block all networks like China, Japan, India and so on. Can get these from ICANN.
> Actually, that might just be enough; I know this site won't need access from other than NA addresses, which is an easy rule to build permanently.

Plus when that fails you need a backup. So this is for Apache, yes/no? Iptables just went into cardiac arrest! Is currently getting nitroglycerin. Apache is still getting hammered?
John
On Mon, 2010-08-09 at 12:12 -0400, JohnS wrote:
> On Mon, 2010-08-09 at 16:05 +0000, Joseph L. Casale wrote:
>>> Or block all networks like China, Japan, India and so on. Can get these from ICANN.
>> Actually, that might just be enough; I know this site won't need access from other than NA addresses, which is an easy rule to build permanently.
> Plus when that fails you need a backup. So this is for Apache, yes/no? Iptables just went into cardiac arrest! Is currently getting nitroglycerin. Apache is still getting hammered?
> John

I meant to say IANA in my other reply but said ICANN; sorry for that. You don't need to report anyone yet. http://www.iana.org/numbers/
John