Two PCs:
1 - router 2 - logger
Situation: someone tries to bruteforce into a server, and the logger gets a log about it [e.g.: ssh login failed].
What's the best method to ban that IP [which is bruteforcing a server] that was logged on the logger? I need to ban the IP on the router PC.
How can I send the bad IP to the router, to ban it?
Just run a cronjob and e.g. scp the list of IPs from the logger to the router, then ban the IPs from the list on the router PC?
Or is there any "official" method for this?
I'm just asking for docs/howtos.. :\ to get started..
Thank you!
On Sat, Mar 20, 2010 at 5:17 PM, Vadkan Jozsef jozsi.avadkan@gmail.com wrote:
What's the best method to ban that IP [which is bruteforcing a server] that was logged on the logger? I need to ban the IP on the router PC.
http://www.fail2ban.org/wiki/index.php/Main_Page but you may have to run fail2ban on the server instead of on the logger.
kind regards/ldv
Larry Vaden wrote:
On Sat, Mar 20, 2010 at 5:17 PM, Vadkan Jozsef jozsi.avadkan@gmail.com wrote:
What's the best method to ban that IP [which is bruteforcing a server] that was logged on the logger? I need to ban the IP on the router PC.
http://www.fail2ban.org/wiki/index.php/Main_Page but you may have to run fail2ban on the server instead of on the logger.
kind regards/ldv
+1
you might also look at APF + BFD as it works as well. Both solutions are intended for the server and not for a remote host, however you could probably work around this with a small shell script.
This does beg the question, why are you wanting to ban the IPs on the router box as opposed to the machine being targeted? The whole point of a router is to route traffic, not enforce firewall policy. This would be better handled by a firewall of all things, be it a hardware appliance (ASA, PIX, Juniper HSC) or iptables on the machine itself. You might keep in mind that the more firewall rules you add to the router the slower the network will become as all packets have to be checked against all rules. Just my opinion ;)
On 3/20/2010 6:35 PM, Larry Brower wrote:
Larry Vaden wrote:
<snip>
+1
you might also look at APF + BFD as it works as well. Both solutions are intended for the server and not for a remote host, however you could probably work around this with a small shell script.
This does beg the question, why are you wanting to ban the IPs on the router box as opposed to the machine being targeted? The whole point of a router is to route traffic, not enforce firewall policy. This would be better handled by a firewall of all things, be it a hardware appliance (ASA, PIX, Juniper HSC) or iptables on the machine itself. You might keep in mind that the more firewall rules you add to the router the slower the network will become as all packets have to be checked against all rules. Just my opinion ;)
I'm rather fond of the apf + bfd [1] solution and use it regularly on RH and CentOS systems.
Both are available here but sadly no rpm(s) that I've found. Both are rather easy to deploy... the bfd part is simply a cron job telling bfd how frequently to scan for failed logins by service. Service level failed attempts are configurable... all in all a nice set of utilities.
HTH, -Ray
On Mar 22, 2010, at 12:04 PM, Ray Leventhal wrote:
I'm rather fond of the apf + bfd [1] solution and use it regularly on RH and CentOS systems.
Both are available here but sadly no rpm(s) that I've found.
apf is available from RPMforge for CentOS 5.
-steve
-- If this were played upon a stage now, I could condemn it as an improbable fiction. - Fabian, Twelfth Night, III,v http://five.sentenc.es
Larry Vaden wrote:
On Sat, Mar 20, 2010 at 5:17 PM, Vadkan Jozsef jozsi.avadkan@gmail.com wrote:
What's the best method to ban that IP [which is bruteforcing a server] that was logged on the logger? I need to ban the IP on the router PC.
http://www.fail2ban.org/wiki/index.php/Main_Page but you may have to run fail2ban on the server instead of on the logger.
Fail2ban is of limited effectiveness against ever more common distributed attacks. Don't make it your only line of defense but rather combine it with other effective measures:
On Sat, Mar 20, 2010 at 05:24:34PM -0500, Larry Vaden wrote:
On Sat, Mar 20, 2010 at 5:17 PM, Vadkan Jozsef jozsi.avadkan@gmail.com wrote:
What's the best method to ban that IP [which is bruteforcing a server] that was logged on the logger? I need to ban the IP on the router PC.
http://www.fail2ban.org/wiki/index.php/Main_Page but you may have to run fail2ban on the server instead of on the logger.
You can forward a copy of the syslog messages to the router and instruct fail2ban to act upon them instead of the default ssh log.
Mihai
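One way to put Mihai's suggestion together with the cron/scp idea from the original question, as an added example that is not code from anyone in this thread: the router reads the sshd lines the logger forwards to it, counts failed logins per source address, and prints the iptables rules to apply. The log lines, host name and addresses below are constructed, and the log path in the usage comment is an assumption.

```shell
#!/bin/sh
# Constructed sample of forwarded sshd syslog lines (hypothetical host/IPs).
SAMPLE_LOG='Mar 20 17:10:01 srv1 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 20 17:10:03 srv1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 20 17:10:05 srv1 sshd[2205]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar 20 17:11:00 srv1 sshd[2210]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Mar 20 17:11:30 srv1 sshd[2212]: Accepted password for bob from 198.51.100.7 port 40001 ssh2
Mar 20 17:12:00 srv1 sshd[2220]: Failed password for invalid user test from 203.0.113.9 port 39000 ssh2
Mar 20 17:12:01 srv1 sshd[2221]: Failed password for invalid user test from 203.0.113.9 port 39001 ssh2
Mar 20 17:12:02 srv1 sshd[2222]: Failed password for invalid user test from 203.0.113.9 port 39002 ssh2
Mar 20 17:12:03 srv1 sshd[2223]: Failed password for invalid user test from 203.0.113.9 port 39003 ssh2'

# offenders THRESHOLD < logfile
# Prints every source address with at least THRESHOLD failed sshd logins,
# one per line, sorted. Successful logins are ignored.
offenders() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for .* from .* port [0-9]+ ssh2$/ {
            # The line ends "from IP port N ssh2", so take the IP relative to
            # the end of the line. The user name earlier in the line is chosen
            # by the remote side and may itself contain the word "from".
            ip = $(NF-3)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) print ip }
    ' | sort
}

# ban_rules THRESHOLD < logfile
# Emits one iptables DROP rule per offender. The rules are printed rather
# than executed so they can be reviewed first or piped into sh from cron.
ban_rules() {
    offenders "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Usage on the router (assumed path of the forwarded log):
#   ./banlist.sh 3 /var/log/remote/sshd.log | sh
if [ -n "$1" ] && [ -n "$2" ]; then
    ban_rules "$1" < "$2"
fi
```

Something like `ipset` or a dedicated chain scales better than a growing list of INPUT rules, which is the point Larry Brower makes above about router performance.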
Mihai T. Lazarescu wrote:
On Sat, Mar 20, 2010 at 05:24:34PM -0500, Larry Vaden wrote:
On Sat, Mar 20, 2010 at 5:17 PM, Vadkan Jozsef jozsi.avadkan@gmail.com wrote:
What's the best method to ban that IP [which is bruteforcing a server] that was logged on the logger? I need to ban the IP on the router PC.
http://www.fail2ban.org/wiki/index.php/Main_Page but you may have to run fail2ban on the server instead of on the logger.
You can forward a copy of the syslog messages to the router and instruct fail2ban to act upon them instead of the default ssh log.
How about using a read-only NFS share of the log directory from the logger for fail2ban to read from the router?