Re: can we design a modified fail2ban ?

[Alessandro Vesely <vesely@tana.it>]

On 16/Apr/10 09:28, Jan Engelhardt wrote:
> On Friday 2010-04-16 05:57, J. Bakshi wrote:
>>
>>fail2ban is a popular application to prevent the brute-force attack
>>against ssh and also against imap, pop3 etc.. But fail2ban actually
>>blacklist the IP and this is what fail2ban has been designed for.
>>Now a days [nowadays] we can design the same with iptables.
>
> fail2ban has the ability - if I read its own short description right - to
> already use various blocking methods, including not only /etc/hosts.deny
> but also iptables.

I don't think it uses netfilter, though. I've read it has to restart a 
daemon in order to unlist an IP --not sure it's still so for the 
current version.

>>I wonder if iptables can
>>provide more liberty to match IP as well as port combination so that we
>>don't need to blacklist the IP but only block the attempts from the IP
>>based on port. Say more than 3 ssh attempt from IP xxx.xxx.xxx.xxx is
>>detected and no more ssh attempt from the same ip is no more possible
>>but pop and imap still works. Is it really possible with iptables ? Any
>>idea ?

The fail2ban doubts I mentioned above are the raison d'etre of ipqbdb. 
It matches IPs for responses, but it leaves it up to the sysadmin to 
configure iptables. For example, an admin may call the NFQUEUE rule 
only for ssh, so as to live pop3 and imap alone; or call NFQUEUE with 
a different queue-num for different services, so as to check client 
IPs against different (Berkeley) databases. Ipqbdb gives a random 
answer for, say, between 2 and 4 attempts, similar to the way stockade 
works. See http://en.wikipedia.org/wiki/Stockade_%28software%29 for a 
short description of such rate limiting approach, 
https://savannah.nongnu.org/projects/ipqbdb/ for ipqbdb itself.

If you are specifically interested in blocking ssh, follow the 
"DenyHosts" link from the "See also" section of that wikipedia page.