Re: can we design a modified fail2ban ?

["J. Bakshi" <joydeep@infoservices.in>]

On 04/17/2010 09:31 PM, Alessandro Vesely wrote:
> On 16/Apr/10 09:28, Jan Engelhardt wrote:
>> On Friday 2010-04-16 05:57, J. Bakshi wrote:
>>>
>>> fail2ban is a popular application to prevent the brute-force attack
>>> against ssh and also against imap, pop3 etc.. But fail2ban actually
>>> blacklist the IP and this is what fail2ban has been designed for.
>>> Now a days [nowadays] we can design the same with iptables.
>>
>> fail2ban has the ability - if I read its own short description right
>> - to
>> already use various blocking methods, including not only /etc/hosts.deny
>> but also iptables.
>
> I don't think it uses netfilter, though. I've read it has to restart a
> daemon in order to unlist an IP --not sure it's still so for the
> current version.
>
>>> I wonder if iptables can
>>> provide more liberty to match IP as well as port combination so that we
>>> don't need to blacklist the IP but only block the attempts from the IP
>>> based on port. Say more than 3 ssh attempt from IP xxx.xxx.xxx.xxx is
>>> detected and no more ssh attempt from the same ip is no more possible
>>> but pop and imap still works. Is it really possible with iptables ? Any
>>> idea ?
>
> The fail2ban doubts I mentioned above are the raison d'etre of ipqbdb.
> It matches IPs for responses, but it leaves it up to the sysadmin to
> configure iptables. For example, an admin may call the NFQUEUE rule
> only for ssh, so as to live pop3 and imap alone; or call NFQUEUE with
> a different queue-num for different services, so as to check client
> IPs against different (Berkeley) databases. Ipqbdb gives a random
> answer for, say, between 2 and 4 attempts, similar to the way stockade
> works. See http://en.wikipedia.org/wiki/Stockade_%28software%29 for a
> short description of such rate limiting approach,
> https://savannah.nongnu.org/projects/ipqbdb/ for ipqbdb itself.
>
> If you are specifically interested in blocking ssh, follow the
> "DenyHosts" link from the "See also" section of that wikipedia page.
> -- 
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>


Hello,

thanks to all of you for your ideas and discussion. I am thank-full to
Richard Horton, who has shown me a great way to design iptables rules
which can work like fail2ban; not only that it can be extended in many
different ways for different purposes. Based on his suggestion I have
made these rule sets and it works as expected, i.e blocking ssh overflow
but the other services i.e. apache, imap etc.. are still accessible.

````````````
# mark packets

iptables -A INPUT -p tcp -m hashlimit --hashlimit-above 2/min
--hashlimit-burst 2 --hashlimit-name hashlimit -m state --state NEW \
-m tcp --dport $SSH_PORT -j MARK --set-xmark 0x1/0xffffffff

# blacklisting interval
iptables -A INPUT -p tcp --dport $SSH_PORT -m recent --rcheck --seconds
60 --name sshoverflow --rsource -j DROP

# blacklist port only based on IP
iptables -A INPUT -p tcp --dport $SSH_PORT -m mark --mark 0x1 -m recent \
--set --name sshoverflow --rsource -j DROP

# accept others
iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -j ACCEPT

````````````

The only thing which is unusual here is the duration part. what ever
duration is defined here , practically becomes the double. I have tested
with *time* command with different values and every time I have found
that in practical duration becomes double than what is defined . Except
that the rule sets are working well.

Thanks

-- 

জয়দীপ বক্সী