On 16/Apr/10 09:28, Jan Engelhardt wrote:
On Friday 2010-04-16 05:57, J. Bakshi wrote:
fail2ban is a popular application to prevent the brute-force attack
against ssh and also against imap, pop3 etc.. But fail2ban actually
blacklist the IP and this is what fail2ban has been designed for.
Now a days [nowadays] we can design the same with iptables.
fail2ban has the ability - if I read its own short description right - to
already use various blocking methods, including not only /etc/hosts.deny
but also iptables.
I don't think it uses netfilter, though. I've read it has to restart a
daemon in order to unlist an IP --not sure it's still so for the
current version.
I wonder if iptables can
provide more liberty to match IP as well as port combination so that we
don't need to blacklist the IP but only block the attempts from the IP
based on port. Say more than 3 ssh attempt from IP xxx.xxx.xxx.xxx is
detected and no more ssh attempt from the same ip is no more possible
but pop and imap still works. Is it really possible with iptables ? Any
idea ?
The fail2ban doubts I mentioned above are the raison d'etre of ipqbdb.
It matches IPs for responses, but it leaves it up to the sysadmin to
configure iptables. For example, an admin may call the NFQUEUE rule
only for ssh, so as to live pop3 and imap alone; or call NFQUEUE with
a different queue-num for different services, so as to check client
IPs against different (Berkeley) databases. Ipqbdb gives a random
answer for, say, between 2 and 4 attempts, similar to the way stockade
works. See http://en.wikipedia.org/wiki/Stockade_%28software%29 for a
short description of such rate limiting approach,
https://savannah.nongnu.org/projects/ipqbdb/ for ipqbdb itself.
If you are specifically interested in blocking ssh, follow the
"DenyHosts" link from the "See also" section of that wikipedia page.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
