On Sat, Aug 27, 2016 at 10:46:31AM -0400, Gene Heskett wrote:
> Greetings all;
>
> Is there someone familiar with fail2ban here?

I'm not an expert, but I do run it myself.

> I just installed it and started it with the installation defaults,
> which I do not know since the init script has no "dump" option.

Look at the default config file:

    less /etc/fail2ban/fail2ban.conf

and the jail file:

    less /etc/fail2ban/jail.conf

> However that bit of hungry guard dog only protects this machine,
> leaving the other 4 or sometimes 5 on my local network still open.
>
> So specifically, is there a way to broadcast the rules it applies to
> the other 4 or 5 machines, protecting them at the same time?

The way I would do that would be to install fail2ban on each machine, and
then periodically rsync the relevant config files from one designated
"master" copy to the other machines. You can probably set that up as a
cron job.

Actually, that's not really how I would do it. How I really would do it
would be to ensure that only one machine is directly exposed to the
internet. Let's say I had four machines, "groucho", "harpo", "chico" and
"zeppo". Plus, of course, my modem/router has a firewall. So I would have:

(ASCII art best viewed in a fixed-width font, like Courier)

                 internet
                    |
                    |
         firewall (router/modem)
                    |
                    |
                 groucho
                    |
            +-------+-------+------------+
            |               |            |
          harpo           chico        zeppo

groucho, of course, also runs its own firewall, giving defence in depth:
even if the router firewall is compromised, the firewall on groucho gives
some additional security. harpo, chico and zeppo don't have any firewall
because they're all part of my trusted LAN. (You may not trust your LAN,
in which case by all means put firewalls on everything.)

Nothing can go directly from the internet to the inner LAN, so groucho is
the only machine that needs to run fail2ban. To SSH into chico, say, I
would SSH into groucho, then SSH into chico.

There's probably a clever way of doing that in a single step with ssh
tunnelling, but that's beyond my level of expertise, so I just do it with
two steps.

> Or possibly broadcast them to the router, which is running dd-wrt, and
> which is considered one of the more bulletproof reflash's about. I may
> be lucky, but since I do have a port forward to allow my web server,
> there is a potential attack point.

Does your router have a writable storage area? Apart from its own
configuration, of course?

--
Steve

---------------------------------------------------------------------
To unsubscribe, e-mail: trinity-users-unsubscribe@xxxxxxxxxxxxxxxxxxxxxxxxxx
For additional commands, e-mail: trinity-users-help@xxxxxxxxxxxxxxxxxxxxxxxxxx
Read list messages on the web archive: http://trinity-users.pearsoncomputing.net/
Please remember not to top-post: http://trinity.pearsoncomputing.net/mailing_lists/#top-posting
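The "rsync from a designated master" approach in Steve's reply, written out as an added example (editor's code, not from the thread or from the fail2ban project). It assumes the thread's hostnames (groucho as master, harpo/chico/zeppo as peers), ssh key access as root to each peer, and rsync plus fail2ban-client on every box. Two points the reply leaves implicit are made explicit: only the local overrides (jail.local, jail.d/, filter.d/, action.d/) are pushed, never the distribution files or fail2ban.conf, and each jail's logpath is checked before a reload, because a jail written for the master can name a log that a peer never writes.

```shell
#!/bin/sh
# Added example, not from the thread: push one "master" copy of the fail2ban
# overrides to the other machines and sanity-check the jails before reloading.
# Assumptions: hostnames from the thread, ssh key access as root to each peer,
# fail2ban-client on the peers, rsync on both ends.

MASTER_DIR="${MASTER_DIR:-/etc/fail2ban}"
PEERS="${PEERS:-harpo chico zeppo}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands (default), 0 = run them

# rsync command for one peer. Only local overrides travel: jail.local and the
# jail.d/, filter.d/, action.d/ trees. jail.conf and fail2ban.conf stay
# per-host (distribution files; fail2ban.conf holds socket and log paths).
# rsync protects files excluded on the receiver from --delete, so they survive.
rsync_cmd() {
  printf "rsync -az --delete -e ssh --include='jail.local' --include='jail.d/***' --include='filter.d/***' --include='action.d/***' --exclude='*' %s/ root@%s:%s/" \
    "$MASTER_DIR" "$1" "$MASTER_DIR"
}

# Reload command for one peer; reload re-reads the jails without dropping bans.
reload_cmd() {
  printf "ssh root@%s 'fail2ban-client reload && fail2ban-client status'" "$1"
}

# Count 'logpath = ...' entries in a jail file that name no existing file on
# this host. A jail whose logpath is absent cannot start, and a master config
# written for groucho may reference logs a peer never writes (a web server
# log on a box with no web server), so run this on each peer before reloading.
# Interpolated values such as %(sshd_log)s are skipped. Prints the count on
# stdout and the missing paths on stderr.
count_missing_logpaths() {
  file="$1"; missing=0
  # sed extracts the right-hand side; the unquoted expansion splits the
  # space-separated list fail2ban allows and expands any globs in it.
  for p in $(sed -n 's/^[[:space:]]*logpath[[:space:]]*=[[:space:]]*//p' "$file"); do
    case "$p" in "%("*) continue ;; esac
    if [ ! -e "$p" ]; then
      echo "missing logpath: $p" >&2
      missing=$((missing + 1))
    fi
  done
  echo "$missing"
}

# Check the master copy, then push to and reload each peer.
push_all() {
  if [ "$(count_missing_logpaths "$MASTER_DIR/jail.local")" != "0" ]; then
    echo "master jail.local references missing logs; fix before pushing" >&2
    return 1
  fi
  for peer in $PEERS; do
    echo "== $peer"
    if [ "$DRY_RUN" = "1" ]; then
      rsync_cmd "$peer"; echo
      reload_cmd "$peer"; echo
    else
      eval "$(rsync_cmd "$peer")" && eval "$(reload_cmd "$peer")"
    fi
  done
}

# Runs only as './sync-fail2ban.sh push'; sourcing the file just defines the functions.
if [ "${1:-}" = "push" ]; then
  push_all
fi
```

Run it once with the default DRY_RUN=1 to review the generated commands, then with DRY_RUN=0 from a cron entry on the master. Copy the script to each peer as well and run count_missing_logpaths there against the pushed jail.local, since the check is only meaningful on the host whose logs it inspects.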