Glenn English grabbed a keyboard and wrote:
>
> On Nov 18, 2012, at 2:00 PM, David Guntner wrote:
>> Assuming I could get a meaningful log entry with each bad attempt,
>> I could have fail2ban act - but that's still pretty useless since
>> as far as I understand it; telling iptables to DROP a given IP
>> address doesn't do anything to a connection that's already open.
>> Someone please feel free to correct me if my understanding on that
>> is not correct. :-)
>
> I use Linux and IPtables and fail2ban, and the way it seems to work
> here is: There's an IPtables rule that checks for and accepts
> established connection packets, but fail2ban inserts its block chain
> in front of that, at the very top of the Input chain. So a packet
> from a wayward IP is blocked/dropped if fail2ban doesn't like it,
> before the fact that this is an established connection is discovered.
> So if you had f2b watching for bad logins, I think you'd get exactly
> what you want, assuming you could get meaningful log entries. (I
> wrote my IPtables packet filter, though, so others are almost
> certainly different.)
Without seeing your config files, I have no idea how you have it set up.
I've been running it for years on my existing system and set it up
according to the instructions. Filters config files are set up for
particular ports like this, and fail2ban injects its own chains into the
main INPUT chain in iptables when it starts.
On that existing system, my iptables currently looks like this:
> # iptables --list
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> fail2ban-ftp tcp -- anywhere anywhere tcp dpt:ftp
> fail2ban-postfix tcp -- anywhere anywhere tcp dpt:smtp
> fail2ban-pop3 tcp -- anywhere anywhere tcp dpt:pop3
> fail2ban-imap tcp -- anywhere anywhere tcp dpt:imap2
> fail2ban-sasl tcp -- anywhere anywhere tcp dpt:smtp
> fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain fail2ban-SSH (1 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere
>
> Chain fail2ban-ftp (1 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere
>
> Chain fail2ban-imap (1 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere
>
> Chain fail2ban-pop3 (1 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere
>
> Chain fail2ban-postfix (1 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere
>
> Chain fail2ban-sasl (1 references)
> target prot opt source destination
> DROP all -- rrcs-50-84-168-222.sw.biz.rr.com anywhere
> DROP all -- firstt3.lnk.telstra.net anywhere
> DROP all -- wsip-24-249-159-209.tu.ok.cox.net anywhere
> DROP all -- 64.52.155.10 anywhere
> DROP all -- mail.ifsi.com anywhere
> DROP all -- c-98-211-191-10.hsd1.fl.comcast.net anywhere
> DROP all -- 23-25-216-129-static.hfc.comcastbusiness.net anywhere
> DROP all -- host18-100-static.241-95-b.business.telecomitalia.it anywhere
> DROP all -- static-149-136-145-212.ipcom.comunitel.net anywhere
> DROP all -- 173-162-251-81-NewEngland.hfc.comcastbusiness.net anywhere
> DROP all -- 9.Red-80-39-125.staticIP.rima-tde.net anywhere
> DROP all -- 74.11.126.243 anywhere
> DROP all -- adsl-068-213-103-027.sip.jan.bellsouth.net anywhere
> DROP all -- mail.jccyofrockland.org anywhere
> DROP all -- adsl-108-71-19-30.dsl.hstntx.sbcglobal.net anywhere
> DROP all -- 50.121.152.110 anywhere
> DROP all -- 208-53-75-36.static.chico.ca.digitalpath.net anywhere
> DROP all -- wsip-98-189-122-23.oc.oc.cox.net anywhere
> DROP all -- tollgate123.demon.co.uk anywhere
> DROP all -- static-31-84-61-95.ipcom.comunitel.net anywhere
> DROP all -- net-93-64-210-123.cust.dsl.vodafone.it anywhere
> DROP all -- 75-149-2-246-Pennsylvania.hfc.comcastbusiness.net anywhere
> DROP all -- 39.Red-79-144-62.dynamicIP.rima-tde.net anywhere
> DROP all -- mail2.servicesfuneraires.fr anywhere
> DROP all -- 75-151-109-166-Washington.hfc.comcastbusiness.net anywhere
> DROP all -- 72.Red-80-37-10.staticIP.rima-tde.net anywhere
> DROP all -- sacrtt6.lnk.telstra.net anywhere
> DROP all -- 70.43.109.131.nw.nuvox.net anywhere
> DROP all -- 74-84-111-214.client.mchsi.com anywhere
> DROP all -- rrcs-24-106-174-74.se.biz.rr.com anywhere
> DROP all -- 23-24-12-243-static.hfc.comcastbusiness.net anywhere
> DROP all -- CPE-120-146-193-153.static.vic.bigpond.net.au anywhere
> DROP all -- 216.1.42.19 anywhere
> DROP all -- static-50-39-90-242.bvtn.or.frontiernet.net anywhere
> DROP all -- mail.stratcoglobal.com anywhere
> DROP all -- 89-119-220-57-static.albacom.net anywhere
> DROP all -- ool-4b7fecc2.static.optonline.net anywhere
> DROP all -- 93-63-6-214.ip25.fastwebnet.it anywhere
> DROP all -- 66.64.240.218.nw.nuvox.net anywhere
> RETURN all -- anywhere anywhere
On a side note: Yea, for some reason, the last couple of days my system
has been a "let's try to break in via SASL" magnet. Since I don't
really use that, I finally decided to just turn that feature off in
Postfix for right now. The entries above will disappear with time as
they expire in fail2ban.
Anyway, the above demonstrates how it function: You will note that it
routes traffic through its various chains based on what port the
incoming traffic is going to (ftp, pop3, ssh, etc.), as shown by the
"dpt:" entries at the top. In the above example, the fail2ban-sasl
chain is filtering incoming traffic on the SMTP port through it.
There's a SASL filter rule that watches the syslog for a particular
string that identifies it as an invalid SASL login. When it sees the
number of attempts that it's configured to allow, it takes the IP
address information from that log entry and then sticks a DROP rule in
its fail2ban-sasl chain. But that is *only* controlling incoming
traffic on that one particular port. That IP address can connect via
any other port; it's only being blocked from port 25. I've tested this
behavior and can confirm that it works that way.
I realize that a lot of the above you probably already know about; I was
only illustrating that fail2ban doesn't just de facto block everything
when a filter rule is tripped. At least, not as set up "out of the
box." :-)
You may have noticed that there are two chains that are routing SMTP
traffic ("dpt:smtp") - that's 'cause I've got two filters that are
routing for monitoring two different items. If either of them trip;
port 25 will be blocked for a while. :-)
> OTOH, some of the bad attempts I get don't log the remote IP, so they
> aren't meaningful to f2b and don't get blocked...
Yup. :-)
--Dave
Attachment:
signature.asc
Description: OpenPGP digital signature