
Re: Fwd: iptables and networking

Jerry Stuckle <jstuckle@attglobal.net> writes:

>> <snipped previous context>
>
> OK, that makes a lot of sense.  However, there are two problems with
> fail2ban, also.  The first one is it requires an authentication failure.
> Port probing will not trigger it (but recent can).  The second being
> it depends on log entries, which can be buffered.  I have it monitoring
> my email (smtp/imap/pop3) ports.  Even though it is set to trigger after
> two failures, I have seen as many as 50+ failures logged from the same
> ip address within seconds before fail2ban is triggered.
>

To address your first problem with fail2ban, the sshd-ddos filter for
fail2ban does not require authentication failures.  sshd will log a
message of the form "Did not receive identification string from <IP>" if
someone makes a TCP connection and then disconnects without going
through the SSH handshake.

> I'm not so worried about SYN attacks from spoofed IP addresses as I am 
> attempts to break in (despite several security measures).  I want to 
> shut them off ASAP.
>
-- 
regards,
kushal
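A small fail2ban-style matcher run over constructed sshd log lines, added here as an illustration and not part of the thread or of fail2ban's own code. The two regexes are simplified stand-ins for the sshd and sshd-ddos filters (the "Did not receive identification string" message needs no authentication attempt), and the sample lines, the year, and the maxretry/findtime thresholds are assumed:

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified patterns modelled on fail2ban's sshd and sshd-ddos filters
# (written for this example, not copied from fail2ban's filter.d files).
FAILREGEX = [
    # sshd-ddos style: client connected and dropped without an SSH handshake
    re.compile(r"Did not receive identification string from (?P<host>\S+)"),
    # sshd style: a real authentication failure
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"),
]

# Constructed sample syslog lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar  3 10:00:01 mail sshd[1201]: Did not receive identification string from 198.51.100.7
Mar  3 10:00:02 mail sshd[1202]: Did not receive identification string from 198.51.100.7
Mar  3 10:00:03 mail sshd[1203]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Mar  3 10:00:04 mail sshd[1204]: Failed password for invalid user admin from 203.0.113.9 port 40010 ssh2
Mar  3 10:30:00 mail sshd[1205]: Failed password for root from 203.0.113.9 port 40011 ssh2
Mar  3 10:30:01 mail sshd[1206]: Did not receive identification string from 198.51.100.7
"""

def parse_time(line, year=2024):
    """Parse the syslog timestamp prefix ('Mar  3 10:00:01'); the year is assumed."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def find_offenders(log_text, maxretry=2, findtime=600):
    """Return {ip: hit_count} for hosts that reach maxretry matches within a
    findtime-second sliding window, the way fail2ban counts before banning."""
    hits = defaultdict(list)
    banned = {}
    for line in log_text.splitlines():
        for rx in FAILREGEX:
            m = rx.search(line)
            if not m:
                continue
            host, ts = m.group("host"), parse_time(line)
            # Drop events that fell out of the window, then record this one.
            hits[host] = [t for t in hits[host] if (ts - t).total_seconds() <= findtime]
            hits[host].append(ts)
            if len(hits[host]) >= maxretry:
                banned[host] = len(hits[host])
            break  # one match per line is enough
    return banned

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))
```

With the default 600-second window only 198.51.100.7 crosses the threshold; the two failures from 203.0.113.9 are 30 minutes apart and are only counted together when findtime is widened.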