Re: Fwd: iptables and networking

[Jerry Stuckle <jstuckle@attglobal.net>]

On 7/1/2013 2:15 AM, Kushal Kumaran wrote:
> Jerry Stuckle <jstuckle@attglobal.net> writes:
>
> > > <snipped previous context>
> >
> > OK, that makes a lot of sense.  However, there are two problems with
> > fail2ban, also.  The first one is it requires an authentication failure.
> >    Port probing will not trigger it (but recent can).  The second being
> > it depends on log entries, which can be buffered.  I have it monitoring
> > my email (smtp/imap/pop3) ports.  Even though it is set to trigger after
> > two failures, I have seen as many as 50+ failures logged from the same
> > ip address within seconds before fail2ban is triggered.
>
> To address your first problem with fail2ban, the sshd-ddos filter for
> fail2ban does not require authentication failures.  sshd will log a
> message of the form "Did not receive identification string from <IP>" if
> someone makes a TCP connection and then disconnects without going
> through the SSH handshake.

That's one message which can be logged (for SSH).  But the message (and 
where it is logged) is going to be dependent on the program/service 
running on the particular port (and sometimes the version of the 
program/service).

After all, SSH is not the only possible entry point.

> > I'm not so worried about SYN attacks from spoofed IP addresses as I am
> > attempts to break in (despite several security measures).  I want to
> > shut them off ASAP.