[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ale] Configuring iptables in Slack-12.0

John Mills wrote:
> ALErs -
> Naturally '/var/log/messages' reports the usual semi-continuous meteor 
> shower of brute-force login attempts. (One early rule will clearly be 
> dropping packets from a given IP after some small number of login failures 
> within a few seconds!)

If you haven't heard of it, check out Fail2ban.

"Fail2Ban's main function is to block selected IP addresses that may 
belong to hosts that are trying to breach the system's security. It 
determines the hosts to be blocked by monitoring log files (e.g. 
/var/log/pwdfail, /var/log/auth.log, etc) and bans any host IP that 
makes too many login attempts or performs any other unwanted action 
within a time frame defined by the administrator. Fail2ban is typically 
set up to unban a blocked host within a certain period, so as to not 
"lock out" any genuine connections that may have been temporarily 
misconfigured. However, an unban time of several minutes is usually 
enough to stop a network connection being flooded by malicious 
connections, as well as reducing the likelihood of a successful 
dictionary attack.

Fail2ban can perform multiple actions whenever an abusive IP is 
detected: update Netfilter/iptables firewall rules, or alternatively TCP 
Wrappers' hosts.deny table, to reject an abuser's IP address; email 
notifications; or any user-defined action that can be carried out by a 
Python script.

The standard configuration ships with filters for Apache, sshd, vsftpd, 
qmail, Postfix and Courier Mail Server. Filters are defined by Python 
regexes, which may be conveniently customised by an administrator 
familiar with regular expressions. A combination of a filter and an 
action is known as a "jail", and is thus what allows a malicious host to 
be blocked from accessing defined network services. As well as the 
examples that are distributed with the software, a "jail" may be created 
for any network-facing process that creates a log file of access attempts."