heard of this before but looking for some "getting started" docs. I want to know more about what it will actually do before I let it loose on stuff like iptables.
ok .. I guess Alex and Dan are not seeing each other's comments...
I was replying to the comment about "failtoban"
re crawlers and traffic .. yes they do make up a big proportion of traffic these days but not all crawlers are intentionally nasty.
..but any crawler behaving like this one is certainly up to no good...
fail2ban is a good tool against many external attacks. The only precondition is that the attack generates an error in a log, and that you are the admin of the firewall (or host.deny etc.). Which errors Fail2ban reacts to, you determine with simple rules. It is worthwhile in any case to deal with it, as many different web services can be secured with it.
On my system it has been running for 2 years. There are many predefined configs in which you uncomment (activate) your personal triggers. Special triggers/reactions are simple to construct.
Example:
"/var/log/messages" logs
Jul 1 02:49:24 lpmoeller sshd[9382]: Address 66.135.61.28 maps to cce-inc.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 1 02:49:26 lpmoeller sshd[9387]: Address 66.135.61.28 maps to cce-inc.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 1 02:49:27 lpmoeller sshd[9389]: Address 66.135.61.28 maps to cce-inc.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
and fail2ban produces
2012-07-01 02:49:29,191 fail2ban.actions: WARNING [ssh-iptables] Ban 66.135.61.28
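To make the "error in a log -> rule -> ban" chain above concrete, here is an added example, not the commenter's code and not fail2ban's own source, that re-implements the core of what a fail2ban jail does: a failregex-style pattern is run over the sshd lines quoted in the comment (embedded here as constructed sample input, with one unrelated cron line added to show it is ignored), hits per source address are counted inside a findtime window, and once maxretry is reached a ban is issued. The regex, the `maxretry`/`findtime` defaults, the `fail2ban-SSH` chain name and the `iptables ... -j DROP` command are assumptions for illustration; real fail2ban jails are configured in jail.conf/jail.local and the exact action command depends on the version and the action file in use. One point worth noticing: the pattern captures the numeric address and deliberately not the reverse-DNS name (`cce-inc.com`), because the PTR record is controlled by whoever owns that address space and is exactly the kind of attacker-influenced text a filter should never trust.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input: the sshd lines quoted in the comment above (syslog
# format, no year) plus one unrelated cron line that the filter must ignore.
SAMPLE_LOG = """\
Jul 1 02:49:24 lpmoeller sshd[9382]: Address 66.135.61.28 maps to cce-inc.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 1 02:49:25 lpmoeller cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jul 1 02:49:26 lpmoeller sshd[9387]: Address 66.135.61.28 maps to cce-inc.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 1 02:49:27 lpmoeller sshd[9389]: Address 66.135.61.28 maps to cce-inc.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
"""

# Hypothetical filter written in the spirit of a fail2ban failregex. fail2ban
# would substitute its <HOST> token here; we spell the IPv4 group out by hand
# and anchor the whole line so nothing attacker-controlled can widen the match.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Address (?P<host>\d{1,3}(?:\.\d{1,3}){3}) maps to \S+, "
    r"but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!$"
)


def parse_ts(ts, year):
    """Syslog timestamps carry no year; supply one (assumed 2012 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def scan(log_text, maxretry=3, findtime=600, year=2012):
    """Return [(ban_time, host), ...] in the order bans would be issued.

    maxretry failures from one host within findtime seconds trigger a ban,
    mirroring the two jail parameters of the same name in fail2ban.
    """
    hits = defaultdict(deque)  # host -> timestamps of recent matching failures
    banned = set()
    bans = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # not an error this filter cares about
        host = m.group("host")
        if host in banned:
            continue  # already banned, nothing more to do
        t = parse_ts(m.group("ts"), year)
        q = hits[host]
        q.append(t)
        # forget failures that fell out of the findtime window
        while q and (t - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
            bans.append((t, host))
            q.clear()
    return bans


def iptables_ban_command(host, chain="fail2ban-SSH"):
    """Assumed shape of the ban action for an ssh-iptables style jail:
    insert a DROP rule for the host into the jail's own chain."""
    return f"iptables -I {chain} 1 -s {host} -j DROP"


if __name__ == "__main__":
    for t, host in scan(SAMPLE_LOG):
        print(f"{t:%Y-%m-%d %H:%M:%S} fail2ban.actions: WARNING [ssh-iptables] Ban {host}")
        print("  ->", iptables_ban_command(host))
```

Running it bans 66.135.61.28 on the third matching line, which is the decision the quoted `fail2ban.actions: WARNING [ssh-iptables] Ban 66.135.61.28` entry records a couple of seconds later (the real daemon polls the log, hence the small delay). Before pointing anything like this at iptables, add your own management addresses to the jail's `ignoreip` list, or a typo in the regex can lock you out of your own host.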