From: Political Gateway <politicalgateway@gm...> - 2012-04-08 02:08:08
On 4/6/2012 9:45 PM, Yaroslav Halchenko wrote:
>> 1- is there a book that anyone wrote on this great program out there for
>> me to buy?
> not that I am aware of -- there is a bulk of information online though
> and in general fail2ban is quite simple ;-)
>> 2- If I use a different port for ssh, like 5454 I know fail2ban can help
>> with that, but what if I left port 22 open (but not let ssh listen to
>> it) but use fail2ban to ban anyone accessing it?
>> Perhaps open port 22 in iptables and then log any request from any ip
>> syn-log or whatever
>> Is that possible?
> yes ;-)
>> My reason is to kill script kiddies in their tracks.
>> I also have a virtual host machine with many VMs on it...If I open a few
>> ports on the host that I do not use, then I can ban ips on the host
>> machine, blocking them from even attempting to get to the VMs.
> yeah -- AFAIK it is an approach popular among some to catch and
> block such silly attacks, e.g. tripwire
> which I have used at some point. It should be quite simple to devise
> a simple action/jail which would set up such a tripwire chain which would
> log access to a selected collection of ports (otherwise unused) and
> trigger the ban.
> so we do not forget about this idea:
> contributions (pull requests) are very welcome!
Actually, looking into it more I think this might be simple... but I am
not an iptables expert.
I cannot test till Sunday, but here goes my logic
(not correct syntax, just logic):
New chain: findhacker
The findhacker chain opens/accepts at port 22,
then the chain logs the IP with a text message 'hacked port 22' into the logs,
then the chain drops port 22.
I feel this opens the port, accepts the IP address, then shuts itself
down. I imagine a limiter added somewhere to prevent abuse would be
great... and ta-da, it's fail2ban.
Not sure if this would work as my literacy in iptables is pretty shoddy,
but I don't see why not. And this can be done for other ports I am not
Doing this at the virtual host level will really stop a lot going into
the virtual machines too.
What do you think?
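As an added example (not part of this thread and not fail2ban's own code), the tripwire logic sketched in the message written out in Python: the findhacker chain as iptables commands, a fail2ban-style failregex for the kernel log lines the chain produces, and the maxretry/findtime decision a jail would make over them. The chain name and the 'hacked port 22' prefix come from the message; the ports, thresholds, IPv4-only host pattern, vmhost name and all log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Chain name and log prefix follow the sketch in the message; ports, thresholds,
# the filter regex and the sample log lines are assumptions made for this example.
CHAIN, LOG_PREFIX = "findhacker", "hacked port 22"

def tripwire_rules(ports, chain=CHAIN, prefix=LOG_PREFIX, burst=5):
    """iptables commands (returned as text, not executed): SYNs to otherwise unused
    ports enter one chain that logs them, rate-limited, and then drops them."""
    return [f"iptables -N {chain}",
            f"iptables -A {chain} -m limit --limit {burst}/min --limit-burst {burst}"
            f" -j LOG --log-prefix '{prefix}: '",
            f"iptables -A {chain} -j DROP",
            *[f"iptables -A INPUT -p tcp --syn --dport {p} -j {chain}" for p in ports]]

# fail2ban-style failregex; <HOST> (fail2ban's own placeholder) becomes an IPv4 pattern
FAILREGEX = rf"kernel: .*{LOG_PREFIX}: .*SRC=<HOST> .*PROTO=TCP .*SYN"
_LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*" +
                   FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

def tripwire_bans(log_lines, maxretry=3, findtime=600):
    """Hosts a jail would ban: maxretry matching SYNs from one source within
    findtime seconds. Lines must be in time order; non-matching ones are skipped."""
    hits, banned = defaultdict(deque), set()
    for m in filter(None, map(_LINE.search, log_lines)):
        t = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2012)  # no year in syslog
        q = hits[m["host"]]
        q.append(t)
        while t - q[0] > timedelta(seconds=findtime):  # drop hits outside the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(m["host"])
    return banned

def _kmsg(ts, src, dpt=22):  # constructed iptables LOG-target line
    return (f"{ts} vmhost kernel: [  880.1] {LOG_PREFIX}: IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT={dpt} SYN URGP=0")

SAMPLE_LOG = [  # constructed: a scanner, a single stray probe, a slow prober
    _kmsg("Apr  8 02:00:00", "203.0.113.9"),
    _kmsg("Apr  8 02:10:05", "203.0.113.5"),
    _kmsg("Apr  8 02:10:09", "203.0.113.5"),
    "Apr  8 02:10:20 vmhost kernel: [  895.0] eth0: link becomes ready",
    _kmsg("Apr  8 02:10:30", "203.0.113.5"),
    _kmsg("Apr  8 02:12:00", "198.51.100.7"),
    _kmsg("Apr  8 02:20:00", "203.0.113.9"),  # 20 min apart: never 3 within 600 s
    _kmsg("Apr  8 02:40:00", "203.0.113.9"),
]
```

With the defaults, tripwire_bans(SAMPLE_LOG) returns {'203.0.113.5'}: the slow prober and the single probe stay under maxretry within findtime, and the unrelated kernel line is ignored.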