From: Josu L. <jos...@gm...> - 2010-06-26 12:44:28

Hello everybody, I am new on this mailing list.

I have a Debian server on my LAN. I use fail2ban to block some illegal logins to SSH, web, etc. It works great. I block the IPs on the server. But is it possible to block those IPs on the router?

I use the OpenWRT OS on the router; it uses iptables and I can install shorewall. It would be great to send a message from the server to the router to block those IPs. Is that possible?

Thanks for all and best regards.

-- Josu Lazkano
From: Arturo 'B. B. <bu...@bu...> - 2010-06-26 12:51:13

On 06/26/2010 09:44 AM, Josu Lazkano wrote:
> I use the OpenWRT OS on the router; it uses iptables and I can install
> shorewall. It would be great to send a message from the server to the
> router to block those IPs. Is that possible?

I'm sure you could script it up somehow, yeah! Sounds like a fun project ;)

--
Arturo "Buanzo" Busleiman
Independent Linux and Security Consultant - OWASP - SANS - OISSG
http://www.buanzo.com.ar/pro/eng.html
From: Josu L. <jos...@gm...> - 2010-06-26 13:24:38

I am not an expert at scripting iptables; I just want to know if someone has a config like this.

Another option would be for the router to read the server logs, with fail2ban installed on the router, but I think the first option will be better.

Kind regards.

2010/6/26 Arturo 'Buanzo' Busleiman <bu...@bu...>:
> On 06/26/2010 09:44 AM, Josu Lazkano wrote:
>> I use the OpenWRT OS on the router; it uses iptables and I can install
>> shorewall. It would be great to send a message from the server to the
>> router to block those IPs. Is that possible?
>
> I'm sure you could script it up somehow, yeah! Sounds like a fun project ;)
>
> --
> Arturo "Buanzo" Busleiman
> Independent Linux and Security Consultant - OWASP - SANS - OISSG
> http://www.buanzo.com.ar/pro/eng.html
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

-- Josu Lazkano
From: René B. <rb...@ca...> - 2010-06-26 15:07:15

Josu Lazkano wrote:
> I am not an expert at scripting iptables; I just want to know if
> someone has a config like this.

I don't have a config like that, but it is very easy with the right tools: moBlock on the router, and you just have to synchronize a list of your banned IPs. The list would have to be in a special format, the one used by moBlock, which is very simple.

There are probably other tools like moBlock; that's the one I use with iptables on a Gentoo server.

-- René Berber
From: Laurent C. <lc...@un...> - 2010-06-26 21:01:35

On 26/06/2010 14:44, Josu Lazkano wrote:
> Hello everybody, I am new on this mailing list.
>
> I have a Debian server on my LAN. I use fail2ban to block some illegal
> logins to SSH, web, etc. It works great. I block the IPs on the
> server. But is it possible to block those IPs on the router?
>
> I use the OpenWRT OS on the router; it uses iptables and I can install
> shorewall. It would be great to send a message from the server to the
> router to block those IPs. Is that possible?
>
> Thanks for all and best regards.

Hi,

Create a new action based on iptables-multiport.conf.

Basically: ssh $host "iptables....."

Laurent
From: Josu L. <jos...@gm...> - 2010-06-26 21:19:22

Thanks!!! It looks very good, I will try it.

I will copy /etc/fail2ban/action.d/iptables-multiport.conf to /etc/fail2ban/action.d/iptables-multiport-remote.conf and change all the actions this way:

    actionban = iptables -I fail2ban-...
    actionban = ssh root@192.168.1.1 iptables -I fail2ban-...

I will configure the router to accept the connection with a certificate.

Thanks for all!!!

2010/6/26 Laurent CARON <lc...@un...>:
> On 26/06/2010 14:44, Josu Lazkano wrote:
>> Hello everybody, I am new on this mailing list.
>>
>> I have a Debian server on my LAN. I use fail2ban to block some illegal
>> logins to SSH, web, etc. It works great. I block the IPs on the
>> server. But is it possible to block those IPs on the router?
>>
>> I use the OpenWRT OS on the router; it uses iptables and I can install
>> shorewall. It would be great to send a message from the server to the
>> router to block those IPs. Is that possible?
>>
>> Thanks for all and best regards.
>
> Hi,
>
> Create a new action based on iptables-multiport.conf.
>
> Basically: ssh $host "iptables....."
>
> Laurent

-- Josu Lazkano
From: René B. <rb...@ca...> - 2010-06-26 21:31:56

Josu Lazkano wrote:
> It looks very good, I will try it.
>
> I will copy /etc/fail2ban/action.d/iptables-multiport.conf to
> /etc/fail2ban/action.d/iptables-multiport-remote.conf

You also need the initialization stuff in iptables.conf, i.e. you can't add rules before creating the iptables chain.

-- René Berber
From: Josu L. <jos...@gm...> - 2010-06-26 21:42:23

Sorry, I don't understand. If I configure this in /etc/fail2ban/jail.conf:

    banaction = iptables-multiport-remote

which files must I configure in /etc/fail2ban/action.d?

I am new to iptables; thanks for all your help.

Kind regards.

2010/6/26 René Berber <rb...@ca...>:
> Josu Lazkano wrote:
>
>> It looks very good, I will try it.
>>
>> I will copy /etc/fail2ban/action.d/iptables-multiport.conf to
>> /etc/fail2ban/action.d/iptables-multiport-remote.conf
>
> You also need the initialization stuff in iptables.conf, i.e. you can't
> add rules before creating the iptables chain.
> --
> René Berber

-- Josu Lazkano
From: René B. <rb...@ca...> - 2010-06-26 23:27:13

Josu Lazkano wrote:
> Sorry, I don't understand.
>
> If I configure this in /etc/fail2ban/jail.conf:
>
>     banaction = iptables-multiport-remote
>
> which files must I configure in /etc/fail2ban/action.d?

Only the one you pointed out. I was wrong: I didn't see that the initial configuration is included (I expected it to be general for all the iptables actions, but it's not).

actionstart and actionstop are the configurations I was thinking about. In your message you only mentioned actionban; to be clear, you need all of them (actionstart, actionstop, actioncheck, actionban, actionunban).

> I am new to iptables; thanks for all your help.
>
> Kind regards.
>
> 2010/6/26 René Berber <rb...@ca...>:
>> Josu Lazkano wrote:
>>
>>> It looks very good, I will try it.
>>>
>>> I will copy /etc/fail2ban/action.d/iptables-multiport.conf to
>>> /etc/fail2ban/action.d/iptables-multiport-remote.conf
>> You also need the initialization stuff in iptables.conf, i.e. you can't
>> add rules before creating the iptables chain.
>> --
>> René Berber

-- René Berber
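The two pieces the thread converges on, worked through as an added example (this is not code from the thread, from fail2ban, or from OpenWRT): an action.d file derived from iptables-multiport.conf in which all five commands (actionstart, actionstop, actioncheck, actionban, actionunban) run on the router over ssh, and a forced-command wrapper for the router side. The wrapper matters because a key that lets the server run "ssh root@router iptables ..." otherwise lets anyone who compromises the server run anything as root on the router. Assumed, and not from the thread: the router address 192.168.1.1, the key path /root/.ssh/fail2ban_router, the chain FORWARD (traffic to a LAN host passes the router's FORWARD chain rather than INPUT), and that the router's SSH daemon honours the command= and no-* options in authorized_keys (OpenSSH does; check the Dropbear version shipped with your OpenWRT build). actioncheck is changed from the stock "iptables -n -L <chain> | grep -q fail2ban-<name>" to listing the jail chain directly, which exits non-zero when the chain is missing and keeps every remote command a single, pipe-free shape the wrapper can match exactly.

```sh
#!/bin/sh
# Added example, not code from the thread or from fail2ban itself.
#  1. write_remote_action_file: writes an action.d file derived from
#     iptables-multiport.conf in which every command runs on the router via ssh.
#  2. fail2ban_cmd_allowed / fail2ban_gate: forced-command wrapper for the
#     router, so the server's key can only run the exact iptables commands the
#     action file generates, never an arbitrary command as root.
# Assumptions: router at 192.168.1.1, key /root/.ssh/fail2ban_router,
# LAN-server traffic traverses the router's FORWARD chain.

write_remote_action_file() {   # $1 = destination, e.g. /etc/fail2ban/action.d/iptables-multiport-remote.conf
    cat >"$1" <<'EOF'
# iptables-multiport-remote.conf: every command runs on <remote> through <sshcmd>.
[Definition]
actionstart = <sshcmd> <remote> "iptables -N fail2ban-<name>"
              <sshcmd> <remote> "iptables -A fail2ban-<name> -j RETURN"
              <sshcmd> <remote> "iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>"
actionstop = <sshcmd> <remote> "iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>"
             <sshcmd> <remote> "iptables -F fail2ban-<name>"
             <sshcmd> <remote> "iptables -X fail2ban-<name>"
# Listing the jail chain exits non-zero when it is missing; no pipe to grep,
# so the command keeps one fixed shape for the forced-command wrapper.
actioncheck = <sshcmd> <remote> "iptables -n -L fail2ban-<name>"
actionban = <sshcmd> <remote> "iptables -I fail2ban-<name> 1 -s <ip> -j DROP"
actionunban = <sshcmd> <remote> "iptables -D fail2ban-<name> -s <ip> -j DROP"

[Init]
name = default
port = ssh
protocol = tcp
# Packets for a LAN host pass the router's FORWARD chain, not INPUT (assumption).
chain = FORWARD
# BatchMode: never hang on a password prompt. The router's host key must already
# be in root's known_hosts on the server (connect once by hand to record it).
sshcmd = ssh -o BatchMode=yes -i /root/.ssh/fail2ban_router
remote = root@192.168.1.1
EOF
}

# ---- router side ------------------------------------------------------------
# Install this script on the router and pin the server's public key to it in
# /root/.ssh/authorized_keys (assumed daemon support for these options):
#   command="/root/fail2ban-gate.sh",no-port-forwarding,no-pty ssh-rsa AAAA... fail2ban@server

CHAIN_RE='fail2ban-[A-Za-z0-9_-]+'
IP_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'
PORTS_RE='[A-Za-z0-9,:-]+'          # "ssh", "80,443", "8000:8100"

# Exit 0 only if $1 is, byte for byte, one of the command shapes the action
# file produces. Anchored patterns leave no room for ';', '&&' or '$(...)'.
# The base chain is pinned to FORWARD on purpose: the key must never be able
# to touch INPUT or any chain not named fail2ban-*.
fail2ban_cmd_allowed() {
    printf '%s\n' "$1" | grep -Eq \
        -e "^iptables -N $CHAIN_RE\$" \
        -e "^iptables -A $CHAIN_RE -j RETURN\$" \
        -e "^iptables -I FORWARD -p (tcp|udp) -m multiport --dports $PORTS_RE -j $CHAIN_RE\$" \
        -e "^iptables -D FORWARD -p (tcp|udp) -m multiport --dports $PORTS_RE -j $CHAIN_RE\$" \
        -e "^iptables -F $CHAIN_RE\$" \
        -e "^iptables -X $CHAIN_RE\$" \
        -e "^iptables -n -L $CHAIN_RE\$" \
        -e "^iptables -I $CHAIN_RE 1 -s $IP_RE -j DROP\$" \
        -e "^iptables -D $CHAIN_RE -s $IP_RE -j DROP\$"
}

fail2ban_gate() {
    if fail2ban_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        # The string matched a fixed shape, so splitting it on spaces is safe.
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t fail2ban-gate "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
}

# Act as the gate only when the SSH daemon invoked us as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    fail2ban_gate
fi
```

To check the setup from the server as root: "ssh -i /root/.ssh/fail2ban_router root@192.168.1.1 'iptables -n -L fail2ban-ssh'" should either list the chain or fail with iptables' own error, while "ssh -i /root/.ssh/fail2ban_router root@192.168.1.1 id" must be rejected by the wrapper and show up in the router's syslog. If the second command prints a uid, the forced command is not in effect and the key is an unrestricted root login.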
From: Josu L. <jos...@gm...> - 2010-06-26 23:29:18

Ah! OK, perfect. I will try it next week. Thanks for all.

2010/6/27 René Berber <rb...@ca...>:
> Josu Lazkano wrote:
>
>> Sorry, I don't understand.
>>
>> If I configure this in /etc/fail2ban/jail.conf:
>>
>>     banaction = iptables-multiport-remote
>>
>> which files must I configure in /etc/fail2ban/action.d?
>
> Only the one you pointed out. I was wrong: I didn't see that the initial
> configuration is included (I expected it to be general for all the
> iptables actions, but it's not).
>
> actionstart and actionstop are the configurations I was thinking
> about. In your message you only mentioned actionban; to be clear, you
> need all of them (actionstart, actionstop, actioncheck, actionban,
> actionunban).
>
>> I am new to iptables; thanks for all your help.
>>
>> Kind regards.
>
> --
> René Berber

-- Josu Lazkano