From: Daniel B. <dan...@in...> - 2013-06-20 12:15:43
On 20/06/13 20:30, Fabian Wenk wrote:
> Hello Daniel
>
> On 18.06.2013 00:55, Daniel Black wrote:
>> On 17/06/13 19:14, Fabian Wenk wrote:
>> Thanks for this. I was thinking the same way when it was mentioned in
>> #252 so I created https://github.com/fail2ban/fail2ban/issues/257
>
> I just looked at #252, I did not realize that there is also
> TEST-NET-2 (198.51.100.0/24) and TEST-NET-3 (203.0.113.0/24) for
> the same purpose. They were not present in the old RFC-3330.
>
> With classless routing also 192.0.2.0/24 could be split into
> several subnets, e.g. in 4 parts with each 64 addresses:
> 192.0.2.0/26 (192.0.2.0 - 192.0.2.63), 192.0.2.64/26,
> 192.0.2.128/26 and 192.0.2.192/26
>
> But yes, maybe it is easier to spot things when also the first
> part of the IP address is different.

or the last.

> So also using the two other
> TEST-NET is useful in case of f2b.
>
>> Need to define a sets of:
>> * injection IPs that shouldn't be detected
>
> Which are be listed in ignoreip?

injection IPs are IPs in a form in a log file that have been injected by a user and shouldn't be detected. i.e. no such user=1.2.3.4

>
>> * fail IPs
>> * ban IPs
>
> What is the difference here? I guess 'ban IPs' does just depend
> on how many counts (think maxretry) of 'fail IPs' have happened
> during findtime.

yep. Looking at some way to autoparse a log and have a set of fail tickets and ban tickets and no injection ips.

>
> So I guess we only need 2 different subnets, or do I miss something?

not sure. haven't looked totally. see above.

>
> The only other thing I can think of, that the local system IP
> address is different from the range listed in ignoreip. In some
> log files also the local IP address is present.

good. keep thinking.

>> with the aim that once this convention is made we can run automated
>> tests over all the filters.
>>
>> If you've got time to make a pull request on this I'd be really grateful.
>
> Do I understand this right, there are 2 things to do? First
> define the purpose of the different IP address ranges and
> document it. And second to modify the files in the testcases sub
> folder accordingly?

yes.

>
> I think this is something I should be able to do, I will put it
> on to my ToDo list. So finally it is time that I should start
> learning to use git a little more than just searching /
> downloading stuff from github. :-)

great.
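
An added example, not part of the original message and not fail2ban code: a sketch of the kind of check the thread is aiming at, which extracts IPv4 addresses from test log lines, maps each to a role by its TEST-NET range, and flags addresses outside those ranges. The role-to-range mapping, the function names and the sample log lines are assumptions made for illustration; the thread had not yet settled on a convention.

```python
import ipaddress
import re

# Documentation ranges named in the thread (TEST-NET-1/2/3).
TEST_NETS = {
    "TEST-NET-1": ipaddress.ip_network("192.0.2.0/24"),
    "TEST-NET-2": ipaddress.ip_network("198.51.100.0/24"),
    "TEST-NET-3": ipaddress.ip_network("203.0.113.0/24"),
}
# Hypothetical role assignment (an assumption, not a fail2ban convention).
ROLES = {"TEST-NET-1": "fail", "TEST-NET-2": "ban", "TEST-NET-3": "injection"}

# Dotted quads not embedded in a longer number or dotted string.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def split_test_net_1():
    """The four /26 subnets of 192.0.2.0/24 mentioned in the thread."""
    return [str(n) for n in TEST_NETS["TEST-NET-1"].subnets(new_prefix=26)]

def classify(addr):
    """Return the role for addr, or None if it is outside all TEST-NETs."""
    ip = ipaddress.ip_address(addr)
    for name, net in TEST_NETS.items():
        if ip in net:
            return ROLES[name]
    return None

def audit(lines):
    """Map each IPv4 address found in lines to its role; collect strays."""
    roles, strays = {}, []
    for line in lines:
        for text in IPV4_RE.findall(line):
            try:
                role = classify(text)
            except ValueError:  # looks like a dotted quad but is not valid
                continue
            if role is None:
                strays.append(text)
            else:
                roles[text] = role
    return roles, strays

# Constructed sample log lines, not taken from fail2ban's testcases.
SAMPLE_LOG = [
    "sshd[101]: Failed password for root from 192.0.2.7 port 4242 ssh2",
    "sshd[102]: Failed password for root from 198.51.100.9 port 4243 ssh2",
    "sshd[103]: Invalid user user=203.0.113.5 from 192.0.2.7",
    "sshd[104]: Failed password for admin from 1.2.3.4 port 22 ssh2",
]

if __name__ == "__main__":
    print(split_test_net_1())
    print(audit(SAMPLE_LOG))
```

Run over a testcases directory, the `strays` list would show which sample logs still use addresses outside the documentation ranges.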