From: Vik K. <vip...@gm...> - 2014-04-02 17:19:37
My goal is not to get this committed to code-base. As I said before the
setup most likely needs refinement. I tested it and it works. I only
wanted to share it as a resource where it could be edited by others
which is why I just wanted to post it on wiki for others...
How can I get a wiki account?

Thanks

On Wed, Apr 2, 2014 at 12:49 PM, Tom Hendrikx <to...@wh...> wrote:

> The PR is ok, but the contents aren't (yet). The tests just make sure
> that it's easy to spot errors. Your PR seems to miss a log snippet
> that can be used to test if the jail actually works. Some
> documentation on how things should look like:
> https://github.com/fail2ban/fail2ban/blob/master/FILTERS
>
> If you run into issues, post the logs here, we'll help you. :)
>
> Tom
>
> On 02-04-14 17:33, Vik Killa wrote:
> > Looks like my pull request failed...lol this is why i prefer just
> > adding to wiki
> > https://travis-ci.org/fail2ban/fail2ban/builds/22111129
> >
> > On Wed, Apr 2, 2014 at 11:13 AM, Vik Killa <vip...@gm...> wrote:
> >
> > Sorry, I thought i was replying to list.... I just signed up for
> > github, i think i did it correctly...
> > https://github.com/fail2ban/fail2ban/pull/677
> >
> > Thanks
> >
> > On Wed, Apr 2, 2014 at 10:54 AM, Tom Hendrikx <to...@wh...> wrote:
> >
> > Hi Vik,
> >
> > please keep replies on-list...
> >
> > Just put it in github, it's easy to clean it up there. I'll take a
> > look at it when it's there. But a wiki is no coding platform :)
> >
> > Tom
> >
> > On 04/02/2014 04:48 PM, Vik Killa wrote:
> >> I think it could stand to be "cleaned up" as I am no expert with
> >> regex and fail2ban... I'd rather post it on wiki and have someone
> >> else push it to GIT after it's been a bit refined... Thanks
> >>
> >> On Wed, Apr 2, 2014 at 10:40 AM, Tom Hendrikx <to...@wh...> wrote:
> >>
> >> Hi,
> >>
> >> You should put the jail/config stuff in a github pull request I
> >> think. then everybody can actually use it:)
> >>
> >> Tom
> >>
> >> On 04/02/2014 04:36 PM, Vik Killa wrote:
> >>> new version of BIND has RRL for rate-limiting.
> >>> in any case, i've written a jail and configuration for bind9 that
> >>> protects against DDoS attacks. I'd like to post it on wiki. Can
> >>> someone help me with setting up an account on the fail2ban wiki?
> >>> Thanks
> >>>
> >>> On Tue, Jul 24, 2012 at 3:38 AM, Fabian Wenk <fa...@we...> wrote:
> >>>
> >>> Hello Yaroslav
> >>>
> >>> On 24.07.2012 00:57, Yaroslav Halchenko wrote:
> >>>> just for the sake of my own education: am I not correct that use
> >>>> of DNSSEC practically implies use of TCP due to large packet
> >>>> sizes, thus actually an additional difficulty of spoofing, thus
> >>>> such an attack would be actually more difficult to accomplish... ?
> >>>
> >>> I do not know such details about DNSSEC, but without DNSSEC the
> >>> DNS server does use TCP, if the answer is too large for one packet
> >>> (1500 bytes including IP headers). In this case the server asks
> >>> the resolver back through UDP to redo the request through TCP.
> >>> But currently there are too many possible requests through UDP
> >>> with just a small request, e.g. for ANY, which usually gives in
> >>> proportion a much larger (but less than 1500 byte) answer.
> >>>
> >>> About 3 years ago there was an attack with IN NS requests for the
> >>> . (root) zone, which BIND has answered, even when it was not
> >>> configured for recursion from the outside world. In this case the
> >>> request is very small, but the answer is quite large (but still
> >>> fits into one packet) with all the hostnames and IP addresses for
> >>> the root nameservers from a to m.
> >>>
> >>> If requests with a faked source IP address would be done from
> >>> many systems (a bot net) to a lot of non-involved DNS servers,
> >>> then the attacked IP address will get a lot more data traffic
> >>> with the answers from all these non-involved DNS servers. So it is
> >>> a good idea to detect such abuse and block it, so your DNS server
> >>> will not be part of this attack.
> >>>
> >>> It is very sad, that many ISPs do not implement best practice and
> >>> only allow outbound traffic with source IP address from their own
> >>> and customer IP ranges. If they would do it, such attacks would
> >>> not be possible, or at least limited to the same ISP.
> >>>
> >>> BIND does not have any kind of rate limiting, but probably this
> >>> is for good, as a lot of things will break when a DNS server does
> >>> not answer the requests from legitimate clients. The only thing
> >>> which safely could be blocked are DNS requests for IN ANY (use a
> >>> reasonable maxretry and short findtime), as there is no technical
> >>> reason for such requests. As far as I know, these are only manual
> >>> requests done by humans to debug a domain. Also blocking requests
> >>> for domains, for which your DNS server is not authoritative, is
> >>> safe to do. Use it also with a reasonable maxretry and short
> >>> findtime so that at least a few NX answers can get back.
> >>>
> >>>
> >>> bye
> >>> Fabian
> >>>
> >>> _______________________________________________
> >>> Fail2ban-users mailing list
> >>> Fai...@li...
> >>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
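
Added example, not part of the original thread and not the jail from the pull request: a Python sketch of the maxretry/findtime counting discussed above, applied to IN ANY queries and denied queries. The log line format, the sample lines and the function name are constructed assumptions; real BIND log formats differ between versions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of a BIND 9 query log (assumed format).
SAMPLE_LOG = """\
02-Apr-2014 10:00:01.100 client 198.51.100.7#4321 (example.org): query: example.org IN ANY +E (192.0.2.53)
02-Apr-2014 10:00:02.200 client 203.0.113.9#5000 (example.org): query: example.org IN ANY + (192.0.2.53)
02-Apr-2014 10:00:03.300 client 198.51.100.7#4322 (example.org): query: example.org IN ANY +E (192.0.2.53)
02-Apr-2014 10:00:04.000 client 192.0.2.200#1111: query (cache) './NS/IN' denied
02-Apr-2014 10:00:05.000 client 203.0.113.50#2222 (www.example.org): query: www.example.org IN A + (192.0.2.53)
02-Apr-2014 10:00:06.000 client 192.0.2.200#1112: query (cache) './NS/IN' denied
02-Apr-2014 10:00:09.500 client 198.51.100.7#4323 (example.org): query: example.org IN ANY +E (192.0.2.53)
02-Apr-2014 10:00:10.000 client 192.0.2.200#1113: query (cache) './NS/IN' denied
02-Apr-2014 10:05:30.000 client 203.0.113.9#5001 (example.org): query: example.org IN ANY + (192.0.2.53)
02-Apr-2014 10:05:31.000 client 203.0.113.9#5002 (example.org): query: example.org IN ANY + (192.0.2.53)
"""

# A "failure" is an IN ANY query or a query the server denied
# (for example a name it is not authoritative for).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<host>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"(?:query: \S+ IN ANY\b|query \(cache\) '[^']*' denied)"
)

def find_offenders(log_text, maxretry=3, findtime=60):
    """Return {ip: time of the hit that reached maxretry within findtime s}."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)   # per-source timestamps inside the window
    banned = {}
    for line in log_text.splitlines():   # assumes chronological order
        m = LINE_RE.match(line)
        if not m or m["host"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        q = hits[m["host"]]
        q.append(ts)
        while ts - q[0] > window:        # drop hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[m["host"]] = ts
    return banned

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(ip, "reached maxretry at", when)
```

With the defaults, 203.0.113.9 is not flagged: its three ANY queries are spread over more than findtime, which is the manual-debugging case the short findtime is meant to spare.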