#261 fail2ban support for RED

Next release
closed
nobody
5
2013-07-23
2005-12-23
Mike Ely
No

Hey,

fail2ban.sourceforge.net for details. I'm looking for
something that basically tells people trying to ssh
brute-force my ipcop box (or anything exposed to the
web from behind it) to take a flying leap. I use
fail2ban on my own webserver, and love it.

Thanks!

Discussion

  • Robert Kerr

    Robert Kerr - 2005-12-23

    Logged In: YES
    user_id=317036

    Sounds like a solution looking for a problem. By default
    IPCop's sshd is not exposed on red... if you do enable
    external access best practice would be to restrict it to
    certain IPs and not leave it open for all. Even if you had
    enabled external access with no restrictions, IPCop's sshd
    runs on port 222 whereas all the brute force scripts look
    for ssh on port 22. Have you ever seen a single attempt to
    brute force ssh on IPCop?

    The 'anything exposed to the web from behind it' idea might
    be worthwhile, but I'm not sure how it would be implemented.
    In order to block brute forces you need to know whether a
    login is successful or failed, which only the server in
    question can know. How would IPCop tell the difference
    between brute force attempts and legitimate connections?

     
  • Markus Hoffmann

    Markus Hoffmann - 2005-12-24

    Logged In: YES
    user_id=1319917

    I released fail2ban as an addon.

    Download and Info here:

    http://mh-lantech.css-hamburg.de/ipcop/download.php?view.133

     
  • Markus Hoffmann

    Markus Hoffmann - 2005-12-25

    Logged In: YES
    user_id=1319917

    The reason I released fail2ban is that it is exactly what I
    need for a guy with an internet cafe.

    He uses IPCop as firewall and has the problem that some
    people discovered the web interface and tried to log in.

    So he just whitelists his admin machine and is very lucky
    with this solution.

    fail2ban blocks an IP after you have entered the wrong
    password three times (could be changed to whatever you want)
    and I could not remember to have ever done this more than
    twice (after the second wrong try I normally look into my notices).

     
  • Mike Ely

    Mike Ely - 2005-12-25

    Logged In: YES
    user_id=237853

    Interesting, and thanks. Should help with some of the bad
    actors out there.

     
  • sebastian nielsen

    Logged In: YES
    user_id=722476

    It's better to require a wait time of approx. 20 seconds
    after each login attempt. This would mean one password try
    every 20 seconds.
    OR specify a rate a normal human would NEVER be able to
    reach. For example 70 passwords / minute. And then ban
    the "offending" IP for 4 weeks. (4 weeks because many ISPs
    change the IP of dynamic customers after the end of the month)
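
The two ban policies proposed in the comments above (block after three wrong passwords; ban for 4 weeks at 70 attempts per minute), run side by side over a constructed sshd log. This is an added example, not part of the thread and not fail2ban's own code; the log lines, addresses, function names, and the 10-minute window and 1-hour ban used for the three-strikes policy are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failure line as OpenSSH writes it to syslog; successful logins do not match.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def find_bans(lines, max_failures, window, ban_for, whitelist=(), year=2005):
    """Return {ip: ban expiry} for IPs reaching max_failures within window."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        stamp, ip = m.groups()
        if ip in whitelist or ip in bans:
            continue
        # syslog stamps carry no year, so one is supplied (assumption)
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()  # forget failures older than the window
        if len(q) >= max_failures:
            bans[ip] = when + ban_for
    return bans

def sample_log():
    """Constructed log: a script, a mistyping user, an admin, one good login."""
    fail = "Dec 25 10:{:02d}:{:02d} ipcop sshd[999]: Failed password for root from {} port 4000 ssh2"
    lines = [fail.format(0, i // 2, "203.0.113.9") for i in range(80)]   # 80 tries in 40 s
    lines += [fail.format(m, 0, "198.51.100.7") for m in (1, 3, 5)]      # 3 typos in 4 min
    lines += [fail.format(2, s, "192.0.2.10") for s in (0, 10, 20, 30)]  # admin machine
    lines.append("Dec 25 10:06:00 ipcop sshd[999]: Accepted password for root "
                 "from 198.51.100.7 port 4000 ssh2")
    return lines

# Three wrong passwords (the 10-minute window and 1-hour ban are assumptions)
def three_strikes(lines):
    return find_bans(lines, 3, timedelta(minutes=10), timedelta(hours=1),
                     whitelist={"192.0.2.10"})

# 70 failures per minute, banned for 4 weeks
def rate_limit(lines):
    return find_bans(lines, 70, timedelta(minutes=1), timedelta(weeks=4))

if __name__ == "__main__":
    for name, policy in (("three strikes", three_strikes), ("70/min", rate_limit)):
        print(name, policy(sample_log()))
```

On this sample the three-strikes policy also bans the user who mistyped three times, while the rate policy bans only the scripted source.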

     
  • Olaf Westrik

    Olaf Westrik - 2009-06-06

    rkerr> Sounds like a solution looking for a problem

    Exactly. Won't implement.

     
  • Olaf Westrik

    Olaf Westrik - 2009-06-06
    • status: open --> closed
     
  • Olaf Westrik

    Olaf Westrik - 2013-07-23
    • Group: Next Release (example) --> Next release
     
