On Nov 18, 2012, at 2:00 PM, David Guntner wrote:
> That's not what I want - I need a way to have it CLOSE the connection
> after {x} number of bad attempts (three is usually a good number). In
> other words (for example), you put in a bad username/password three
> times, and it closes the connection and logs it.
>
> Assuming I could get a meaningful log entry with each bad attempt, I
> could have fail2ban act - but that's still pretty useless since, as far
> as I understand it, telling iptables to DROP a given IP address doesn't
> do anything to a connection that's already open. Someone please feel
> free to correct me if my understanding on that is not correct. :-)
I use Linux and IPtables and fail2ban, and the way it seems to work here is:
There's an IPtables rule that checks for and accepts established connection
packets, but fail2ban inserts its block chain in front of that, at the very top
of the Input chain. So a packet from a wayward IP is blocked/dropped if
fail2ban doesn't like it, before the fact that this is an established
connection is discovered. So if you had f2b watching for bad logins, I think
you'd get exactly what you want, assuming you could get meaningful log entries.
(I wrote my IPtables packet filter, though, so others are almost certainly
different.)
OTOH, some of the bad attempts I get don't log the remote IP, so they aren't
meaningful to f2b and don't get blocked...
--
Glenn English
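The rule-ordering point above is easy to get wrong when rules are added by hand, so here is an added check (not from the thread, not fail2ban's own code) that takes the text of `iptables -S` and verifies that INPUT jumps to the fail2ban chain before it accepts RELATED,ESTABLISHED traffic. It assumes fail2ban's chain is named f2b-* (its default naming); both rulesets are constructed samples, not captured output.

```sh
#!/bin/sh
# Added example (not from the thread). Checks the point made above: fail2ban's
# jump must sit ABOVE the RELATED,ESTABLISHED accept rule in INPUT, otherwise a
# ban never touches packets of a connection that is already open.
# Assumptions: fail2ban's chain is named f2b-* (its default naming); the input is
# the text of `iptables -S`. Both samples below are constructed, not real output.

# Layout that does what the thread wants: the f2b jump is rule 1 of INPUT.
F2B_FIRST='-P INPUT DROP
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN'

# Broken layout: the f2b jump was appended (-A) instead of inserted (-I), so an
# established session from a banned IP is accepted before f2b-sshd is consulted.
ESTABLISHED_FIRST='-P INPUT DROP
-N f2b-sshd
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp --dport 22 -j ACCEPT
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN'

# Line number (within the ruleset text) of the first rule matching $2, or empty.
first_rule_line() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Succeeds (exit 0) only when INPUT jumps to an f2b-* chain before it accepts
# RELATED,ESTABLISHED traffic; fails if the order is wrong or a rule is missing.
check_f2b_order() {
    f2b_pos=$(first_rule_line "$1" '^-A INPUT .*-j f2b-')
    est_pos=$(first_rule_line "$1" '^-A INPUT .*ESTABLISHED.*-j ACCEPT')
    [ -n "$f2b_pos" ] && [ -n "$est_pos" ] && [ "$f2b_pos" -lt "$est_pos" ]
}

for name in F2B_FIRST ESTABLISHED_FIRST; do
    eval "rules=\$$name"
    if check_f2b_order "$rules"; then
        echo "$name: ok, bans also apply to open connections"
    else
        echo "$name: WARNING, ESTABLISHED accept precedes fail2ban chain"
    fi
done
# On a live host: check_f2b_order "$(iptables -S)" || echo "fix rule order"
```

A failing check means a banned address is still accepted by the ESTABLISHED rule until its session ends on its own, which is exactly the situation the original question worried about.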