Hello Denis,
This is a shot in the dark - I do not know what your users are connecting
to, or how they are authenticated.
However, in my experience, some dynamic I.P. addresses change rapidly
(changing in hours), while many persist for longer times (days, weeks, months).
If you can hook something like "sqlite" to your fail2ban configuration, you
might maintain a database of tuples (I.P. address + account name + the time
of the latest sighting), then consult that database for each connecting
address, and update user details in the database after authentication.
Old entries might be purged daily. Note that some addresses might have more
than one account name (e.g. two people sharing a home).
This should help to remove the need for arithmetic mentioned by Roman, since
many valid account names and known addresses should already be held, and a
query for the I.P. address could suggest a known authentic account name.
Most authentic users should usually gain access rapidly, with a low system load.
First-time users, some authentic users, and bogus users wait a little, with a
higher system load.
There may be an enhancement if the database tuples also include verdict,
being one of {unknown | good | bad}, enabling caching of bad sources, and
faster decisions.
Hoping this helps,
Graham
It was a tough school. Instead of a vaulting horse in the gym they had a
vaulting unicorn.
On Fri, 19 Aug 2022, Roman Pikalo via Fail2ban-users wrote:
Date: Fri, 19 Aug 2022 10:25:00
From: Roman Pikalo via Fail2ban-users <[email protected]>
Reply-To: Roman Pikalo <[email protected]>
To: Denis <[email protected]>
Cc: [email protected]
Subject: Re: [Fail2ban-users] Skip banning if user has good requests
Hi Denis,
> So I'm in searching some like IP reputation.
That idea crossed my mind so many times. But then you would have to process all your
"findings" with your reputation score logic
and then let fail2ban know what to do: ban or whitelist. With every
request you will be recalculating the score of all
the IPs that just sent a request. Under high load that might be an issue.
Also, implementing that kind of reputation scoring system might not be as
challenging as making sure it works as expected.
I think it will not take that much time for the attacker to figure out how to
make their way onto the good users list.
Have you tried looking (or adding if you can) in your logs something more
definitive and more specific to your application (eg.
http headers: filter by http_status/app_version/session_id etc)?
As in if you send a request without app_version header, or status is 444, or
session_id is missing then ban on first
appearance.
Bregs,
Roman
On Thu, Aug 18, 2022 at 8:00 PM Denis <[email protected]> wrote:
Hello.
Yes. Port knocking logic is very close to what I need.
Now I have a virtual-whitelist jail with actionban = ACCEPT
and failregex = good request.
So if a user makes a good request it is added to the whitelist, and for the next
bantime it will not be rejected.
But:
The user is in fact added to 2 ipsets (whitelist and ban jail).
My whitelist is awfully big (because every good user is in it).
The f2b log has a lot of "already banned" lines (because a user allowed by the
whitelist can still send bad requests).
So I'm searching for something like IP reputation.
IP req matched 2 times as fail, and 5 times as good. Sum is +3. OK.
IP req matched 10 times as fail and 0 as good. Sum -10. Ban.
Thu, 18 Aug 2022, 19:23 Philip Clarke <[email protected]>:
Have you considered doing port knocking for your users? They point web
browser to a location, it registers the
request, that ip is given a pass for fail2ban or iptables. A simple
listening script would suffice, either
implementing an “Unban” if locked out or possibly some genius with
iptables could skip the whole thing and
code it in a one liner :)
On 18 Aug 2022, at 10:33, Denis <[email protected]> wrote:
Hello.
Unfortunately users have dynamic IPs and there are a lot of users. I can't
manually add every one.
On 16.08.2022 23:39, Roman Pikalo wrote:
One of the options would be to use "ignoreip" in your jail configuration to
ignore certain IPs or
even subnets. Of course that means that you have to have that IP list.
-----
Roman
On Mon, Aug 15, 2022 at 11:04 AM Denis <[email protected]> wrote:
Hello.
I configured f2b with a strict enough policy.
Some normal users can be banned with a false positive.
Is it possible to skip banning if a user has good requests within findtime?
(not lines matching ignoreregex, but adding an IP's reputation)
Or decrease an IP's bad count if it gets a good request? (goodregex?)
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
[--- snipped ---]
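Added example for the thread above (not code from the thread, and not fail2ban's own): a small Python model of the scheme Denis sketches (good requests offset bad ones within findtime, ban when the sum drops to a threshold) combined with Graham's SQLite table of (IP address, account name, last sighting, verdict) that is consulted per connection and purged daily. The combined-log line format, the status-code classes, the 10-minute findtime, the ban threshold of -5, the one-day retention and the rule that only authenticated successes earn credit (a hedge against Roman's point that attackers will try to get onto the good list) are all assumptions for illustration, and the log lines are constructed.

```python
import re
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed combined-log format and thresholds (illustration, not fail2ban's own).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
FINDTIME = timedelta(minutes=10)   # sliding window, like fail2ban's findtime
BAN_SCORE = -5                     # ban once (good - bad) within FINDTIME <= -5
RETENTION = timedelta(days=1)      # Graham's daily purge of the sightings table
GOOD_STATUS = {200, 201, 204}
BAD_STATUS = {401, 403, 404, 444}

# Constructed sample lines (documentation address ranges, not real traffic):
# 203.0.113.10 is alice, 2 failures and 5 good requests; 198.51.100.7 is a
# scanner with 10 failures; 192.0.2.5 is anonymous, 1 good and 1 failure.
SAMPLE_LOG = "\n".join(
    ['203.0.113.10 - - [19/Aug/2022:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 0',
     '203.0.113.10 - alice [19/Aug/2022:10:00:02 +0000] "GET /api/items HTTP/1.1" 200 512',
     '203.0.113.10 - alice [19/Aug/2022:10:00:03 +0000] "GET /api/items/7 HTTP/1.1" 200 128',
     '203.0.113.10 - alice [19/Aug/2022:10:00:04 +0000] "POST /api/items HTTP/1.1" 201 64',
     '203.0.113.10 - alice [19/Aug/2022:10:00:05 +0000] "GET /api/items/8 HTTP/1.1" 404 0',
     '203.0.113.10 - alice [19/Aug/2022:10:00:06 +0000] "GET /api/items HTTP/1.1" 200 512',
     '203.0.113.10 - alice [19/Aug/2022:10:00:07 +0000] "GET /api/me HTTP/1.1" 200 96']
    + [f'198.51.100.7 - - [19/Aug/2022:10:01:{i:02d} +0000] "GET /probe{i} HTTP/1.1" 404 0'
       for i in range(10)]
    + ['192.0.2.5 - - [19/Aug/2022:10:02:00 +0000] "GET /api/items HTTP/1.1" 200 512',
       '192.0.2.5 - - [19/Aug/2022:10:02:01 +0000] "GET /admin HTTP/1.1" 403 0'])


def parse_ts(text):
    return datetime.strptime(text, TS_FMT)


def parse_line(line):
    """Return (ip, account or None, timestamp, status), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    user = None if m["user"] == "-" else m["user"]
    return m["ip"], user, parse_ts(m["ts"]), int(m["status"])


class Reputation:
    """Per-IP score over FINDTIME plus an SQLite cache of (ip, account, last_seen, verdict)."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS sightings ("
            " ip TEXT NOT NULL, account TEXT NOT NULL, last_seen TEXT NOT NULL,"
            " verdict TEXT NOT NULL CHECK (verdict IN ('unknown', 'good', 'bad')),"
            " PRIMARY KEY (ip, account))")
        self.window = defaultdict(list)  # ip -> [(timestamp, +1 or -1)]

    def _remember(self, ip, account, ts, verdict):
        self.db.execute("INSERT OR REPLACE INTO sightings VALUES (?, ?, ?, ?)",
                        (ip, account or "-", ts.isoformat(), verdict))

    def cached_verdict(self, ip):
        """Cheap per-connection lookup: a cached 'bad' wins, then 'good', else 'unknown'."""
        seen = {v for (v,) in self.db.execute(
            "SELECT verdict FROM sightings WHERE ip = ?", (ip,))}
        return "bad" if "bad" in seen else "good" if "good" in seen else "unknown"

    def score(self, ip, now):
        """Good minus bad requests from ip within the last FINDTIME (older ones dropped)."""
        self.window[ip] = [(t, d) for t, d in self.window[ip] if now - t <= FINDTIME]
        return sum(d for _, d in self.window[ip])

    def observe(self, ip, account, ts, status):
        if status in BAD_STATUS:
            self.window[ip].append((ts, -1))
        elif status in GOOD_STATUS and account:
            # Only authenticated successes earn credit: anonymous 200s would let a
            # scanner buy its way onto the good list (Roman's objection).
            self.window[ip].append((ts, +1))
            self._remember(ip, account, ts, "good")
        if self.score(ip, ts) <= BAN_SCORE:
            self._remember(ip, account, ts, "bad")  # cache the bad source
        return self.verdict(ip, ts)

    def verdict(self, ip, now):
        return "bad" if self.score(ip, now) <= BAN_SCORE else self.cached_verdict(ip)

    def purge(self, now):
        """Drop sightings older than RETENTION; ISO timestamps in one zone sort as text."""
        cutoff = (now - RETENTION).isoformat()
        return self.db.execute("DELETE FROM sightings WHERE last_seen < ?", (cutoff,)).rowcount


def run(lines):
    """Feed log lines through Reputation; return it and {ip: (verdict, score)} at last sighting."""
    rep, result = Reputation(), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, account, ts, status = parsed
            result[ip] = (rep.observe(ip, account, ts, status), rep.score(ip, ts))
    return rep, result


if __name__ == "__main__":
    rep, result = run(SAMPLE_LOG.splitlines())
    for ip, (verdict, score) in result.items():
        print(f"{ip:<14} score={score:+d} verdict={verdict}")
    print("purged", rep.purge(parse_ts("21/Aug/2022:00:00:00 +0000")), "stale rows")
```

On the constructed sample, alice's address ends at +3 and "good" (her two 404s are outweighed by five authenticated successes), the scanner reaches -5 on its fifth probe, is cached as "bad" and ends at -10, and the anonymous address stays "unknown" at -1 because its single 200 was unauthenticated and so earned no credit. The two cached rows disappear on the next day's purge. Hooking this into fail2ban itself would still need a jail whose action consults the verdict, which this example does not provide.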