From: Kerin Millar <kerframil@gmail.com>
To: gentoo-server@lists.gentoo.org
Subject: Re: [gentoo-server] iptables && fail2ban
Date: Sat, 1 Aug 2009 10:53:15 +0100 [thread overview]
Message-ID: <279fbba40908010253p11603234x627e90407f0eacf9@mail.gmail.com> (raw)
In-Reply-To: <4A7559A4.4090400@gmail.com>
2009/8/2 mrfroasty <mrfroasty@gmail.com>:
> Hello,
>
> I have set up iptables and fail2ban, but I am curious that this line of
> defense seems not to work and ban me if I do this:
> #wget ftp://mysql:xxxx@fileserver
>
> I have seen a script kiddie doing that and the firewall just didn't respond to
> him, or at least not on the logs, that he had been banned when he tried that.
> The firewall does ban or respond if I do this:
> #wget ftp://foo:pass@fileserver
>
> Probably he could have been banned if he used a different user, but not
> mysql... I am confused... any clue? :-D
You haven't provided any pertinent background information (ftp daemon
in use, log message which is expected to trigger action, details of
the fail2ban filter and so forth), which makes it rather difficult to
take a view. My guess is that the particular filter you are using
contains a regex which matches log messages from the daemon which
convey only an invalid user, rather than an authentication failure in
general. If so, you would need to adjust the filter - or add an
additional one - so as to cover both cases.
As a side note, do be careful when crafting the regular expressions
that form the basis of the filter. The slightest mistake can
potentially result in the tool being open to attack itself via log
injection. For more information on this topic, search for
"attacking-loganalysis.html" via Google and view the cached copy; the
original article seems to have disappeared from the ossec.net site.
Cheers,
--Kerin
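The two points in the reply above, as an added example that is not part of the original thread and not fail2ban's own code: a filter whose only regex matches the "unknown user" message never counts password failures for an existing account such as mysql, and a regex that is not anchored to the end of the line can be fed a forged source address through the attacker-controlled username. The log format, the regexes and the ban threshold are all constructed for illustration; no real FTP daemon is being quoted, and fail2ban's `failregex` syntax (which spells the address capture as `<HOST>`) is imitated here with a named group.

```python
import re
from collections import Counter

# Constructed log lines in a hypothetical FTP daemon's syslog style; not taken
# from any real daemon. 198.51.100.7 tries to get 192.0.2.1 banned by logging in
# with the username  foo' from 192.0.2.1  so that the line contains a fake host.
LOG = """\
Aug  1 10:40:01 fileserver ftpd[2231]: Unknown user 'foo' from 203.0.113.5
Aug  1 10:40:02 fileserver ftpd[2231]: Authentication failed for user 'mysql' from 203.0.113.5
Aug  1 10:40:03 fileserver ftpd[2231]: Authentication failed for user 'mysql' from 203.0.113.5
Aug  1 10:40:05 fileserver ftpd[2231]: Unknown user 'foo' from 192.0.2.1' from 198.51.100.7
Aug  1 10:40:06 fileserver ftpd[2231]: Login successful for user 'mysql' from 10.0.0.8
Aug  1 10:40:07 fileserver ftpd[2231]: Unknown user 'bar' from 192.0.2.1' from 198.51.100.7
"""

# Stand-in for fail2ban's <HOST> placeholder (hypothetical spelling, IPv4 only).
IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Narrow filter, as the reply suspects: only the invalid-user message, and the
# pattern is not anchored, so the first "' from <ip>" in the line wins.
NARROW = [
    re.compile(r"Unknown user '.*?' from " + IPV4),
]

# Hardened filter: one regex per failure message the daemon emits, each
# anchored with $ so the host is the last address on the line, i.e. the one the
# daemon wrote rather than one smuggled in through the username.
BROAD = [
    re.compile(r"Unknown user '.*?' from " + IPV4 + r"$"),
    re.compile(r"Authentication failed for user '.*?' from " + IPV4 + r"$"),
]


def failures_per_host(log: str, patterns) -> Counter:
    """Apply the filter regexes to each line and count matches per extracted host."""
    counts = Counter()
    for line in log.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                counts[m.group("host")] += 1
                break  # one failure per line, whichever regex matched first
    return counts


def banned(log: str, patterns, maxretry: int = 2) -> list:
    """Hosts that reached the (toy) maxretry threshold under the given filter."""
    return sorted(h for h, n in failures_per_host(log, patterns).items() if n >= maxretry)


if __name__ == "__main__":
    print("narrow filter bans:", banned(LOG, NARROW))  # the forged victim only
    print("broad filter bans: ", banned(LOG, BROAD))   # the two real offenders
```

With the narrow filter the mysql brute force from 203.0.113.5 is counted once (its unknown-user probe) and never reaches the threshold, while the innocent 192.0.2.1 is banned on the strength of two forged lines. The broad, anchored filter counts all three failures from 203.0.113.5 and attributes the forged lines to 198.51.100.7. Trailing whitespace or a message suffix after the address would break the `$` anchor, so check the daemon's exact log format before relying on it.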