From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sat, 1 Aug 2009 10:53:15 +0100
From: Kerin Millar
To: gentoo-server@lists.gentoo.org
Subject: Re: [gentoo-server] iptables && fail2ban
Message-ID: <279fbba40908010253p11603234x627e90407f0eacf9@mail.gmail.com>
In-Reply-To: <4A7559A4.4090400@gmail.com>
References: <10114659.21222086363221.JavaMail.gibbonsr@twix.insanity5902.no-ip.org> <4A7559A4.4090400@gmail.com>
List-Id: Gentoo Linux mail

2009/8/2 mrfroasty :
> Hello,
>
> I have set up iptables and fail2ban, but I am curious that this line of
> defense seems not to work and ban me if I do this:
> #wget ftp://mysql:xxxx@fileserver
>
> I have seen a script kiddie doing that and the firewall just didn't respond to
> him, or at least not in the logs that he had been banned when he tried that.
> The firewall does ban or respond if I do this:
> #wget ftp://foo:pass@fileserver
>
> Probably he could have been banned if he used a different user, but not
> mysql... I am confused... any clue? :-D

You haven't provided any pertinent background information (ftp daemon in use, log message which is expected to trigger action, details of the fail2ban filter and so forth), which makes it rather difficult to take a view.

My guess is that the particular filter you are using contains a regex which matches log messages from the daemon which convey only an invalid user, rather than an authentication failure in general. If so, you would need to adjust the filter - or add an additional one - so as to cover both cases.

As a side note, do be careful when crafting the regular expressions that form the basis of the filter. The slightest mistake can potentially result in the tool being open to attack itself via log injection. For more information on this topic, search for "attacking-loganalysis.html" via Google and view the cached copy; the original article seems to have disappeared from the ossec.net site.

Cheers,

--Kerin
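An added example, not part of the thread or of fail2ban itself, that checks the two points Kerin raises: a filter that only matches "invalid user" lines misses the failed login for the valid `mysql` account, and an unanchored regex can be steered by a username that mimics a log message. The log lines and the `ftpd` message format are constructed assumptions; the example assumes the daemon echoes the username verbatim and always writes the real client address last on the line.

```python
import re

# Constructed sample log lines in an assumed generic FTP-daemon format
# (not any real daemon's). The username is echoed verbatim; the real
# client address is always the last thing the daemon writes.
LOG_LINES = [
    "Aug  1 09:50:01 fileserver ftpd[1201]: Invalid user foo from 203.0.113.5",
    "Aug  1 09:50:02 fileserver ftpd[1202]: Authentication failed for user mysql from 203.0.113.5",
    # username deliberately shaped like a log message of its own
    "Aug  1 09:50:03 fileserver ftpd[1203]: Invalid user Invalid user admin from 192.0.2.1 from 203.0.113.5",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Narrow filter: only invalid users, unanchored, so the host is taken from
# the first plausible "... from <ip>" fragment anywhere in the line.
NARROW_FILTERS = [re.compile(r"Invalid user \S+ from (?P<host>" + IPV4 + r")")]

# Broader filter: covers both failure messages, anchored to the daemon
# prefix and to end of line. The greedy user group makes <host> bind to
# the address the daemon appended last, not to text inside the username.
HARDENED_FILTERS = [
    re.compile(r"ftpd\[\d+\]: Invalid user .+ from (?P<host>" + IPV4 + r")$"),
    re.compile(r"ftpd\[\d+\]: Authentication failed for user .+ from (?P<host>" + IPV4 + r")$"),
]


def offending_hosts(lines, filters):
    """For each line, return the host a fail2ban-style filter would ban,
    or None when no filter matches."""
    hosts = []
    for line in lines:
        host = None
        for rx in filters:
            m = rx.search(line)
            if m:
                host = m.group("host")
                break
        hosts.append(host)
    return hosts


if __name__ == "__main__":
    for name, filters in (("narrow", NARROW_FILTERS), ("hardened", HARDENED_FILTERS)):
        print(name, offending_hosts(LOG_LINES, filters))
```

With the narrow filter the `mysql` line is ignored and the third line bans the spoofed 192.0.2.1; the hardened filter bans 203.0.113.5 for all three.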