Posted on Thu 25 September 2014

fail2ban and the repeat offender

An IP address does not identify a person. It does not reliably identify a computer. It does identify an organization, but that’s rather nebulous.

But in the short term, when someone on the internet is poking at your systems and trying to get in – and that’s happening right now, to you, and to everyone else – the source IP address does represent something. Think of it as a temporary alias for a bad guy.

fail2ban – is a daemon that watches your logs for failed attempts to get in. Then it inserts firewall rules to block those IP addresses for a short period of time, usually minutes to days. It’s complex (bad) and depends on regexps, which are easy to screw up.

Now you have two problems from XKCD #1171

For certain situations, fail2ban is an approximation of the best that can be done. What situations? Well, if you have a network service that you want to offer to the public at large, or to specific people but you can’t nail down the IP addresses they will be coming from, and you also want to avoid letting Mallory guess your passwords by brute force.

You might also consider using fail2ban if you have a well-secured service like ssh with required key authentication, and you just want to make the automatic harassment attempts stop. (It would be nice if sshd came with an option to signal a client that only keys are allowed, but that would probably signal other things that would harm the net as a whole.)

In any case, fail2ban is short-term. What do you do for an IP address that comes and knocks on all your doors and windows persistently?

(If you’re me, you write an email to the organization that controls the IP address in question. Most ISPs will listen to complaints with log excerpts. Those that won’t, I stop telling them.)

There is a simple config for fail2ban that searches through your logs for repeat offenders and institutes a longer ban. You don’t want to replace your short-term bans with this, it’s a supplement.

I’m not sure a one year ban is a great idea, even for an IP address that gets banned 21 times, but a month to three months seems plausible.

There’s also mass IP banning, in which you decide that there’s nobody in Vietnam or Thailand or Austria or whatever who will legitimately access your service, so you whack everything coming from IPs registered to that country. It’s not a very friendly thing to do, but you might have justfications. Beware if you ever travel to those places, though – you will probably not remember that you blocked them until it’s too late to log in and carve an exception for yourself.

Tags: blog, tech

Previously: shellshock explanations

More recently: amateur IT

© -dsr-. Send feedback or comments via email — by continuing to use this site you agree to certain terms and conditions.

Built using Pelican. Derived from the svbhack theme by Giulio Fidente on github.