2009/8/2 mrfroasty <mrfroasty@×××××.com>:
> Hello,
>
> I have set up iptables and fail2ban, but I am curious that this line of
> defense seems not to work and ban me if I do this:
> #wget ftp://mysql:xxxx@fileserver
>
> I have seen a script kiddie doing that and the firewall just didn't respond to
> him, or at least not on the logs that he had been banned when he tried that.
> The firewall does ban or respond if I do this:
> #wget ftp://foo:pass@fileserver
>
> Probably he could have been banned if he used a different user, but not
> mysql... I am confused... any clue? :-D

You haven't provided any pertinent background information (FTP daemon
in use, log message which is expected to trigger action, details of
the fail2ban filter and so forth), which makes it rather difficult to
take a view. My guess is that the particular filter you are using
contains a regex which matches log messages from the daemon which
convey only an invalid user, rather than an authentication failure in
general. If so, you would need to adjust the filter - or add an
additional one - so as to cover both cases.

As a side note, do be careful when crafting the regular expressions
that form the basis of the filter. The slightest mistake can
potentially result in the tool being open to attack itself via log
injection. For more information on this topic, search for
"attacking-loganalysis.html" via Google and view the cached copy; the
original article seems to have disappeared from the ossec.net site.

Cheers,

--Kerin
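An added illustration of both points in the reply above: a filter regex that only recognises the daemon's "unknown user" message never counts password failures against an existing account, and a carelessly written regex lets the client choose which address gets banned. This is example code written for this page, not fail2ban's own filter code and not the original poster's setup. The log format, host name, IP addresses and the three regexes are all constructed for the example (the thread never names the FTP daemon or its log format); a Python `re` named group stands in for fail2ban's `<HOST>` placeholder, and `maxretry=3` is simply the value assumed here.

```python
import re

# Constructed sample log in a made-up FTP daemon format (not the format of
# any real daemon). The address after the final "from" is the one the daemon
# itself recorded and the one a jail should ban. Line 3 is what this daemon
# would log if the client sent the username  x" from 198.51.100.9 "  in an
# attempt to get an innocent host banned (assumes the daemon does not let a
# client embed newlines in the username).
SAMPLE_LOG = """\
Aug  2 10:00:01 fileserver ftpd[123]: login failed: unknown user "foo" from 203.0.113.5
Aug  2 10:00:02 fileserver ftpd[123]: login failed: wrong password for user "mysql" from 203.0.113.5
Aug  2 10:00:03 fileserver ftpd[123]: login failed: unknown user "x" from 198.51.100.9 "" from 203.0.113.5
Aug  2 10:00:04 fileserver ftpd[123]: login ok: user "alice" from 192.0.2.10
"""

# Named group standing in for fail2ban's <HOST> placeholder.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Narrow filter, the kind suspected in the thread: it only knows the
# "unknown user" message, so password failures for an existing account
# (mysql) never count toward a ban.
NARROW = re.compile(r'login failed: unknown user ".*" from ' + HOST + r"$")

# Corrected filter: both failure messages, greedy ".*" plus a "$" anchor so
# the captured host is always the daemon's own trailing address, whatever
# text the client put into the username.
BROAD = re.compile(
    r'login failed: (?:unknown user|wrong password for user) ".*" from '
    + HOST + r"$"
)

# Sloppy filter: covers both messages too, but "\S+" for the username and no
# end anchor let attacker-controlled username text supply the matched host.
SLOPPY = re.compile(r'login failed: .*user "\S+" from ' + HOST)


def failures_by_host(log_text, pattern):
    """Count matching failure lines per captured host, as a jail would."""
    counts = {}
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            host = m.group("host")
            counts[host] = counts.get(host, 0) + 1
    return counts


def would_ban(log_text, pattern, maxretry=3):
    """Hosts whose failure count reaches maxretry (3 is assumed here)."""
    counts = failures_by_host(log_text, pattern)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, pat in (("narrow", NARROW), ("broad", BROAD), ("sloppy", SLOPPY)):
        print(name, failures_by_host(SAMPLE_LOG, pat), would_ban(SAMPLE_LOG, pat))
```

With the narrow filter the "mysql" line is invisible and 203.0.113.5 stays under the threshold; the broad filter counts all three failures against it. The sloppy filter credits the third failure to 198.51.100.9, the address the client typed into the username, which is exactly the log-injection failure mode the reply warns about: the fix is to anchor the regex on the daemon's own trailing field rather than on text the client controls.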