| 1 |
2009/8/2 mrfroasty <mrfroasty@×××××.com>: |
| 2 |
> Hello, |
| 3 |
> |
| 4 |
> I have setup iptables and fail2ban, but I am curios that this line of |
| 5 |
> defense seem not to work and ban me if i do this: |
| 6 |
> #wget ftp://mysql:xxxx@fileserver |
| 7 |
> |
| 8 |
> I have seen a script kido, doing that and firewall just didnt respond to |
| 9 |
> him or atleast not on the logs that he had been banned when he tried that. |
| 10 |
> The firewall does ban or respond if I do this: |
| 11 |
> #wget ftp://foo:pass@fileserver |
| 12 |
> |
| 13 |
> Probably he could have been banned if used a different user, but not |
| 14 |
> mysql...I am confused...any clue? :-D |
| 15 |
|
| 16 |
You haven't provide any pertinent background information (ftp daemon |
| 17 |
in use, log message which is expected to trigger action, details of |
| 18 |
the fail2ban filter and so forth), which makes it rather difficult to |
| 19 |
take a view. My guess is that the particular filter you are using |
| 20 |
contains a regex which matches log messages from the daemon which |
| 21 |
convey only an invalid user, rather than an authentication failure in |
| 22 |
general. If so, you would need to adjust the filter - or add an |
| 23 |
additional one - so as to cover both cases. |
| 24 |
|
| 25 |
As a side note, do be careful when crafting the regular expressions |
| 26 |
that form the basis of the filter. The slightest mistake can |
| 27 |
potentially result in the tool being open to attack itself via log |
| 28 |
injection. For more information on this topic, search for |
| 29 |
"attacking-loganalysis.html" via Google and view the cached copy; the |
| 30 |
original article seems to have disappeared from the ossec.net site. |
| 31 |
|
| 32 |
Cheers, |
| 33 |
|
| 34 |
--Kerin |
Archives