| 1 |
>>> Hi, my site is being ravaged by an IP but dropping the IP via |
| 2 |
>>> shorewall is seeming to have no effect. I'm using his IP from nginx |
| 3 |
>>> logs. IP blocking in shorewall has always worked before. What could |
| 4 |
>>> be happening? |
| 5 |
>> |
| 6 |
>> |
| 7 |
>> I'm blocking like this with the firewall running on the web server: |
| 8 |
>> |
| 9 |
>> /etc/shorewall/rules |
| 10 |
>> DROP net:1.2.3.4 $FW |
| 11 |
>> |
| 12 |
>> Could shorewall/iptables see a different IP address than the one seen by nginx? |
| 13 |
> |
| 14 |
> |
| 15 |
> Most likely the file is configured but the firewall service wasn't |
| 16 |
> restarted or the rules no loaded. |
| 17 |
|
| 18 |
|
| 19 |
I restarted shorewall plenty. :) I believe the issue was either a |
| 20 |
persistent connection which conntrack-tools would have allowed me to |
| 21 |
flush, or my blocking in /etc/shorewall/rules instead of |
| 22 |
/etc/shorewall/blrules, or both. |
| 23 |
|
| 24 |
|
| 25 |
> But as Jeremi pointed out. failsban is a far superior tool for this. |
| 26 |
> Ossec with it's active response is also good. |
| 27 |
> There are quite a few more tools in this space, and they all work much |
| 28 |
> the same way - scan logs looking for dodgy stuff going on the |
| 29 |
> dynamically apply a packet filter rule. The software also does it all |
| 30 |
> day every day, and that's a record you the human cannot hope to match :-) |
| 31 |
|
| 32 |
|
| 33 |
I'm happy to say fail2ban is running now: |
| 34 |
|
| 35 |
# fail2ban-client status |
| 36 |
Status |
| 37 |
|- Number of jail: 10 |
| 38 |
`- Jail list: nginx-botsearch, nginx-http-auth, nginx-limit-req, |
| 39 |
pam-generic, php-url-fopen, postfix, postfix-rbl, postfix-sasl, sshd, |
| 40 |
sshd-ddos |
| 41 |
|
| 42 |
I should probably play with the config a bit. I'm pretty much using |
| 43 |
defaults. For example I think the sshd hackers make their attempts |
| 44 |
really slowly but it would be nice to ban them anyway: |
| 45 |
|
| 46 |
# fail2ban-client status sshd |
| 47 |
Status for the jail: sshd |
| 48 |
|- Filter |
| 49 |
| |- Currently failed: 2 |
| 50 |
| |- Total failed: 58 |
| 51 |
| `- File list: /var/log/sshd/current |
| 52 |
`- Actions |
| 53 |
|- Currently banned: 0 |
| 54 |
|- Total banned: 3 |
| 55 |
`- Banned IP list: |
| 56 |
|
| 57 |
Also I wish fail2ban-client would display a tally of all fails and |
| 58 |
bans with a single command. |
| 59 |
|
| 60 |
- Grant |
Archives