>>> Hi, my site is being ravaged by an IP but dropping the IP via
>>> shorewall seems to have no effect. I'm using his IP from nginx
>>> logs. IP blocking in shorewall has always worked before. What could
>>> be happening?
>>
>>
>> I'm blocking like this with the firewall running on the web server:
>>
>> /etc/shorewall/rules
>> DROP net:1.2.3.4 $FW
>>
>> Could shorewall/iptables see a different IP address than the one seen by nginx?
>
>
> Most likely the file is configured but the firewall service wasn't
> restarted or the rules not loaded.


I restarted shorewall plenty. :) I believe the issue was either a
persistent connection which conntrack-tools would have allowed me to
flush, or my blocking in /etc/shorewall/rules instead of
/etc/shorewall/blrules, or both.


> But as Jeremi pointed out, fail2ban is a far superior tool for this.
> Ossec with its active response is also good.
> There are quite a few more tools in this space, and they all work much
> the same way - scan logs looking for dodgy stuff going on, then
> dynamically apply a packet filter rule. The software also does it all
> day every day, and that's a record you the human cannot hope to match :-)


I'm happy to say fail2ban is running now:

# fail2ban-client status
Status
|- Number of jail: 10
`- Jail list: nginx-botsearch, nginx-http-auth, nginx-limit-req,
pam-generic, php-url-fopen, postfix, postfix-rbl, postfix-sasl, sshd,
sshd-ddos

I should probably play with the config a bit. I'm pretty much using
defaults. For example I think the sshd hackers make their attempts
really slowly but it would be nice to ban them anyway:

# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed: 58
|  `- File list: /var/log/sshd/current
`- Actions
   |- Currently banned: 0
   |- Total banned: 3
   `- Banned IP list:

Also I wish fail2ban-client would display a tally of all fails and
bans with a single command.

- Grant
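As an added illustration of the "slow sshd attempts" point above (this is example code, not part of the thread and not fail2ban's own implementation), the script below models fail2ban's two jail settings that decide this, findtime and maxretry: an IP is banned once it has at least maxretry matching failures inside a findtime-second window. The log lines are constructed, use RFC 5737 documentation addresses, and carry epoch seconds as a stand-in for real syslog timestamps; the attacker tries once every four minutes. The offenders function and the SAMPLE_LOG variable are names I made up for this example.

```shell
#!/bin/sh
# Added example: a simplified model of fail2ban's findtime/maxretry decision
# run over constructed sshd log lines. Real fail2ban matches lines with the
# jail's failregex; this model only matches "Failed password for".

# Constructed sample log (not from a real server). Field 1 is epoch seconds.
# 198.51.100.7 fails once every 240 s (a slow brute-force); 203.0.113.9 is a
# user who mistyped a password once and then logged in.
SAMPLE_LOG='1000 Failed password for root from 198.51.100.7 port 4001 ssh2
1240 Failed password for root from 198.51.100.7 port 4002 ssh2
1480 Failed password for root from 198.51.100.7 port 4003 ssh2
1720 Failed password for root from 198.51.100.7 port 4004 ssh2
1960 Failed password for root from 198.51.100.7 port 4005 ssh2
2200 Failed password for root from 198.51.100.7 port 4006 ssh2
1005 Failed password for alice from 203.0.113.9 port 5001 ssh2
1010 Accepted password for alice from 203.0.113.9 port 5002 ssh2'

# offenders FINDTIME MAXRETRY
# Prints, one per line and sorted, every IP with at least MAXRETRY failures
# inside some FINDTIME-second window of SAMPLE_LOG.
offenders() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v findtime="$1" -v maxretry="$2" '
        /Failed password for/ {
            t = $1 + 0
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
            ts[ip, n[ip]] = t
        }
        END {
            for (ip in n) {
                # insertion-sort the timestamps so unsorted input still works
                for (a = 2; a <= n[ip]; a++) {
                    v = ts[ip, a]; b = a - 1
                    while (b >= 1 && ts[ip, b] > v) { ts[ip, b + 1] = ts[ip, b]; b-- }
                    ts[ip, b + 1] = v
                }
                # sliding window: count failures starting at each one
                for (a = 1; a <= n[ip]; a++) {
                    c = 0
                    for (b = a; b <= n[ip] && ts[ip, b] - ts[ip, a] < findtime; b++) c++
                    if (c >= maxretry) { print ip; break }
                }
            }
        }' | sort
}

# With fail2ban-style defaults (findtime 10 minutes, maxretry 5) the slow
# attacker never has 5 failures in one window, so nothing is banned.
echo "findtime=600 maxretry=5:  $(offenders 600 5 | tr '\n' ' ')"
# Widening findtime to an hour catches it without touching the one-off user.
echo "findtime=3600 maxretry=5: $(offenders 3600 5 | tr '\n' ' ')"
# Lowering maxretry also catches it, at the cost of more false positives.
echo "findtime=600 maxretry=3:  $(offenders 600 3 | tr '\n' ' ')"
```

In a real deployment the equivalent knobs live in /etc/fail2ban/jail.local (findtime, maxretry and bantime under the [sshd] section, or under [DEFAULT] for every jail); the trade-off the script shows is the same one fail2ban makes, so a longer findtime or lower maxretry should be paired with a review of who else gets caught.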