Jim's Depository

this code is not yet written		 help
Using fail2ban on virtual servers. linux By jim, 6 months ago
I have a server which contains a bunch of virtual machines. These machines are continually harassed by script kiddies. I use Fail2ban to keep the trolling to a minimum. 
  • Each virtual machine sends its syslog activity to the physical server, using something like this in its syslog.conf...  *.* @some.host.com
  • The physical server saves all the syslog activity from the virtual machines, safe from tampering. (/etc/defaults/syslogd needs a -r)
  • fail2ban runs on the physical server and drops bans into the FORWARD chain to protect the inner machines.
  • The syslog port needs to be protected to only take traffic from trusted machines.  This ought to block anything from the machine's two physical ethernets but let through the virtual ones...
    /sbin/iptables -I INPUT -p udp --dport 514 -m physdev --physdev-in eth0 -j REJECT /sbin/iptables -I INPUT -p udp --dport 514 -m physdev --physdev-in eth1 -j REJECT
Things that needed changing...

/etc/fail2ban/actions.d/iptables.conf... the actionstart and actionstop need to also put the chains into the FORWARD rule....

# Option:  fwstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
              iptables -I FORWARD -p <protocol> --dport <port> -j fail2ban-<name>

# Option:  fwend
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -D FORWARD -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>


comment
comment by jim, 6 months ago
Interesting observation when using a single fail2ban on multiple machines. It catches horizontal sweeps much sooner. Today I noticed it catch someone that was making one try at root on each of my machines. The merged auth.log files tripped my 10 hour ban after one attempt on each of three machines.
The femtoblogger software is being written by Jim Studt. The content of this page is provided by anonymous individuals. If you believe something on this page is innapropriate contact Jim Studt.

Contribute

login
logout
post
create account (12 seconds)
recent comments

Filter

everything
coding
femtoblogger
language
linux

Search

Browsers

googlebot27.4%
yahoobot16.9%
IE 616.7%
Firefox10.9%
msnbot10.3%
Safari7.5%
hiding5.1%
IE 74.4%
Opera0.5%
Chrome0.1%
jeevesbot0.1%
iPhone0.0%
Konqueror0.0%
unknown0.0%

Archives

2008November2
October5
September1
August1
July2
June3
May3
April4
February1
January4
2007December1
November3
October8
September18