trinity-users@lists.pearsoncomputing.net


Re: [trinity-users] Re: fail2ban advice needed

From: Gene Heskett <gheskett@...>
Date: Sat, 27 Aug 2016 19:17:45 -0400
On Saturday 27 August 2016 18:53:09 deloptes wrote:

> Gene Heskett wrote:
> > On Saturday 27 August 2016 14:08:58 Steven D'Aprano wrote:
> >> On Sat, Aug 27, 2016 at 10:46:31AM -0400, Gene Heskett wrote:
> >> > Greetings all;
> >> >
> >> > Is there someone familiar with fail2ban here?
> >>
> >> I'm not an expert, but I do run it myself.
> >>
> >> > I just installed it and started it with the installation
> >> > defaults, which I do not know since the init script has no "dump"
> >> > option.
> >>
> >> Look at the default config file:
> >>
> >> less /etc/fail2ban/fail2ban.conf
> >>
> >> and the jail file:
> >>
> >> less /etc/fail2ban/jail.conf
> >>
> >> > However that bit of hungry guard dog only protects this machine,
> >> > leaving the other 4 or sometimes 5 on my local network still
> >> > open.
> >> >
> >> > So specifically, is there a way to broadcast the rules it applies
> >> > to the other 4 or 5 machines, protecting them at the same time?
> >>
> >> The way I would do that would be to install fail2ban on each
> >> machine, and then periodically rsync the relevant config files from
> >> one designated "master" copy to the other machines. You can
> >> probably set that up as a cron job.
> >>
> >> Actually, that's not really how I would do it. How I really would
> >> do it would be to ensure that only one machine is directly exposed
> >> to the internet. Let's say I had four machines, "groucho", "harpo",
> >> "chico" and "zeppo". Plus, of course, my modem/router has a
> >> firewall. So I would have:
> >>
> >> (ASCII art best viewed in a fixed-width font, like Courier)
> >>
> >>                  internet
> >>
> >>
> >>                  firewall (router/modem)
> >>
> >>
> >>                  groucho
> >>
> >>             +-------+-------+------------+
> >>
> >>           harpo           chico        zeppo
> >
> > In my lashup, although groucho has two ethernet ports, groucho is on
> > an 8 port switch in parallel with harpo, chico, and zeppo.  The
> > switch's upstream port goes to the router. So all machines have
> > instant access to the net with the router keeping track of who
> > originated the net traffic request. ssh -Y using keyfile access
> > control is transparent from this machine to the others.  As is an
> > sshfs mount to /home/me on all the other machines.  Root access by
> > ssh is denied.  Where there is more than one machine in a
> > building/room, an additional hub tees things off.
> >
> >> groucho, of course, also runs its own firewall, giving defence in
> >> depth: even if router firewall is compromised, the firewall on
> >> groucho gives some additional security. harpo, chico and zeppo
> >> don't have any firewall because they're all part of my trusted LAN.
> >> (You may not trust your LAN, in which case by all means put
> >> firewalls on everything.) Nothing can go directly from the internet
> >> to the inner LAN, so groucho is the only machine that needs to run
> >> fail2ban.
> >>
> >> To SSH into chico, say, I would SSH into groucho, then SSH into
> >> chico. There's probably a clever way of doing that in a single step
> >> with ssh tunnelling, but that's beyond my level of expertise, so I
> >> just do it with two steps.
> >>
> >> > Or possibly broadcast them to the router, which is running
> >> > dd-wrt, and which is considered one of the more bulletproof
> >> > reflashes about. I may be lucky, but since I do have a port
> >> > forward to allow my web server, there is a potential attack
> >> > point.
> >>
> >> Does your router have a writable storage area? Apart from its own
> >> configuration, of course?
> >
> > Yes, one can add to its rules, but access is a cast iron b---h.
> >
> > Cheers, Gene Heskett
>
> Gene,
> the concept is
>
> internet <-> router/modem <-> firewall <-> switch <-> local
> network/intranet
>
> you can access the machines in your lan directly without going through
> whatever.
>
> I actually purchased a low power fanless network pc (3 network ports)
> 10y ago and it is being used as firewall since then. Later some nice
> OpenWRT routers came out, so this is also doable for ~30$
>
> regards
>
>
dd-wrt may have additional bells and whistles.  It seems to need a $70
router to have the resources to do port forwarding, customized iptables
rules and such.  However, it has worked so well for me that I have not
had the urge to try some of the $30 routers.  Competition generally
leads to a better, cheaper product.

The new user would be wise to survey what is available, and for how much.
But first learn the lingo well enough to determine if you need feature
such-and-such.  dd-wrt is the only one I trust to not have a back door
in it.  Someone else will have to attest for openwrt and tomato, as I
have exactly zero experience with them.


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Gene's Web page <http://geneslinuxbox.net:6309/gene>
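As an added example (not code from anyone in the thread): a cron-friendly script for Steven's suggestion of rsyncing one "master" fail2ban config to the other LAN hosts, plus the single-step hop through groucho he wonders about (OpenSSH's `ssh -J`). The host names are the thread's own; the sync account, the `jail.local` path and the `fail2ban-client reload` step are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: push one master fail2ban jail config to
# the other LAN hosts with rsync and show the one-step ssh hop via groucho.
# Host names come from the thread; sync user, jail.local path and the
# fail2ban-client reload step are assumptions.
set -u

MASTER_CONF="${MASTER_CONF:-/etc/fail2ban/jail.local}"   # local overrides; jail.conf stays untouched
PEERS="${PEERS:-harpo chico zeppo}"                        # hosts that should run the same jails
SYNC_USER="${SYNC_USER:-f2bsync}"                          # unprivileged account; root ssh stays denied

# Command that copies the config to one peer. -a keeps mode and owner, and
# --rsync-path lets the unprivileged account write under /etc via sudo there.
rsync_cmd() {
    printf 'rsync -a --rsync-path="sudo rsync" -e ssh %s %s@%s:%s' \
        "$MASTER_CONF" "$SYNC_USER" "$1" "$MASTER_CONF"
}

# Command that makes the peer re-read its jails after the copy.
reload_cmd() {
    printf 'ssh %s@%s sudo fail2ban-client reload' "$SYNC_USER" "$1"
}

# The single-step hop: -J (ProxyJump) reaches an inner host through groucho
# without a separate interactive login on groucho.
jump_cmd() {
    printf 'ssh -J groucho %s' "$1"
}

# Push to every peer; returns non-zero if any peer failed, so cron mails you.
sync_all() {
    rc=0
    for peer in $PEERS; do
        if sh -c "$(rsync_cmd "$peer")" && sh -c "$(reload_cmd "$peer")"; then
            echo "synced $peer"
        else
            echo "FAILED $peer" >&2
            rc=1
        fi
    done
    return $rc
}

# Only perform the sync when explicitly asked, e.g. from a cron entry such as
#   0 * * * * F2B_PUSH=yes /usr/local/sbin/f2b-push.sh
if [ "${F2B_PUSH:-no}" = "yes" ]; then
    sync_all
fi
```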