trinity-users@lists.pearsoncomputing.net

Month: August 2016

Re: [trinity-users] fail2ban advice needed

From: Steven D'Aprano <steve@...>
Date: Sun, 28 Aug 2016 04:08:58 +1000
On Sat, Aug 27, 2016 at 10:46:31AM -0400, Gene Heskett wrote:
> Greetings all;
> 
> Is there someone familiar with fail2ban here?

I'm not an expert, but I do run it myself.

> I just installed it and started it with the installation defaults, 
> which I do not know since the init script has no "dump" option.

Look at the default config file:

less /etc/fail2ban/fail2ban.conf

and the jail file:

less /etc/fail2ban/jail.conf


> However that bit of hungry guard dog only protects this machine, 
> leaving the other 4 or sometimes 5 on my local network still open.
> 
> So specifically, is there a way to broadcast the rules it applies to 
> the other 4 or 5 machines, protecting them at the same time?

The way I would do that would be to install fail2ban on each machine, 
and then periodically rsync the relevant config files from one 
designated "master" copy to the other machines. You can probably set 
that up as a cron job.

Actually, that's not really how I would do it. How I really would do it 
would be to ensure that only one machine is directly exposed to the 
internet. Let's say I had four machines, "groucho", "harpo", "chico" and 
"zeppo". Plus, of course, my modem/router has a firewall. So I would 
have:

(ASCII art best viewed in a fixed-width font, like Courier)

                 internet
                    |
                    |
                 firewall (router/modem)
                    |
                    |
                 groucho
                    |
            +-------+-------+------------+
            |               |            |
          harpo           chico        zeppo


groucho, of course, also runs its own firewall, giving defence in depth: 
even if the router firewall is compromised, the firewall on groucho gives 
some additional security. harpo, chico and zeppo don't have any firewall 
because they're all part of my trusted LAN. (You may not trust your LAN, 
in which case by all means put firewalls on everything.) Nothing can go 
directly from the internet to the inner LAN, so groucho is the only 
machine that needs to run fail2ban.

To SSH into chico, say, I would SSH into groucho, then SSH into chico. 
There's probably a clever way of doing that in a single step with ssh 
tunnelling, but that's beyond my level of expertise, so I just do it 
with two steps.



> Or possibly broadcast them to the router, which is running dd-wrt, and 
> which is considered one of the more bulletproof reflashes about. I may 
> be lucky, but since I do have a port forward to allow my web server, 
> there is a potential attack point.

Does your router have a writable storage area? Apart from its own 
configuration, of course?


-- 
Steve
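The reply points at /etc/fail2ban/jail.conf as the place to learn what the "installation defaults" actually are. The script below is an added example, not code from the thread or from the fail2ban project: it reads fail2ban-style INI files in override order (jail.conf first, then jail.local, which fail2ban lets override it) and reports which jails end up enabled, honouring a per-jail `enabled` line and falling back to the `enabled` value in `[DEFAULT]`. The sample jail.conf and jail.local it writes to a temporary directory are constructed for the demonstration; the section and key names are assumed to mirror the real file layout.

```shell
#!/bin/sh
# Added example: list the jails that are enabled after fail2ban's
# jail.conf -> jail.local override chain. Not part of the original post.

# Write constructed sample files (NOT the real system files) into a temp
# directory and print its path, so the parser can be exercised offline.
make_sample_fail2ban_dir() {
  d=$(mktemp -d)
  cat > "$d/jail.conf" <<'EOF'
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 5
enabled = false

[sshd]
port = ssh
logpath = %(sshd_log)s

[apache-auth]
enabled = true
port = http,https

[postfix]
port = smtp
EOF
  cat > "$d/jail.local" <<'EOF'
[sshd]
enabled = true
maxretry = 3

[apache-auth]
enabled = false
EOF
  printf '%s\n' "$d"
}

# fail2ban_enabled_jails FILE... : print, one per line, every jail section
# whose effective "enabled" value is true. Later files override earlier
# ones, which is how fail2ban treats jail.local relative to jail.conf.
fail2ban_enabled_jails() {
  awk '
    /^[ \t]*[#;]/ { next }                       # skip comment lines
    /^[ \t]*\[/ {                                # [section] header
      sec = $0
      sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
      if (!(sec in seen)) { seen[sec] = 1; names[++n] = sec }
      next
    }
    /^[ \t]*enabled[ \t]*=/ {                    # enabled = true|false
      v = $0
      sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
      val[sec] = tolower(v)                      # last file to set it wins
      next
    }
    END {
      def = ("DEFAULT" in val) ? val["DEFAULT"] : "false"
      for (i = 1; i <= n; i++) {
        s = names[i]
        if (s == "DEFAULT" || s == "INCLUDES") continue
        e = (s in val) ? val[s] : def
        if (e == "true") print s
      }
    }' "$@"
}

# Stand-alone run against the constructed files.
sample_dir=$(make_sample_fail2ban_dir)
echo "enabled after jail.conf only:"
fail2ban_enabled_jails "$sample_dir/jail.conf"
echo "enabled after jail.conf + jail.local:"
fail2ban_enabled_jails "$sample_dir/jail.conf" "$sample_dir/jail.local"
rm -rf "$sample_dir"
```

On a real host the same function can be pointed at /etc/fail2ban/jail.conf followed by /etc/fail2ban/jail.local (and any /etc/fail2ban/jail.d/*.conf files, which fail2ban also reads); the running daemon's own view is available with `fail2ban-client status`, which lists the active jails and is the authoritative check once the service is up.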