fail2ban ??

Michael Torrie torriem at gmail.com
Fri Apr 12 09:25:29 MDT 2013


On 04/12/2013 12:34 AM, S. Dale Morrey wrote:
> Hello pluggers,
> 
> Still working with through issues with a system I'm building and was
> wondering if anyone has had experience with fail2ban.  Specifically I would
> like to rate limit failed SIP login attempts, but not necessarily ban
> them.  It seems like a lot of PBX in a box type solutions use fail2ban,
> with no really clear explanation of how or why it's being used.
> 
> Can anyone elaborate on this and whether or not this tool is the correct
> choice if all I want to do is rate limit failed attempts on SIP?  Also does
> this need iptables to function, or can it work standalone.

Not sure what you mean by "work standalone."  By definition firewalling
is done by the firewall system, which is iptables.  fail2ban inserts
iptables rules when it detects too many connections, and removes the
rule after a period of time when it expires.

iptables itself can also do rate-limiting of connections.  For example,
here're rules that rate-limits ssh attempts:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent
--update --seconds 60 --hitcount 10 -j LOG --log-prefix "blocked ssh
after too many connection attempts in 60 seconds."

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent
--update --seconds 60 --hitcount 10 -j DROP

I'm not entirely sure if this solution is as good as fail2ban, but I've
used it for a while now on my public-facing server for ssh and DNS.


More information about the PLUG mailing list