
List:       fail2ban-users
Subject:    [Fail2ban-users] shellinabox : how to best secure it w/ fail2ban?
From:       David Purdy <david.c.purdy () gmail ! com>
Date:       2015-04-26 23:25:34
Message-ID: A7C6D982-4912-4B3A-A7E0-BC24C696CCC6 () gmail ! com

I'm posting for advice as to the _best_ way to protect "Shellinabox" (SIAB) on a server. I -have- found a solution, but I'm curious if anyone in the community has come up with a better solution.

While it might seem like it would be similar to protecting sshd, the fact that it runs through another port (externally 80, or better yet 443) and through a reverse proxy makes it nonstandard to log-parse.

The problem that I ran up against is that SIAB behind a reverse proxy doesn't return/log the actual remote IP address; it miserably reports localhost or 127.0.0.1. In a nutshell, /var/log/auth.log will show an authentication failure, but the remote host can't be determined from this log. This is a documented shortcoming/"feature"/bug that has been nagging some of us users for years.

My way around it was to create 2 jails:

The first one (which doesn't do any jailing, just merging 2 logs), called SIAB-logger, triggers an action/search for appropriate matches showing authentication failures on 127.0.0.1, and then parses their TIMESTAMP. Once this timestamp is pinned down, the action/script parses /var/log/lighttpd/access.log for specific strings that mark GETs pointed to the SIAB proxy server. From the access.log the true remote host/IP is parsed, and then the HOST and TIMESTAMP are printed to a new log, say /var/log/SIABfailures.log.

The second jail, SIAB, does the actual jailing, just like any https jail would do. It parses /var/log/SIABfailures.log and bans the remote host accordingly, as you'd expect.


I reflected on the problem a good bit, but was unable to come up with a -single jail- solution, since a single log containing all relevant info doesn't exist w/o the first jail's logging work. I thought about declaring both logfiles (auth.log and lighttpd/access.log) in a single jail, but couldn't work out how to "AND" or intersect the matches of two filters simultaneously. My background w/ regex and the like is limited.

Perhaps someone out there has already solved this problem in a more succinct way?

Thanks in advance,

Dave
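One way to do the timestamp correlation the post describes (PAM failure in auth.log, matching hit on the proxied SIAB path in lighttpd's access.log, merged line for the second jail), as an added Python example that is not from the original post nor from fail2ban or shellinabox. The log formats, the `/shell/` proxy path, the 3-second window and the sample lines are assumptions; adjust them to your own logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the post): PAM-style syslog lines and lighttpd's default accesslog.format.
AUTH_LOG = """\
Apr 26 23:20:01 vps shellinabox[1234]: pam_unix(shellinabox:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1  user=root
Apr 26 23:20:45 vps sshd[2222]: Accepted publickey for dave from 203.0.113.5 port 50000 ssh2
Apr 26 23:21:30 vps shellinabox[1234]: pam_unix(shellinabox:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=localhost  user=root
"""
ACCESS_LOG = """\
198.51.100.23 vps.example.org - [26/Apr/2015:23:19:59 +0000] "GET /shell/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 vps.example.org - [26/Apr/2015:23:20:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.0"
198.51.100.23 vps.example.org - [26/Apr/2015:23:21:28 +0000] "GET /shell/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 vps.example.org - [26/Apr/2015:23:21:31 +0000] "GET /shell/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
# Only failures the proxy attributes to itself (localhost / 127.0.0.1) are SIAB failures.
AUTH_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ shellinabox\[\d+\]: .*authentication failure;.*rhost=(?:127\.0\.0\.1|localhost)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [^\]]*\] "(?:GET|POST) (\S+)')

def parse_auth_failures(text, year):
    """Timestamps of SIAB PAM failures. Syslog carries no year, so the caller supplies it."""
    out = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            out.append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    return out

def parse_siab_requests(text, path_prefix="/shell/"):
    """(timestamp, client_ip) for hits on the SIAB proxy path. UTC offset ignored: same zone as syslog assumed."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(3).startswith(path_prefix):
            out.append((datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S"), m.group(1)))
    return out

def correlate(failures, requests, window=timedelta(seconds=3)):
    """Attribute each failure to the one client that hit the SIAB path within +/- window; a failure with
    no candidate, or with candidates from several IPs, is dropped rather than risk banning the wrong host."""
    out = []
    for when in failures:
        ips = {ip for t, ip in requests if abs(t - when) <= window}
        if len(ips) == 1:
            out.append((when, ips.pop()))
    return out

def failure_log_lines(auth_text, access_text, year):
    """Lines for the merged log (e.g. /var/log/SIABfailures.log) in a shape a plain failregex can match."""
    pairs = correlate(parse_auth_failures(auth_text, year), parse_siab_requests(access_text))
    return [f"{t:%Y-%m-%d %H:%M:%S} shellinabox auth failure from {ip}" for t, ip in pairs]
```

With the merged log in this shape, the second jail's filter needs only `failregex = shellinabox auth failure from <HOST>$`; the second sample failure is deliberately ambiguous (two clients on the SIAB path within the window) and is skipped rather than guessed.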


