List: fail2ban-users
Subject: [Fail2ban-users] Jail and filter for sslyze scans
From: "Ken Johnson" <kjohnson () eclypse ! org>
Date: 2015-04-29 21:34:30
Message-ID: 802FEB111501430F8B3AF5588707FB0B () LENOVO9D1B1498
Scanning for a research project by sba-research.org had negative impact on
our server recently, twice. From our point of view, it looked like a
Denial-of-Service attack. One of their senior researchers told me they use
a tool called sslyze. While I have added their IP address
(scan.sba-research.org) to the drop list on the server and on our edge
router, that will not stop others using the same tool, nor sba-research if
they perform IP renumbering. Hence, this jail and filter, which might be
useful if you use uw-imap. Obviously you could adapt this for other
POP/IMAP servers.
As always, your mileage may differ. Read and consider carefully all label
instructions.
Regards,
Ken
########################################
Jail
########################################
##
## modified from uw-imap jail
## implemented after sslyze scans from sba-research.org
## caused problems for us. Note the largish maxretry
## and short findtime -- sba-research sent 100's of
## connection attempts in 10 seconds.
##
[sslyze]
enabled = true
port = pop3,pop3s,imap,imaps
filter = sslyze
banaction = iptables-multiport[name=UW-IMAP, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 20
findtime = 10
bantime = 36000
#########################################
Filter
#########################################
## Lifted from https://github.com/fail2ban/fail2ban/issues/18,
## Modified to protect against 'research' with sslyze.
## Tested by KLJ with fail2ban-regex against local log files
## fail2ban-regex sslyze.log sslyze.conf
##
# Fail2Ban configuration file
#
# Props: Amir Caspi
#
# $Revision: 1 $
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = /etc/fail2ban/filter.d/common.conf
[Definition]
_daemon = (?:ipop3d|imapd)
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)sAutologout user=\?\?\? host=.*\[<HOST>\]\s*$
            ^%(__prefix_line)sLogout user=\?\?\? host=.*\[<HOST>\]\s*$
            ^%(__prefix_line)sMissing command before authentication host=.*\[<HOST>\]\s*$
            ^%(__prefix_line)sNull command before authentication host=.*\[<HOST>\]\s*$
            ^%(__prefix_line)s(imaps|pop3s) SSL service init from <HOST>\s*$
            ^%(__prefix_line)sUnable to accept SSL connection, host=.*\[<HOST>\]\s*$
            ^%(__prefix_line)sUnexpected client disconnect, while reading line user=\?\?\? host=.*\[<HOST>\]\s*$
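An added example, not part of Ken's post, that replays the filter's failregex lines over constructed uw-imap log lines in Python, roughly what his fail2ban-regex check does; the __prefix_line pattern here is an assumption standing in for common.conf, not fail2ban's actual definition.

```python
import re

# Constructed stand-in for fail2ban's common.conf __prefix_line (an assumption,
# not the real definition): syslog timestamp, hostname, then daemon[pid]:
PREFIX_LINE = (r"(?:\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+"
               r"(?:ipop3d|imapd)(?:\[\d+\])?:\s+")
# What fail2ban substitutes for the <HOST> tag (as quoted in the filter's comment).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex lines from the sslyze.conf above, verbatim.
FAILREGEX = [
    r"^%(__prefix_line)sAutologout user=\?\?\? host=.*\[<HOST>\]\s*$",
    r"^%(__prefix_line)sLogout user=\?\?\? host=.*\[<HOST>\]\s*$",
    r"^%(__prefix_line)sMissing command before authentication host=.*\[<HOST>\]\s*$",
    r"^%(__prefix_line)sNull command before authentication host=.*\[<HOST>\]\s*$",
    r"^%(__prefix_line)s(imaps|pop3s) SSL service init from <HOST>\s*$",
    r"^%(__prefix_line)sUnable to accept SSL connection, host=.*\[<HOST>\]\s*$",
    r"^%(__prefix_line)sUnexpected client disconnect, while reading line user=\?\?\? host=.*\[<HOST>\]\s*$",
]

def compile_rules(patterns=FAILREGEX):
    """Interpolate %(__prefix_line)s and <HOST> the way fail2ban does."""
    return [re.compile((p % {"__prefix_line": PREFIX_LINE}).replace("<HOST>", HOST_TAG))
            for p in patterns]

def match_host(line, rules):
    """Return the offending host if any failregex matches the line, else None."""
    for rule in rules:
        m = rule.search(line)
        if m:
            return m.group("host")
    return None

def count_failures(lines, rules):
    """Tally matches per host: the number the jail compares against maxretry."""
    counts = {}
    for line in lines:
        host = match_host(line, rules)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts

# Constructed sample log lines in uw-imap's syslog style (not real traffic).
SAMPLE_LOG = [
    "Apr 29 21:30:01 mail imapd[2241]: imaps SSL service init from 192.0.2.10",
    "Apr 29 21:30:01 mail imapd[2242]: Unable to accept SSL connection, host=UNKNOWN [192.0.2.10]",
    "Apr 29 21:30:02 mail ipop3d[2243]: Null command before authentication host=UNKNOWN [192.0.2.10]",
    "Apr 29 21:30:05 mail imapd[2244]: Login user=alice host=laptop.example.org [198.51.100.7]",
    "Apr 29 21:30:06 mail imapd[2245]: Autologout user=??? host=UNKNOWN [203.0.113.5]",
]
```

Note that the "SSL service init" pattern also fires on every successful TLS handshake, so a legitimate client that reconnects often counts toward maxretry as well; that is the trade-off behind the high threshold in the jail.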