On Saturday 27 August 2016 14:08:58 Steven D'Aprano wrote:
On Sat, Aug 27, 2016 at 10:46:31AM -0400, Gene Heskett wrote:
Greetings all;
Is there someone familiar with fail2ban here?
I'm not an expert, but I do run it myself.
I just installed it and started it with the installation defaults, which I do not know since the init script has no "dump" option.
Look at the default config file:
less /etc/fail2ban/fail2ban.conf
and the jail file:
less /etc/fail2ban/jail.conf
However, that bit of hungry guard dog only protects this machine, leaving the other 4 or sometimes 5 on my local network still open.
So specifically, is there a way to broadcast the rules it applies to the other 4 or 5 machines, protecting them at the same time?
The way I would do that would be to install fail2ban on each machine,
and then periodically rsync the relevant config files from one
designated "master" copy to the other machines. You can probably set
that up as a cron job.
Actually, that's not really how I would do it. How I really would do it would be to ensure that only one machine is directly exposed to the internet. Let's say I had four machines, "groucho", "harpo", "chico" and "zeppo". Plus, of course, my modem/router has a firewall. So I would have:
(ASCII art best viewed in a fixed-width font, like Courier)
internet
firewall (router/modem)
groucho
+-------+-------+------------+
harpo chico zeppo
In my lashup, although groucho has two ethernet ports, groucho is on an 8-port switch in parallel with harpo, chico, and zeppo. The switch's upstream port goes to the router. So all machines have instant access to the net, with the router keeping track of who originated the net traffic request. ssh -Y using keyfile access control is transparent from this machine to the others, as is an sshfs mount to /home/me on all the other machines. Root access by ssh is denied. Where there is more than one machine in a building/room, an additional hub tees things off.
groucho, of course, also runs its own firewall, giving defence in depth: even if the router firewall is compromised, the firewall on groucho gives some additional security. harpo, chico and zeppo don't have any firewall because they're all part of my trusted LAN. (You may not trust your LAN, in which case by all means put firewalls on everything.) Nothing can go directly from the internet to the inner LAN, so groucho is the only machine that needs to run fail2ban.
To SSH into chico, say, I would SSH into groucho, then SSH into chico.
There's probably a clever way of doing that in a single step with ssh
tunnelling, but that's beyond my level of expertise, so I just do it
with two steps.
Or possibly broadcast them to the router, which is running dd-wrt, and which is considered one of the more bulletproof reflashes about. I may be lucky, but since I do have a port forward to allow my web server, there is a potential attack point.
Does your router have a writable storage area? Apart from its own
configuration, of course?
Yes, one can add to its rules, but access is a cast iron b---h.
Cheers, Gene Heskett
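Before rsyncing one machine's fail2ban config to the rest of the LAN, it helps to see what the stock jail knobs actually do. The block below is an added example written for this page, not fail2ban's own code: a miniature sshd jail that replays constructed auth.log lines, counts "Failed password" hits per source address inside a sliding findtime window, bans after maxretry, and never bans anything listed in ignoreip. The bantime/findtime/maxretry values are assumed to be the stock jail.conf defaults of that era (600 s, 600 s, 5), the 192.168.1.0/24 LAN is assumed to be where harpo, chico and zeppo live, and the log year is assumed to be 2016 because syslog lines carry none. On a real box, `fail2ban-client -d` prints the parsed configuration and `fail2ban-client status <jail>` shows what is currently banned.

```python
"""Added example (not fail2ban's code): a miniature fail2ban-style sshd jail."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed stock jail.conf defaults of the 0.9 era, in seconds / attempts.
BANTIME = 600
FINDTIME = 600
MAXRETRY = 5

# Assumed LAN of harpo/chico/zeppo. Without this, a copied jail will happily
# ban your own machines the first time someone mistypes a password.
IGNOREIP = [ipaddress.ip_network("127.0.0.0/8"),
            ipaddress.ip_network("192.168.1.0/24")]
LOG_YEAR = 2016  # assumed: syslog timestamps carry no year

# sshd "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2")

# Constructed auth.log sample: a fast brute-forcer, a LAN host mistyping a
# password, and a slow attacker spacing attempts three minutes apart.
SAMPLE_LOG = """\
Aug 27 14:01:02 groucho sshd[4321]: Failed password for root from 203.0.113.7 port 51234 ssh2
Aug 27 14:01:05 groucho sshd[4321]: Failed password for root from 203.0.113.7 port 51234 ssh2
Aug 27 14:01:09 groucho sshd[4325]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Aug 27 14:01:12 groucho sshd[4325]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Aug 27 14:01:15 groucho sshd[4329]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Aug 27 14:01:18 groucho sshd[4329]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Aug 27 14:02:00 groucho sshd[4340]: Accepted publickey for gene from 192.168.1.12 port 40000 ssh2
Aug 27 14:03:01 groucho sshd[4350]: Failed password for gene from 192.168.1.12 port 40010 ssh2
Aug 27 14:03:04 groucho sshd[4350]: Failed password for gene from 192.168.1.12 port 40010 ssh2
Aug 27 14:03:07 groucho sshd[4350]: Failed password for gene from 192.168.1.12 port 40010 ssh2
Aug 27 14:03:20 groucho sshd[4352]: Failed password for gene from 192.168.1.12 port 40012 ssh2
Aug 27 14:03:23 groucho sshd[4352]: Failed password for gene from 192.168.1.12 port 40012 ssh2
Aug 27 14:03:26 groucho sshd[4352]: Failed password for gene from 192.168.1.12 port 40012 ssh2
Aug 27 14:10:00 groucho sshd[4400]: Failed password for root from 198.51.100.9 port 60000 ssh2
Aug 27 14:13:00 groucho sshd[4402]: Failed password for root from 198.51.100.9 port 60002 ssh2
Aug 27 14:16:00 groucho sshd[4404]: Failed password for root from 198.51.100.9 port 60004 ssh2
Aug 27 14:19:00 groucho sshd[4406]: Failed password for root from 198.51.100.9 port 60006 ssh2
Aug 27 14:22:00 groucho sshd[4408]: Failed password for root from 198.51.100.9 port 60008 ssh2
"""


def parse_ts(ts, year=LOG_YEAR):
    """Turn 'Aug 27 14:01:02' into a datetime, supplying the missing year."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def is_ignored(ip):
    """True if the source address lies inside any ignoreip network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNOREIP)


def scan(log_text, bantime=BANTIME, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay the log. Returns {"banned": {ip: ban_time}, "ignored": {ip: hits}}."""
    hits = defaultdict(deque)   # ip -> timestamps of failures still in the window
    banned = {}                 # ip -> time the ban was applied
    ignored = defaultdict(int)  # ip -> failures skipped because of ignoreip
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue            # e.g. "Accepted publickey": not a failure
        ip, t = m["ip"], parse_ts(m["ts"])
        if is_ignored(ip):
            ignored[ip] += 1
            continue
        if ip in banned:
            if (t - banned[ip]).total_seconds() < bantime:
                continue        # firewall rule still in place for this host
            del banned[ip]      # bantime elapsed: rule removed, count afresh
        window = hits[ip]
        window.append(t)
        while (t - window[0]).total_seconds() > findtime:
            window.popleft()    # forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = t
            window.clear()
    return {"banned": banned, "ignored": dict(ignored)}


if __name__ == "__main__":
    for ip, t in scan(SAMPLE_LOG)["banned"].items():
        print(f"ban {ip} at {t:%H:%M:%S} for {BANTIME}s")
```

Run as is, only 203.0.113.7 gets banned: the LAN host's six failures are skipped by ignoreip, and the slow attacker never has five failures inside one 600 s window, which is exactly what findtime means. Calling `scan(SAMPLE_LOG, findtime=1800)` catches that slow attacker too, at the cost of a wider window in which a legitimate user can also trip maxretry; that trade-off is the main thing worth putting in jail.local before copying it around.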
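The single-step version of the two-hop ssh that Steven describes is a jump host, and it is a client-side setting rather than tunnelling. The fragment below is an added example for this page, not something from the thread: it goes in ~/.ssh/config on the machine you sit at. The host names are the thread's; the public name groucho.example.org, the login name gene and the key path are assumptions.

```sshconfig
# Added example: reach the inner LAN through groucho with a plain "ssh chico".
Host groucho
    # assumed public name of the one exposed machine
    HostName groucho.example.org
    User gene
    IdentityFile ~/.ssh/id_ed25519

Host harpo chico zeppo
    User gene
    # OpenSSH 7.3 and later: hop through groucho on the way in.
    ProxyJump groucho
    # Older clients get the same effect with stdio forwarding instead:
    # ProxyCommand ssh -W %h:%p groucho
```

`ssh -J groucho chico` is the one-off command-line form, and `ssh -G chico` prints the options the client will actually use, which is the quick way to confirm the fragment was picked up. Unlike agent forwarding (`ssh -A`), a jump host never sees your private key or agent socket: groucho only relays a TCP connection, the second ssh session authenticates end to end, and chico's host key is checked by your own client. The inner machines still need your public key in their authorized_keys, which the thread's keyfile-only setup already provides.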
Gene,
the concept is
internet <-> router/modem <-> firewall <-> switch <-> local network/intranet
You can access the machines in your LAN directly without going through whatever.
I actually purchased a low-power fanless network PC (3 network ports) 10 years ago and it has been used as a firewall since then. Later some nice OpenWRT routers came out, so this is also doable for ~$30.
regards