27 Aug
2016
27 Aug
'16
2:46 p.m.
Greetings all;
Is there someone familiar with fail2ban here?
I just installed it and started it with the installation defaults, which I do not know
since the init script has no "dump" option.
However that bit of hungry guard dog only protects this machine, leaving the other 4 or
sometimes 5 on my local network still open.
So specifically, is there a way to broadcast the rules it applies to the other 4 or 5
machines, protecting them at the same time?
Or possibly broadcast them to the router, which is running dd-wrt, and which is considered
one of the more bulletproof reflash's about. I may be lucky, but since I do have a
port forward to allow my web server, there is a potential attack point.
Advice to a fail2ban new bee?
Thank you.
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
27 Aug
27 Aug
6:08 p.m.
New subject: [trinity-users] fail2ban advice needed
On Sat, Aug 27, 2016 at 10:46:31AM -0400, Gene Heskett wrote:
Greetings all;
Is there someone familiar with fail2ban here?
I'm not an expert, but I do run it myself.
I just installed it and started it with the
installation defaults,
which I do not know since the init script has no "dump" option.
Look at the default config file:
less /etc/fail2ban/fail2ban.conf
and the jail file:
less /etc/fail2ban/jail.conf
However that bit of hungry guard dog only protects
this machine,
leaving the other 4 or sometimes 5 on my local network still open.
So specifically, is there a way to broadcast the rules it applies to
the other 4 or 5 machines, protecting them at the same time?
The way I would do that would be to install fail2ban on each machine,
and then periodically rsync the relevant config files from one
designated "master" copy to the other machines. You can probably set
that up as a cron job.
Actually, that's not really how I would do it. How I really would do it
would be to ensure that only one machine is directly exposed to the
internet. Let's say I had four machines, "groucho", "harpo",
"chico" and
"zeppo". Plus, of course, my modem/router has a firewall. So I would
have:
(ASCII art best viewed in a fixed-width font, like Courier)
internet
|
|
firewall (router/modem)
|
|
groucho
|
+-------+-------+------------+
| | |
harpo chico zeppo
groucho, of course, also runs its own firewall, giving defence in depth:
even if router firewall is compromised, the firewall on groucho gives
some additional security. harpo, chico and zeppo don't have any firewall
because they're all part of my trusted LAN. (You may not trust your LAN,
in which case by all means put firewalls on everything.) Nothing can go
directly from the internet to the inner LAN, so groucho is the only
machine that needs to run fail2ban.
To SSH into chico, say, I would SSH into groucho, then SSH into chico.
There's probably a clever way of doing that in a single step with ssh
tunnelling, but that's beyond my level of expertise, so I just do it
with two steps.
Or possibly broadcast them to the router, which is
running dd-wrt, and
which is considered one of the more bulletproof reflash's about. I may
be lucky, but since I do have a port forward to allow my web server,
there is a potential attack point.
Does your router have a writable storage area? Apart from its own
configuration, of course?
--
Steve
6:29 p.m.
New subject: [trinity-users] fail2ban advice needed
On Saturday 27 August 2016 14:08:58 Steven D'Aprano wrote:
On Sat, Aug 27, 2016 at 10:46:31AM -0400, Gene Heskett
wrote:
In my lashup, although groucho has two ethernet ports, groucho is on an 8
port switch in parallel with harpo, chico, and zeppo. The switches
upstream port goes to the router. So all machines have instant access to
the net with the router keeping track of who originated the net traffic
request. ssh -Y using keyfile access control is transparent from this
machine to the others. As is an sshfs mount to /home/me on all the
other machines. Root access by ssh is denied. Where there is more than
one machine in a building/room, an additional hub tee's things off.
Greetings all;
Is there someone familiar with fail2ban here?
I'm not an expert, but I do run it myself.
I just installed it and started it with the
installation defaults,
which I do not know since the init script has no "dump" option.
Look at the default config file:
less /etc/fail2ban/fail2ban.conf
and the jail file:
less /etc/fail2ban/jail.conf
However that bit of hungry guard dog only
protects this machine,
leaving the other 4 or sometimes 5 on my local network still open.
So specifically, is there a way to broadcast the rules it applies to
the other 4 or 5 machines, protecting them at the same time?
The way I would do that would be to install fail2ban on each machine,
and then periodically rsync the relevant config files from one
designated "master" copy to the other machines. You can probably set
that up as a cron job.
Actually, that's not really how I would do it. How I really would do
it would be to ensure that only one machine is directly exposed to the
internet. Let's say I had four machines, "groucho", "harpo",
"chico"
and "zeppo". Plus, of course, my modem/router has a firewall. So I
would have:
(ASCII art best viewed in a fixed-width font, like Courier)
internet
firewall (router/modem)
groucho
+-------+-------+------------+
harpo chico zeppo
groucho, of course, also runs its own firewall, giving defence in
depth: even if router firewall is compromised, the firewall on groucho
gives some additional security. harpo, chico and zeppo don't have any
firewall because they're all part of my trusted LAN. (You may not
trust your LAN, in which case by all means put firewalls on
everything.) Nothing can go directly from the internet to the inner
LAN, so groucho is the only machine that needs to run fail2ban.
To SSH into chico, say, I would SSH into groucho, then SSH into chico.
There's probably a clever way of doing that in a single step with ssh
tunnelling, but that's beyond my level of expertise, so I just do it
with two steps.
Yes, one can add to its rules, but access is a cast iron b---h.
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
Or possibly broadcast them to the router, which
is running dd-wrt,
and which is considered one of the more bulletproof reflash's about.
I may be lucky, but since I do have a port forward to allow my web
server, there is a potential attack point.
Does your router have a writable storage area? Apart from its own
configuration, of course? 
10:53 p.m.
Gene Heskett wrote:
On Saturday 27 August 2016 14:08:58 Steven
D'Aprano wrote:
Gene,
the concept is
internet <-> router/modem <-> firewall <-> switch <-> local
network/intranet
you can access the machines in your lan directly without going through
whatever.
I actually purchased a low power fanless network pc (3 network ports) 10y
ago and it is being used as firewall since then. Later some nice OpenWRT
routers came out, so this is also doable for ~30$
regards
On Sat, Aug 27, 2016 at 10:46:31AM -0400, Gene
Heskett wrote:
In my lashup, although groucho has two ethernet ports, groucho is on an 8
port switch in parallel with harpo, chico, and zeppo. The switches
upstream port goes to the router. So all machines have instant access to
the net with the router keeping track of who originated the net traffic
request. ssh -Y using keyfile access control is transparent from this
machine to the others. As is an sshfs mount to /home/me on all the
other machines. Root access by ssh is denied. Where there is more than
one machine in a building/room, an additional hub tee's things off.
Greetings all;
Is there someone familiar with fail2ban here?
I'm not an expert, but I do run it myself.
I just installed it and started it with the
installation defaults,
which I do not know since the init script has no "dump" option.
Look at the default config file:
less /etc/fail2ban/fail2ban.conf
and the jail file:
less /etc/fail2ban/jail.conf
However that bit of hungry guard dog only
protects this machine,
leaving the other 4 or sometimes 5 on my local network still open.
So specifically, is there a way to broadcast the rules it applies to
the other 4 or 5 machines, protecting them at the same time?
The way I would do that would be to install fail2ban on each machine,
and then periodically rsync the relevant config files from one
designated "master" copy to the other machines. You can probably set
that up as a cron job.
Actually, that's not really how I would do it. How I really would do
it would be to ensure that only one machine is directly exposed to the
internet. Let's say I had four machines, "groucho", "harpo",
"chico"
and "zeppo". Plus, of course, my modem/router has a firewall. So I
would have:
(ASCII art best viewed in a fixed-width font, like Courier)
internet
firewall (router/modem)
groucho
+-------+-------+------------+
harpo chico zeppo
groucho, of course, also runs its own firewall, giving defence in
depth: even if router firewall is compromised, the firewall on groucho
gives some additional security. harpo, chico and zeppo don't have any
firewall because they're all part of my trusted LAN. (You may not
trust your LAN, in which case by all means put firewalls on
everything.) Nothing can go directly from the internet to the inner
LAN, so groucho is the only machine that needs to run fail2ban.
To SSH into chico, say, I would SSH into groucho, then SSH into chico.
There's probably a clever way of doing that in a single step with ssh
tunnelling, but that's beyond my level of expertise, so I just do it
with two steps.
Yes, one can add to its rules, but access is a cast iron b---h.
Cheers, Gene Heskett Or possibly broadcast them to the router, which
is running dd-wrt,
and which is considered one of the more bulletproof reflash's about.
I may be lucky, but since I do have a port forward to allow my web
server, there is a potential attack point.
Does your router have a writable storage area? Apart from its own
configuration, of course?
11:17 p.m.
New subject: [trinity-users] Re: fail2ban advice needed
On Saturday 27 August 2016 18:53:09 deloptes wrote:
Gene Heskett wrote:
dd-wrt may have additional bells and whistles. It seems to need a $70
router to have the resources to do port forwarding, customized iptables
rules and such. However, it has worked so well for me that I have not
had the urge to try some of the $30 routers. Competition generally
leads to a better, cheaper product.
The new user would be wise to survey what is available, and for how much.
But first learn the lingo well enough to determine if you need feature
such and such. dd-wrt is the only one I trust to not have a back door
in it. Someone else will have to attest for openwrt, and tomato as I
have exactly zero experience with them.
On Saturday 27 August 2016 14:08:58 Steven
D'Aprano wrote:
Gene,
the concept is
internet <-> router/modem <-> firewall <-> switch <-> local
network/intranet
you can access the machines in your lan directly without going through
whatever.
I actually purchased a low power fanless network pc (3 network ports)
10y ago and it is being used as firewall since then. Later some nice
OpenWRT routers came out, so this is also doable for ~30$
regards
On Sat, Aug 27, 2016 at 10:46:31AM -0400, Gene
Heskett wrote:
In my lashup, although groucho has two ethernet ports, groucho is on
an 8 port switch in parallel with harpo, chico, and zeppo. The
switches upstream port goes to the router. So all machines have
instant access to the net with the router keeping track of who
originated the net traffic request. ssh -Y using keyfile access
control is transparent from this machine to the others. As is an
sshfs mount to /home/me on all the other machines. Root access by
ssh is denied. Where there is more than one machine in a
building/room, an additional hub tee's things off.
Greetings all;
Is there someone familiar with fail2ban here?
I'm not an expert, but I do run it myself.
I just installed it and started it with the
installation
defaults, which I do not know since the init script has no "dump"
option.
Look at the default config file:
less /etc/fail2ban/fail2ban.conf
and the jail file:
less /etc/fail2ban/jail.conf
However that bit of hungry guard dog only
protects this machine,
leaving the other 4 or sometimes 5 on my local network still
open.
So specifically, is there a way to broadcast the rules it applies
to the other 4 or 5 machines, protecting them at the same time?
The way I would do that would be to install fail2ban on each
machine, and then periodically rsync the relevant config files from
one designated "master" copy to the other machines. You can
probably set that up as a cron job.
Actually, that's not really how I would do it. How I really would
do it would be to ensure that only one machine is directly exposed
to the internet. Let's say I had four machines, "groucho",
"harpo",
"chico" and "zeppo". Plus, of course, my modem/router has a
firewall. So I would have:
(ASCII art best viewed in a fixed-width font, like Courier)
internet
firewall (router/modem)
groucho
+-------+-------+------------+
harpo chico zeppo groucho, of course, also runs its own firewall,
giving defence in
depth: even if router firewall is compromised, the firewall on
groucho gives some additional security. harpo, chico and zeppo
don't have any firewall because they're all part of my trusted LAN.
(You may not trust your LAN, in which case by all means put
firewalls on everything.) Nothing can go directly from the internet
to the inner LAN, so groucho is the only machine that needs to run
fail2ban.
To SSH into chico, say, I would SSH into groucho, then SSH into
chico. There's probably a clever way of doing that in a single step
with ssh tunnelling, but that's beyond my level of expertise, so I
just do it with two steps.
Yes, one can add to its rules, but access is a cast iron b---h.
Cheers, Gene Heskett Or possibly broadcast them to the router, which
is running
dd-wrt, and which is considered one of the more bulletproof
reflash's about. I may be lucky, but since I do have a port
forward to allow my web server, there is a potential attack
point.
Does your router have a writable storage area? Apart from its own
configuration, of course?
---------------------------------------------------------------------
To unsubscribe, e-mail:
trinity-users-unsubscribe(a)lists.pearsoncomputing.net For additional
commands, e-mail: trinity-users-help(a)lists.pearsoncomputing.net Read
list messages on the web archive:
http://trinity-users.pearsoncomputing.net/ Please remember not to
top-post:
http://trinity.pearsoncomputing.net/mailing_lists/#top-posting
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
11:30 p.m.
New subject: [trinity-users] Re: fail2ban advice needed
On Sunday 28 of August 2016 01:17:45 Gene Heskett wrote:
dd-wrt may have additional bells and whistles. It
seems to need a $70
router to have the resources to do port forwarding, customized iptables
rules and such. However, it has worked so well for me that I have not
had the urge to try some of the $30 routers. Competition generally
leads to a better, cheaper product.
The new user would be wise to survey what is available, and for how
much. But first learn the lingo well enough to determine if you need
feature such and such. dd-wrt is the only one I trust to not have a
back door in it. Someone else will have to attest for openwrt, and
tomato as I have exactly zero experience with them.
I've also previously used the dd-wrt, but after I get to know better
OpenWRT, it became my first choice. Part of flash is available as a
regular filesystem. Is there a proper packaging system. In short, much
more versatile than dd-wrt.
Anyway, when I last looked at the dd-wrt pages, so it seemed to me that
the development already stagnant for some time.
--
Slávek
28 Aug
28 Aug
12:02 a.m.
New subject: [trinity-users] Re: fail2ban advice needed
On Saturday 27 August 2016 19:30:46 Slávek Banko wrote:
On Sunday 28 of August 2016 01:17:45 Gene Heskett
wrote:
I can't argue that point Slávek. OTOH, what can you do to it that is not
already done so well that it Just Works(TM)? The last attack it might
have succumbed to had the whole Mary Ann rebuilt to guard against it in
something on the order of 36 hours, 2+ years ago. That included the
install bin's for several hundred routers. So BrainSlayer moved at more
than adequate speed IMO when the money and reputation was on the table.
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
dd-wrt may have additional bells and whistles.
It seems to need a
$70 router to have the resources to do port forwarding, customized
iptables rules and such. However, it has worked so well for me that
I have not had the urge to try some of the $30 routers. Competition
generally leads to a better, cheaper product.
The new user would be wise to survey what is available, and for how
much. But first learn the lingo well enough to determine if you need
feature such and such. dd-wrt is the only one I trust to not have a
back door in it. Someone else will have to attest for openwrt, and
tomato as I have exactly zero experience with them.
I've also previously used the dd-wrt, but after I get to know better
OpenWRT, it became my first choice. Part of flash is available as a
regular filesystem. Is there a proper packaging system. In short, much
more versatile than dd-wrt.
Anyway, when I last looked at the dd-wrt pages, so it seemed to me
that the development already stagnant for some time.
3037
days inactive
3038
days old
6 comments
4 participants
participants (4)
-
deloptes -
Gene Heskett -
Slávek Banko -
Steven D'Aprano