Hi Cyril,

Following this bug report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=366112 I've decided to add this feature request to your list ;-)

Now maxfailures doesn't distinguish between different attack attempts, so there is no difference if there are 5 unsuccessful attempts for the same account (which can simply be due to the bad gray brain cells of the users) or there is a sweep of 5 different tested login names. Even more relevant: if there is an attack on apache trying to exploit a known vulnerability, they blindly go through various URLs which could be present on the server. So it is pretty much the same as with different login names during an SSH attack. A single URL from within this set can be valid on its own, thus we should not ban the IP if it has multiple accesses to the same "valid" URL.

Do you think it would make sense to add "maxdifffailures", which would spot the scanning attempts? It would be useful for ssh as well, so we could raise maxfailures up to 10 to allow users with bad memory to finally get to their password, but have maxdifffailures around 4, so if there is a sweep of attempts (different login names, different known "weak" URLs, etc.), then it gets banned sooner.

It can be quite easily implemented by adding a named group in the current regexps (named "target"), and keeping a list of hit targets for every detected attacker IP. As soon as the list gets longer than maxdifffailures - ban it.

Please let me know what you think! I think I can implement it in the current version (as soon as I get to fail2ban :-) -- I have a backlog of things to do on it already, I know ;-))

On Fri, 05 May 2006, Yaroslav Halchenko wrote:
> I doubt that this wishlist should be addressed due to
> 1. fail2ban works at the moment independently on each log line, thus it
> is impossible to discriminate between multiple occasions of a single
> line (which could be totally "legal") or different multiple matches.
> 2. the xmlrpc vulnerability was fixed and there are multiple pieces of software
> using it, and we don't want to block hosts which would access xmlrpc.php
> for a good reason ;-)
> thus at the moment I don't see this rule implemented.
> but I would suggest to rephrase this wishlist may be as a new feature
> request to have multiple separate regexps, and ban
> if a given IP scans through the list, trying to sense present vulnerable
> software. If you agree that it might be useful -- I would forward this
> wishlist upstream. If you think that the issue is minor - I would like
> to close the bug with "wontfix"

-- 
Keep in touch
Yaroslav Halchenko
(yoh@|www.)onerussian.com
ICQ#: 60653192
Linux User [175555]
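The counting proposed in the mail, as an added Python example that is not part of this thread or of fail2ban itself: a failregex carries a named "target" group next to the host, each attacker IP accumulates both a raw failure count (maxfailures) and a set of distinct targets (maxdifffailures), and a sweep over many login names trips the second threshold long before a single user mistyping one password reaches the first. The sshd-style log lines and the regex are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the mail or a real server).
# 10.0.0.5 is one user failing five times on one account;
# 10.0.0.9 sweeps four different login names.
LOG_LINES = [
    "May  5 10:00:01 host sshd[100]: Failed password for alice from 10.0.0.5 port 4000 ssh2",
    "May  5 10:00:05 host sshd[101]: Failed password for alice from 10.0.0.5 port 4001 ssh2",
    "May  5 10:00:09 host sshd[102]: Failed password for alice from 10.0.0.5 port 4002 ssh2",
    "May  5 10:00:13 host sshd[103]: Failed password for alice from 10.0.0.5 port 4003 ssh2",
    "May  5 10:00:17 host sshd[104]: Failed password for alice from 10.0.0.5 port 4004 ssh2",
    "May  5 10:01:01 host sshd[105]: Failed password for invalid user admin from 10.0.0.9 port 5000 ssh2",
    "May  5 10:01:02 host sshd[106]: Failed password for invalid user test from 10.0.0.9 port 5001 ssh2",
    "May  5 10:01:03 host sshd[107]: Failed password for invalid user oracle from 10.0.0.9 port 5002 ssh2",
    "May  5 10:01:04 host sshd[108]: Failed password for invalid user guest from 10.0.0.9 port 5003 ssh2",
]

# Failregex in the spirit of fail2ban's sshd rule, extended with the
# proposed named "target" group (the attempted login name).
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?(?P<target>\S+) "
    r"from (?P<host>\d+\.\d+\.\d+\.\d+)"
)

def evaluate(lines, maxfailures=10, maxdifffailures=4, regex=FAILREGEX):
    """Return {ip: reason} for every IP that crosses a threshold.

    maxfailures counts every matching line per IP; maxdifffailures counts
    only distinct targets per IP, so repeated failures on one account stay
    below it while a scan over many accounts reaches it quickly.
    """
    failures = defaultdict(int)
    targets = defaultdict(set)
    banned = {}
    for line in lines:
        m = regex.search(line)
        if not m:
            continue
        ip = m.group("host")
        failures[ip] += 1
        targets[ip].add(m.group("target"))
        if ip in banned:
            continue  # already decided; keep counting for reporting only
        if len(targets[ip]) >= maxdifffailures:
            banned[ip] = "maxdifffailures"
        elif failures[ip] >= maxfailures:
            banned[ip] = "maxfailures"
    return banned

if __name__ == "__main__":
    print(evaluate(LOG_LINES))  # {'10.0.0.9': 'maxdifffailures'}
```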