Benjamin,

Well I'm confused, your adaptive ban variables must be uppercase, the ADAPTIVE_BAN_FILE is missing the leading '/' and not sure what the ** is.

If your "/etc/arno-iptables-firewall/plugins/adaptive-ban.conf" file has got corrupted, the default can be found at "/stat/etc/arno-iptables-firewall/plugins/adaptive-ban.conf". As the comments in adaptive-ban.conf suggest...
--
# A list of analysis types that are applied
# Choose from: sshd asterisk lighttpd prosody pptpd
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_TYPES="sshd asterisk prosody"
--

Simply, the adaptive ban plugin (like fail2ban) continually monitors a log file "/var/log/messages" looking for standard error messages that could be a result of an attack, the IPv4 or IPv6 address is noted and extracted to be banned.

Lonnie

On Mar 2, 2014, at 5:55 PM, Benjamin L. Naber wrote:

> I guess I am still not understanding.
>
> This is my adaptive-ban.conf:
>
> adaptive_ban_file="var/log/messages"
> adaptive_ban_time=120
> adaptive_ban_count=1
> adaptive_ban_type="sshd asterisk" **
>
> I have attempted to all of these, one at a time, AIF,aif,IDS,ids, into
> the ban_type and the log says:
> adaptive-ban: Unsupported type "AIF" (or any of the others)
>
> the fail2ban website is french to me, so I think I need a little more
> guidance.
>
> I see the adaptive ban works with types sshd, asterisk, and httpd, but
> nothing else? I know very little of scripting, and while trying to
> understand the adaptive-ban.plugin file on fossies.org just isn't making
> sense to me.
>
> ~Benjamin
>
>
> On Sat, 2014-03-01 at 21:57 -0600, Lonnie Abelbeck wrote:
>> Benjamin,
>>
>> The ids-protection plugin is not like fail2ban, our adaptive-ban plugin is
>> like fail2ban.
>>
>> The ids-protection plugin uses iptables' "recent" module, google will help
>> understand how that works. Only relatively short term ban persistence as I
>> understand it.
>>
>> The adaptive-ban plugin ban persistence is until the next time the firewall
>> is restarted, and then it will reapply any bans as per the current
>> /var/log/messages log.
>>
>> Lonnie
>>
>>
>> On Mar 1, 2014, at 9:10 PM, Benjamin Naber wrote:
>>
>>> Greets all,
>>>
>>> I am trying to figure out the IDS ban plugin for the firewall.
>>>
>>> I've been told it was similar to fail2ban, however, I have yet to
>>> understand how to define a statement for (whatever program/plugin) to
>>> ban an IP for a given length of time when the log on the main page
>>> states:
>>>
>>> AIF:IDS violation: IN=eth1 OUT=
>>> MAC=00:e0:c5:6a:7e:c4:00:01:5c:3e:b2:41:08:00 SRC=70.67.206.31 DST=[my
>>> IP] LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=27721 DF PROTO=TCP SPT=55260
>>> DPT=38438 WINDOW=8192 RES=0x00 SYN URGP=0
>>>
>>> for repeat offenders and IDS is supposed to do something, it does not.
>>> It simply displays the AIF:IDS violation.
>>>
>>> In /mnt/kd/blocked-hosts, when I enter either the host IP, or the
>>> network/CIDR of the offender, such in this case, 70.67.206.0/24,
>>> I will never see the address in the messages log trying to access my
>>> stuff again.
>>>
>>> How do I have (whatever it is I need) add that IP address to the
>>> blocked-hosts file?
>>>
>>> I am not interested in a temp ban, as I have blocked IPs for a given
>>> time, unblocked them, only to find the same IP trying to get into my
>>> stuff.
>>>
>>> Please advise.
>>>
>>> ~Benjamin

_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to [email protected].
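As an added illustration of what Lonnie describes above (this is not the adaptive-ban plugin's own code), a POSIX shell function that does the core of what ADAPTIVE_BAN_TYPES="sshd" with an ADAPTIVE_BAN_COUNT threshold means: scan a log for sshd failure lines, extract the source address, and report every address seen at least that many times. The log lines are constructed samples, and the variable names and values are assumptions that mirror the adaptive-ban.conf names (uppercase, absolute path) rather than the plugin's real settings.

```sh
#!/bin/sh
# Added example, not the arno-iptables-firewall adaptive-ban plugin itself.
# Variables mirror the adaptive-ban.conf names; the values are assumptions.
ADAPTIVE_BAN_FILE="$(mktemp)"   # stands in for /var/log/messages (constructed)
ADAPTIVE_BAN_COUNT=3

# Constructed sshd lines: 10.0.0.5 fails three times, 10.0.0.9 once,
# and a successful login that must not be counted.
cat > "$ADAPTIVE_BAN_FILE" <<'EOF'
Mar  2 17:50:01 pbx sshd[2101]: Failed password for root from 10.0.0.5 port 51022 ssh2
Mar  2 17:50:03 pbx sshd[2101]: Failed password for root from 10.0.0.5 port 51023 ssh2
Mar  2 17:50:04 pbx sshd[2104]: Invalid user admin from 10.0.0.9
Mar  2 17:50:06 pbx sshd[2101]: Failed password for invalid user test from 10.0.0.5 port 51024 ssh2
Mar  2 17:50:09 pbx sshd[2110]: Accepted publickey for lonnie from 192.168.1.20 port 40000 ssh2
EOF

# Print, one per line, every source address that appears in at least
# COUNT sshd failure lines of LOGFILE (the addresses a ban would target).
# Usage: adaptive_ban_candidates LOGFILE COUNT
adaptive_ban_candidates() {
    logfile="$1"
    count="$2"
    # Keep only sshd failure patterns; "Accepted ..." lines never match.
    grep -E 'sshd\[[0-9]+\]: (Failed password for|Invalid user) ' "$logfile" \
      | sed -n -E 's/.* from ([0-9a-fA-F.:]+).*/\1/p' \
      | sort | uniq -c \
      | awk -v n="$count" '$1 >= n { print $2 }'
}

# With the sample above and a threshold of 3, only 10.0.0.5 is reported.
adaptive_ban_candidates "$ADAPTIVE_BAN_FILE" "$ADAPTIVE_BAN_COUNT"
```

Lowering the threshold to 1 (as in the posted adaptive-ban.conf) reports 10.0.0.9 as well after a single "Invalid user" line, which is why a count of 1 bans on the first failed attempt.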
