I’m posting for advice as to the _best_ way to protect “Shellinabox” (SIAB) on a server. I -have- found a solution, but I’m curious if anyone in the community has come up with a better solution.
While it might seem like it would be similar to protecting sshd, the fact that it runs through another port (externally 80, or better yet 443) and through a reverse proxy makes it nonstandard to log-parse. The problem that I ran up against is that SIAB behind a reverse proxy doesn’t return/log the actual remote IP address; it miserably reports localhost or 127.0.0.1. In a nutshell, /var/log/auth.log will show an authentication failure, but the remote host can’t be determined from this log. This is a documented shortcoming/“feature”/bug that has been nagging some of us users for years.

My way around it was to create 2 jails. The first one (which doesn’t do any jailing, just merging 2 logs), called SIAB-logger, triggers an action/search for appropriate matches showing authentication failures on 127.0.0.1, and then parses their TIMESTAMP. Once this timestamp is pinned down, the action/script parses /var/log/lighttpd/access.log for specific strings that mark GETs pointed to the SIAB proxy server. From the access.log the true remote host/IP is parsed, and then the HOST and TIMESTAMP are printed to a new log, say /var/log/SIABfailures.log. The second jail, SIAB, does the actual jailing, just like any https jail would do. It parses /var/log/SIABfailures.log and bans the remote host accordingly, as you’d expect.

I reflected on the problem a good bit, but was unable to come up with a single-jail solution, since a single log containing all relevant info doesn’t exist w/o the first jail’s logging work. I thought about declaring both logfiles (auth.log and lighttpd/access.log) in a single jail, but couldn’t work out how to “AND” or intersect the matches of two filters simultaneously. My background w/ regex and the like is limited. Perhaps someone out there has already solved this problem in a more succinct way?
Thanks in advance, Dave

Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
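The correlation step the first jail's action performs, as an added example and not Dave's script: it pairs each auth.log failure reported against 127.0.0.1 with the nearest request to the SIAB proxy path in lighttpd's access.log and emits lines for /var/log/SIABfailures.log. It assumes lighttpd's default accesslog format, a /shellinabox proxy location, both logs in the same local time, and the constructed sample lines shown.

```python
"""Added example, not Dave's script: recover the real remote host for SIAB
auth failures (logged as 127.0.0.1 behind the proxy) by correlating auth.log
with lighttpd's access.log. Assumptions: lighttpd default accesslog format,
a /shellinabox proxy path, and both logs stamped in the same local time."""
import re
from datetime import datetime, timedelta

# auth.log: syslog timestamp (no year) plus a PAM failure hiding behind 127.0.0.1
AUTH_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*authentication failure.*rhost=(?:127\.0\.0\.1|localhost)")
# lighttpd access.log: host ident user [date] "METHOD path HTTP/x" status ...
ACCESS_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST) (?P<path>\S+)')
SIAB_PATH = "/shellinabox"  # assumed proxy location; match your lighttpd config

def parse_auth_failures(lines, year):
    """Datetimes of SIAB auth failures whose rhost is the proxy's loopback."""
    return [datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            for m in map(AUTH_RE.match, lines) if m]

def parse_siab_requests(lines):
    """(datetime, client_ip) for requests that reached the SIAB proxy path."""
    out = []
    for m in filter(None, map(ACCESS_RE.match, lines)):
        if m["path"].startswith(SIAB_PATH):  # split() drops the tz offset
            out.append((datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S"), m["host"]))
    return out

def correlate(auth_lines, access_lines, year, window_s=5):
    """Pair each hidden failure with the nearest SIAB request within window_s
    seconds; a failure with no candidate is dropped rather than guessed."""
    reqs, window, results = parse_siab_requests(access_lines), timedelta(seconds=window_s), []
    for fail_ts in parse_auth_failures(auth_lines, year):
        near = [(abs(ts - fail_ts), host) for ts, host in reqs if abs(ts - fail_ts) <= window]
        if near:
            results.append((fail_ts, min(near)[1]))
    return results

def format_for_fail2ban(results):
    """Lines for /var/log/SIABfailures.log; the banning jail's filter could use
    failregex = ^.* SIAB auth failure from <HOST>$"""
    return [f"{ts:%Y-%m-%d %H:%M:%S} SIAB auth failure from {host}" for ts, host in results]

# Constructed sample lines, not from a real server
AUTH_SAMPLE = [
    "Oct 10 13:55:36 web shellinabox[2201]: pam_unix(shellinabox:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1 user=root",
    "Oct 10 14:02:01 web shellinabox[2201]: pam_unix(shellinabox:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1 user=admin",
]
ACCESS_SAMPLE = [
    '203.0.113.7 - - [10/Oct/2015:13:55:35 +0000] "POST /shellinabox/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2015:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.0"',
    '203.0.113.7 - - [10/Oct/2015:14:30:00 +0000] "GET /shellinabox/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("\n".join(format_for_fail2ban(correlate(AUTH_SAMPLE, ACCESS_SAMPLE, year=2015))))
```

The second sample failure has no SIAB request within the window, so it is left unattributed rather than banned against a guessed host.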
