On 10/6/19 1:07 PM, Mike wrote:
> It seems by default, many of the fail2ban jails are rejecting incoming
> traffic with this iptables option: See
> https://github.com/fail2ban/fail2ban/issues/507.

In my opinion, there is no compelling pro or con, though rejects should
lessen overall inbound traffic.

> Is there an advantage of doing this over simply just DROP'ing the
> packets themselves?

Well-behaved clients should terminate a TCP session attempt after
icmp-port-unreachable. icmp-port-unreachable should also discourage
unwanted UDP. I happen to use --reject-with icmp-admin-prohibited and
--reject-with icmp6-adm-prohibited (to more easily discern such
deliberate rejects in a packet capture): many clients appear to
immediately attempt repeated TCP SYNs. Using DROP causes most TCP
clients to retry SYNs until they time out. There are some (when not
banned prior to arrival) "doorbell ringers" that send a single SYN,
receive the ACK, then send RST (or worse, leave off the RST resulting
in TCP half-open, for which there is net.ipv4.tcp_synack_retries=1)
and these will not be seen by fail2ban filters.

> Wouldn't this let the remote system know you're actively closing a
> potentially un-opened port, vs. if you just never replied to the
> inquiry the remote system would believe there is no service at that
> port?

icmp-port-unreachable is sent when the destination port lacks a bound
socket (or fail2ban has been instructed to send it regardless of port
state).

> I'm curious what the best way to stop repeat traffic might be? Setting
> long ban times (1w or longer) seems to diminish some but not all
> undesirable traffic (perhaps the more intelligent adversaries
> economize based on rejections), but that undesirable traffic will
> eventually return (to join the yet to be banned undesirable traffic).

Determining what is most efficacious requires long-duration traffic
analysis and will vary based on the target and its adversaries. Amuse
yourself by trying various ICMP rejects (as well as a simple DROP).
Observe the traffic to see how adversaries respond.
_______________________________________________
Fail2ban-users mailing list
fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
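The reply above says that judging ban times needs long-duration observation of how banned sources behave. The following script is an added example (mine, not from the thread and not part of the fail2ban project) of one way to do that from fail2ban's own log rather than from packet captures: it pairs each Unban with the next Ban of the same address, reports how quickly banned sources come back, and estimates how many of those returns a longer bantime would have absorbed. It assumes the default fail2ban log line shape (`fail2ban.actions [pid]: NOTICE [jail] Ban|Unban <ip>`); the sample log lines are constructed and use documentation address ranges.

```python
"""Measure how often banned sources return after their ban expires.

Added example, not code from the fail2ban-users thread or from fail2ban.
Assumes fail2ban's default log lines for ban actions, e.g.
  2019-10-06 13:07:01,234 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7
  2019-10-06 13:17:01,234 fail2ban.actions [1234]: NOTICE [sshd] Unban 203.0.113.7
Lines that are not Ban/Unban actions (e.g. filter "Found" lines) are ignored.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s+\[\d+\]:\s+"
    r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+(?P<event>Ban|Unban)\s+(?P<ip>\S+)$"
)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
2019-10-06 13:07:01,234 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7
2019-10-06 13:07:30,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.9
2019-10-06 13:17:01,234 fail2ban.actions [1234]: NOTICE [sshd] Unban 203.0.113.7
2019-10-06 13:17:30,000 fail2ban.actions [1234]: NOTICE [sshd] Unban 198.51.100.9
2019-10-06 13:18:00,000 fail2ban.filter [1234]: INFO [sshd] Found 198.51.100.9
2019-10-06 13:20:01,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7
2019-10-06 13:30:01,000 fail2ban.actions [1234]: NOTICE [sshd] Unban 203.0.113.7
2019-10-07 02:00:00,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7
""".splitlines()


def parse_events(lines):
    """Yield (timestamp, jail, event, ip) for each Ban/Unban line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["jail"], m["event"], m["ip"]


def ban_returns(lines):
    """Yield (ip, ban_ts, unban_ts, reban_ts) for every Ban that follows an
    Unban of the same address. ban_ts is None if the log started mid-ban
    (e.g. after rotation) and the original Ban line was never seen."""
    last_ban, last_unban = {}, {}
    for ts, _jail, event, ip in sorted(parse_events(lines)):
        if event == "Ban":
            if ip in last_unban:
                yield ip, last_ban.get(ip), last_unban.pop(ip), ts
            last_ban[ip] = ts
        else:
            last_unban[ip] = ts


def recidivism(lines):
    """Return {ip: [seconds between each Unban and the next Ban of that ip]}.
    A small gap means the source was still trying when the ban lapsed."""
    gaps = defaultdict(list)
    for ip, _ban, unban, reban in ban_returns(lines):
        gaps[ip].append((reban - unban).total_seconds())
    return dict(gaps)


def returns_absorbed(lines, bantime_seconds):
    """Return (absorbed, total): how many observed returns happened within
    bantime_seconds of the original Ban, i.e. re-bans that a ban of that
    length would have covered, assuming the source returns on the same
    schedule regardless of ban length."""
    absorbed = total = 0
    for _ip, ban, _unban, reban in ban_returns(lines):
        if ban is None:
            continue
        total += 1
        if (reban - ban).total_seconds() <= bantime_seconds:
            absorbed += 1
    return absorbed, total


if __name__ == "__main__":
    for ip, gaps in recidivism(SAMPLE_LOG).items():
        print(f"{ip}: returned {len(gaps)}x, gaps after unban (s): {gaps}")
    for bt in (600, 3600, 86400, 7 * 86400):
        a, t = returns_absorbed(SAMPLE_LOG, bt)
        print(f"bantime {bt:>7}s would have absorbed {a}/{t} returns")
```

Run it against `/var/log/fail2ban.log` (or the rotated copies concatenated, since the pairing needs the Unban and the following Ban in the same input) and compare the absorbed/total ratio across candidate ban times; the adversaries that only return after a week are the ones a longer bantime cannot economize against, which is the "diminish some but not all" effect the question describes.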
