Some associates and I have been working on a project that was
mentioned before on this list: a "pre-filter" that makes a great addendum
to F2B.  Our tests have shown that with Login-Shield in place, it cuts down
the F2B-banned traffic by 95+%!

We've finally got a public release, ready for people to test here:

https://github.com/DPsystems/Login-Shield

We call this "Login-Shield" - it's a set of shell scripts that create an
ipset blacklist of large blocks of IP space that are common vectors for
hacks/attacks/probes.

This is an initial line of defense that sits in front of F2B on the server
and logs/drops traffic to login-based ports (ftp, ssh, imap, pop3, etc.).
By default it doesn't mess with mail (smtp) or web traffic.  Its main
intention is to stop system probes to find login credentials, which seems
to be a major source of unwanted bot activity.

One script creates the blacklist, then there's a series of 4 other scripts
that add various types of IP blocks to the blacklist - you can edit the IP
lists and remove any systems you want to enable.  Then there's one last
script which activates the blacklist via iptables.  All of the scripts can
be reversed with the "del" parameter as well.

This is an initial public beta release - we've been testing it now for
several months and it looks very promising.  It requires very little memory
(18k of RAM with 314 entries in the blacklist) and even with that little bit,
it puts a huge stop to the vast majority of system probes.

This system was developed primarily for use with American servers that may
not have any clients overseas who need to log in.  It could easily be
adapted for use anywhere.  I also include an IP blacklist of common US-based
hosting companies that are common sources of bot attacks - I use these in
my local blacklist as well, just making sure to either whitelist my/client
IPs or remove any IP ranges that might affect me.

These IP-based blacklists cover a big chunk of IPv4 space: various class A
and class B ranges that are attributed to common threat sources such as China,
Korea, Russia, Mexico, South America, etc.  There is also a blacklist of
known proxies and VPNs as well as a list of American IP space that covers
the lion's share of cloud/hosting - you can pick and choose which
categories and which IP groups you want to block.  These are large blocks -
leaving F2B to catch the rest in smaller blocks.

Take a look at the scripts and let me know what you think.  This can
dramatically improve the security of your server and requires fewer
resources.  I hope to continue to develop this to make it more powerful and
flexible.

- DP
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users