Topic: blocking access attempts by IP address

Barrydocks

« on: February 09, 2013, 05:42:38 pm »
We have had a number of break-in attempts via ssh. Nobody has got in but it floods the syslogs with alerts. Is there any way to configure the Zentyal firewall and/or IDS to block access according to number of failed attempts and IP address? I suspect it might be doable via the events and dispatchers?

Thanks

half_life

« Reply #1 on: February 09, 2013, 07:51:43 pm »
fail2ban is your friend.  A quick search in the forums will provide info on it.  The other thing you can do is only allow ssh via specific IP addresses.  I routinely use the second option.

Barrydocks

« Reply #2 on: February 11, 2013, 01:45:26 pm »
Will fail2ban work OK with Zentyal's firewall?

I can't allow ssh from a specific IP address as it is often dynamic.
Thanks

christian

« Reply #3 on: February 11, 2013, 02:09:11 pm »
Quote
I can't allow ssh from a specific IP address as it is often dynamic

??? Sure, but the post title, except if I totally misunderstand, is about controlling IP, isn't it?
So what's your goal exactly?

robb

« Reply #4 on: February 11, 2013, 02:14:29 pm »
Why not disallow SSH from the outside and only accept SSH from the local network? Use a VPN to get to the inside from external locations.

ichat

« Reply #5 on: February 11, 2013, 06:51:52 pm »
@rob or do both... fail2ban can be applied to OpenVPN also... if I'm not mistaken...

Script kiddies usually run port scans on ssh ports... because many 'home made' web servers run it without protection...
All tips hints and advices are based on my personal experience.
As I try my best to be as accurate as possible, following my advice is always at your own risk,
I claim absolutely NO responsibility in any way!

Barrydocks

« Reply #6 on: February 12, 2013, 11:23:00 am »
@christian - I can't allow access from a specified IP address as the IP of the client machine is allocated dynamically by the ISP and so will change periodically.

@rob - I need ssh as I run rsync over an ssh connection as a cron job for automated off-site backup - I don't know how to set this up over a VPN  :-\

What I want is to block access from an IP address where there have been more than X number of failed login attempts.  @ichat - Fail2Ban looks ideal but will it work with the Zentyal firewall?

christian

« Reply #7 on: February 12, 2013, 11:35:47 am »
Do I misunderstand thinking that you connect "from" Zentyal to an external site in order to externalize backup? In such a case, you don't need any SSH listener on the Zentyal server side as Zentyal is acting as a client.

If this is just the opposite (Zentyal acting as backup platform for external client) then you can use SSH (and must open the SSH port) but you can also change the SSH authentication method to do this using a certificate instead of login/password  ;)
Not the default Zentyal setting (if I remember well) but perhaps worth the effort.

Barrydocks

« Reply #8 on: February 12, 2013, 12:00:05 pm »
Thanks christian, both servers are running Zentyal (one is v2.0, the other v2.2 - I gave up with v3.0 :-\).  To enable automated rsync jobs via ssh, login is already via an RSA key so no password is required - it's really easy to set up :)  On most of my servers I generally have password authentication disabled for ssh but on one I need it enabled; this is the one where I would like to block failed login attempts.

christian

« Reply #9 on: February 12, 2013, 12:18:59 pm »
So, there is basically nothing you can do  ::)
You need to have SSH with password enabled, can't control source IP as this is dynamic, and ask to block IP addresses  ::)

I'm a bit confused here.

Investigate fail2ban further as this is most likely the only (or similar) way to automatize something.
I would also look twice at Rob's advice and set up VPN tunnel between your 2 servers in order to implement rsync within this tunnel.

Barrydocks

« Reply #10 on: February 12, 2013, 12:43:13 pm »
Christian, read this bit again:
Quote
What I want is to block access from an IP address where there have been more than X number of failed login attempts.
It's not that hard to grasp  ::)

Fail2ban looks like it will do the job, but it works by modifying the iptables on the Ubuntu firewall - what I want to know is whether or not it will work with Zentyal's firewall?

christian

« Reply #11 on: February 12, 2013, 01:45:47 pm »
Sure, as a principle it's not that hard to grasp but... it just doesn't exist out-of-the-box  ;)

If fail2ban doesn't work you can still connect to IdeaZentyal and add your own request.

half_life

« Reply #12 on: February 12, 2013, 02:43:44 pm »
Barrydocks, what did your research in the forums lead you to believe about fail2ban working? Let us look at how Zentyal's firewall works. It uses iptables. Fail2ban uses iptables. I think the two are speaking the same language. Fail2ban watches incoming logs to find culprits to ban. It then injects an iptables rule blocking the IP address for a specified period of time. Then it removes that rule. Seems pretty simple to me. I found many people discussing installing fail2ban on Zentyal in the forums. I didn't find anyone yelling and screaming about it breaking anything.
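
The behaviour described in the post above (watch the log, ban an address after repeated failures, lift the ban after a set time) can be sketched as follows. This is an added example, not part of the thread and not fail2ban's own code: the log lines are constructed, `ban_events` is a hypothetical helper, and its `maxretry`, `findtime` and `bantime` parameters borrow the names of fail2ban's jail options.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of sshd entries in /var/log/auth.log.
SAMPLE_LOG = """\
Feb  9 17:40:01 gw sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Feb  9 17:40:03 gw sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Feb  9 17:40:05 gw sshd[2107]: Accepted publickey for backup from 198.51.100.20 port 50022 ssh2
Feb  9 17:40:06 gw sshd[2109]: Failed password for root from 203.0.113.7 port 40131 ssh2
Feb  9 17:41:10 gw sshd[2115]: Failed password for barry from 198.51.100.20 port 50030 ssh2
Feb  9 17:55:00 gw sshd[2140]: Failed password for root from 203.0.113.7 port 41000 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+")

def ban_events(log_text, maxretry=3, findtime=600, bantime=600, year=2013):
    """Return [(time, 'ban' | 'unban', ip)] decisions for the given log text."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside findtime
    banned = {}                   # ip -> time at which its ban expires
    events = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other lines are ignored
        # Syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        # Lift every ban that expired before this log line was written.
        for b_ip, until in sorted(banned.items(), key=lambda kv: kv[1]):
            if until <= ts:
                events.append((until, "unban", b_ip))
                del banned[b_ip]
        if ip in banned:
            continue              # already blocked, nothing more to decide
        window = recent[ip]
        window.append(ts)
        # Drop failures that fell out of the findtime window.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts + timedelta(seconds=bantime)
            events.append((ts, "ban", ip))
            window.clear()
    return events
```

The sketch only returns decisions; it does not touch the firewall, whereas fail2ban applies and removes the corresponding iptables rule itself.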

Barrydocks

« Reply #13 on: February 12, 2013, 02:54:56 pm »
Thanks half_life

I realise that fail2ban and the Zentyal firewall both use iptables; my concern was based on the fact that Zentyal tends to overwrite changes made to config files (hence the need for the pre and post set hooks).

I did do a search on the forum for fail2ban but only this post was found :-\

I'll give it a try and see what happens :D

Sam Graf

« Reply #14 on: February 12, 2013, 03:13:36 pm »
One of the "sneaky tricks" of SMF search is that it's global only from the home page, it seems. I found a few more results when searching from there.