[nos-bbs] fail2ban and denial of service

Michael E Fox - N6MEF n6mef at mefox.org
Mon Feb 9 22:07:14 EST 2015


> For what purpose should a user try root 'a few times' ?

None.

> If the IP is blocked, then the sysop can have a chat with the user :)

Right, *if* the sysop on the originating BBS realizes it.  The problem is
that when the originating BBS sysop realizes it, he's already cut off.  And
he may not be aware of the problem until much later, such as when someone
complains that messages aren't being forwarded.

So, the end result is: instead of the bad user failing to log into the
target (no damage), the bad user has successfully shut off legitimate
communication from the entire source BBS to the target.  In other words, the
cure could be worse than the disease.

Fail2ban allows one to exempt IPs from all or some jails.  I suppose one
could exempt one's forwarding partners.  That would only leave one open to
attacks by the few users on each of one's forwarding partners.

Alternatively, perhaps a different "jail" with a shorter ban timeout could
be defined for forwarding partners.  I don't know if it's possible to limit
a jail to apply only to certain IPs.  But if that's possible, then that could
slow down a brute force attack by making them come back later.  In the
meantime, forwarding could occur.  And if the target BBS's sysop enables
email alerts from fail2ban, they'd see that a particular system is getting
repeated bans and could then have a chat with the source BBS sysop.

Perhaps there are additional strategies?  Hmmm.  I've gotta think this
through a bit more.

Michael
N6MEF
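
The trade-off described in the message above, as an added example that is not part of the original post: a small simulation of a fail2ban-style ban counter over a constructed day of traffic from one partner BBS address, comparing a long ban, an exemption, and a shorter ban for the partner. The address, the event timings and the `partner_bantime` knob are assumptions made for the illustration; `partner_bantime` is hypothetical and is not a fail2ban option.

```python
from dataclasses import dataclass, field

PARTNER = "192.0.2.10"  # constructed address (TEST-NET-1) for the forwarding partner BBS

@dataclass
class Policy:
    maxretry: int = 3        # failures within findtime that trigger a ban
    findtime: int = 600      # seconds
    bantime: int = 86400     # seconds
    ignore: frozenset = frozenset()   # exempt IPs, as with fail2ban's ignoreip
    partner_bantime: dict = field(default_factory=dict)  # hypothetical per-IP ban length

def simulate(events, policy):
    """events: time-sorted (t, ip, kind), kind is 'fail' or 'forward'.
    Returns (guesses_reaching_login, forwards_blocked, bans)."""
    fails, banned_until = {}, {}
    guesses = blocked = bans = 0
    for t, ip, kind in events:
        if t < banned_until.get(ip, 0):      # banned: dropped before login
            blocked += kind == "forward"
            continue
        if kind == "forward":
            continue                          # legitimate session succeeds
        guesses += 1
        if ip in policy.ignore:
            continue
        recent = [x for x in fails.get(ip, []) if t - x < policy.findtime] + [t]
        fails[ip] = recent
        if len(recent) >= policy.maxretry:
            banned_until[ip] = t + policy.partner_bantime.get(ip, policy.bantime)
            fails[ip] = []
            bans += 1
    return guesses, blocked, bans

def sample_events():
    """Constructed day: one bad user guesses every 60 s for 2 h; forwarding runs every 30 min."""
    ev = [(t, PARTNER, "fail") for t in range(0, 7200, 60)]
    ev += [(t, PARTNER, "forward") for t in range(900, 86400, 1800)]
    return sorted(ev)

def compare():
    ev = sample_events()
    return {
        "long_ban": simulate(ev, Policy()),
        "exempt": simulate(ev, Policy(ignore=frozenset({PARTNER}))),
        "short_ban": simulate(ev, Policy(partner_bantime={PARTNER: 600})),
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

With this constructed traffic, the long ban stops the guessing after 3 attempts but drops all 48 forwarding sessions, the exemption lets all 120 guesses reach the login, and the 600-second ban allows 30 guesses while dropping 4 sessions.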



