[Firewall] Help with Adaptive Ban Plugin
lists at lonnie.abelbeck.com
Wed Oct 17 01:26:16 CEST 2012
Short answer, if you are running CentOS 5 and need mail- and ftp-related protection, then Fail2Ban is the best choice for you.
The longer answer...
As you know the Adaptive Ban Plugin is not part of the 'standard' AIF plugin suite, but rather referenced from the AstLinux project www.astlinux.org , BTW I am one of the current developers there.
AstLinux is small ( < 40MB ) and targeted for inexpensive, low-end x86 embedded platforms such as AMD Geode and Intel Atom multi-NIC boards. As such Fail2Ban is a no-go for us, not to mention we don't include python. It is no surprise we jumped on the Arno Firewall bandwagon years ago with it's minimal resource requirements.
One of AstLinux's primary features is running Asterisk www.asterisk.org to create a PBX, as such often SIP must be exposed to the public, and since there is money in making phone calls, there is plenty of hack-ware available to attack open SIP services such as Asterisk. This was the primary reason we developed the Adaptive Ban Plugin for AIF, and from user feedback it works well. The current Adaptive Ban Plugin has only a limited set of analysis types:
# A list of analysis types that are applied
# Choose from: sshd asterisk lighttpd mini_httpd pptpd
This list is designed around our needs, and uses a single shared log file (syslog). Though look at "adaptive-ban-helper" and new 'recipes' can be easily added, but requires getting intimate with the service's log files, possibly looking at Fail2Ban for a guide.
On Oct 16, 2012, at 12:46 PM, Gene Cooper wrote:
> Hi Folks,
> I use AIF to protect a (colo) production hosting box in a data center. (CentOS 5, Virtualmin)
> I have used Fail2Ban in the past. It works well; it's reliable; it's a little bit a pain to set up.
> Since I already have AIF installed (2.0.0b IIRC), I thought I would investigate the Adaptive Ban plugin before implementing Fail2Ban. The brute force scripts are starting to impact performance.
> Is the Adaptive Ban plugin appropriate for general use? I'm mostly concerned about mail- and ftp-related services and SSH (which I have on a non-standard port).
> If there is any documentation on plugin usage or Adaptive Ban plugin in particular, please point me in the right direction.
> I am specifically looking for a howto to implement the AB plugin. Or even just useful comments.
> Thanks in advance,
> Gene Cooper
> Sonora Communications, Inc.
> 936 W. Prince Road
> Tucson, AZ 85705
> (520)407-2000 x101
> (520)888-4060 fax
More information about the Firewall