openFATE - openSUSE feature tracking > #305285

Dictionary and DoS attack protection based on log scanning and dynamic firewall bans

Feature state

openSUSE Distribution
Unconfirmed
openSUSE-11.2
Rejected
openSUSE-11.3
Rejected

Description

Detailed Description

For these attacks, the application or service will usually not let the attacker break in; however, once a malicious password guess or a DoS attack is detected, banning the connection for some minutes and then unbanning it after several minutes is usually enough to stop a network connection from being flooded, and it also reduces the likelihood of a successful dictionary attack.

The situation goes this way:

- attacker starts a password-guessing attack
- the system detects Y consecutive failed login attempts in the log file of the service
- the system issues an iptables action to block the IP for X minutes
- after X minutes, the IP is allowed again

- attacker starts a DoS attack
- the system detects Y consecutive connections without a login
- the system issues an iptables action to block the IP for X minutes
- after X minutes, the IP is allowed again

Scope

To provide an extra option in the firewall module that allows selecting which services to monitor (usually by looking for patterns in the service's log file) and blocks the IP for a configurable interval once a dictionary attack or DoS is suspected. The option could also live in the services module (or in both), or even in the specific service's configuration module. The parameters to configure are usually the patterns and the actions.

Also, YaST should tell the user to install the required packages if this option is enabled.

Still to be defined in the scope is how much configurability is needed: whether only known services will be protected, or whether a generic way to define protection for an arbitrary service is desired.

Possible Implementation

Fail2Ban already provides most of this functionality. It runs as a service that lets you define jails; a jail is a pattern plus an action. A service can have more than one jail: for example, the pattern for an SSH DoS attack differs from that of a dictionary attack on the same service, and the ban times may differ too.

Fail2Ban provides generic functionality not tied to any specific service, and it comes with predefined patterns and actions for various popular services such as sshd, apache2 HTTP authentication and others.

http://en.wikipedia.org/wiki/Fail2ban
http://www.fail2ban.org

YaST would need to write the configuration specifying which patterns to use depending on the service to protect (or optionally define patterns for unknown services), the same for actions, and start or stop the service depending on whether this functionality is enabled.
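As an added illustration of the jail concept and the ban/unban sequence described above (example code written for this page, not part of the feature request, of fail2ban, or of YaST), the following Python models one jail for sshd: a log pattern, Y failed attempts within a window, a ban for X minutes (3, as in the test plan) and automatic expiry. The log lines are constructed, the regex is an assumption modelled on the sshd "Failed password" line, and the iptables action is returned as a string rather than executed.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd log excerpt in syslog format (no year; 2009 is assumed when parsing).
SAMPLE_LOG = """\
Jun  3 10:00:01 host sshd[1234]: Failed password for root from 198.51.100.7 port 51000 ssh2
Jun  3 10:00:03 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Jun  3 10:00:05 host sshd[1234]: Failed password for root from 198.51.100.7 port 51004 ssh2
Jun  3 10:00:09 host sshd[1235]: Accepted publickey for alice from 203.0.113.5 port 40000 ssh2
Jun  3 10:00:10 host sshd[1236]: Failed password for bob from 203.0.113.5 port 40002 ssh2
"""

# One "jail": a pattern plus ban parameters. The regex is an assumption, not fail2ban's own filter.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port"
)
MAXRETRY = 3                      # Y failed attempts ...
FINDTIME = timedelta(minutes=10)  # ... within this window ...
BANTIME = timedelta(minutes=3)    # ... earn a ban of X minutes (3, as in the test plan)

def parse_ts(s, year=2009):
    """Turn a syslog timestamp such as 'Jun  3 10:00:01' into a datetime."""
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")

def scan(log_text):
    """Return {ip: (ban_start, ban_end)} for every IP that reached MAXRETRY within FINDTIME."""
    attempts = {}  # ip -> failure timestamps still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in bans:   # non-matching line, or already banned
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        hits = [t for t in attempts.get(ip, []) if ts - t <= FINDTIME] + [ts]
        attempts[ip] = hits
        if len(hits) >= MAXRETRY:
            bans[ip] = (ts, ts + BANTIME)
    return bans

def is_banned(bans, ip, at):
    """The dynamic part: the ban applies only until BANTIME has elapsed."""
    if ip not in bans:
        return False
    start, end = bans[ip]
    return start <= at < end

def ban_action(ip):
    """The iptables action from the description, rendered as a command string."""
    return f"iptables -I INPUT -s {ip} -j DROP"
```

Running `scan(SAMPLE_LOG)` bans only 198.51.100.7 (three failures within two seconds); 203.0.113.5 has a single failure and is never blocked.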

Test Plan

Making several failed login attempts against the SSH server should block the user for 3 minutes. Simple test case.

User Experience

The functionality should be available in a sensible location (possibly more than one, for example the firewall module, the services module or the specific service module), allowing the user to turn it on with sane defaults (ideally the defaults fail2ban provides). The user can see the blocked attempts in the logs.

Dependencies

Using the fail2ban approach would require the fail2ban package, which in turn requires Python; it is available in the openSUSE Build Service from a community user's home project (home:leonardocf).

Contingency Plan

None, as the functionality was not available before.

Relations

Discussion

F. L. wrote: (9 years ago)

I don't know about the enterprise angle (I need to think), but for the community distro it seems quite a cool feature.

C. T. wrote: (9 years ago)

We won't be able to implement this feature in 11.2 within the YaST teams. Maybe still something for the community?

P. L. wrote: (8 years ago)

Denyhosts is a Python module running as a daemon, available in network:utilities, with similar functionality. I've used it with good success on several SLES servers and desktops.

H. d. wrote: (7 years ago)

The package fail2ban seems to be included in the distro nowadays (11.3), and some rudimentary configuration can be done through YaST's sysconfig editor.
It would be nice though to have more configurability added to the Security & Users -> Firewall YaST module for this very handy package, or some similar package.

Last change: 5 years ago
Voting
Score: 30
  • Negative: 0
  • Neutral: 0
  • Positive: 30