+1 on private networks here but…. Why not positively firewall them and drop the other noise in the kernel (or do this step upstream as an ACL on router / firewall whatever makes most sense). If I ‘had’ to do it this way, then….. I’d create an nftables config containing something like…. #!/usr/sbin/nft -f flush ruleset table inet filter { include “/etc/nftables.include/radiusclientips.nft” chain filter { type filter hook input priority 0; udp saddr @radiusclientips dport { 1812, 1813 } accept udp dport {1812,1813} counter drop … … } } Then in the include you do… set radiusclientips { type ipv4_addr flags interval elements = { 1.2.3.4/32, 4.5.6.7/32, 10.0.0.0/24, …. } } Quite easy to create this include ‘from’ the clients file / database / whatever and indeed if you are feeling like doing a little more work you don’t have to ‘reload’ the whole config to update the set they can be dynamically updated. (No, I haven’t tested the config but you get the idea). No more noise and at least the number of source IP’s that can get to your server is limited to those that should be talking RADIUS. A. From: Freeradius-Users <freeradius-users-bounces+alister.winfield=sky.uk@lists.freeradius.org> on behalf of Brantley Padgett via Freeradius-Users <freeradius-users@lists.freeradius.org> Date: Friday, 2 September 2022 at 04:40 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Cc: Brantley Padgett <brantleyp1@yahoo.com> Subject: [EXTERNAL] Re: fail2ban or similar concept Figured out how to turn off digest! whoohoo!!
No, because you don't expose your RADIUS server to the world.
That is outside my control. We have clients all over the country, most with no means to tunnel private IP space between, so the decision was made. Had I been there when that decision was made I would've raised a hand, or a couple of middle fingers.
that's exactly what fail2ban is for
Understood, that's kinda what I suspected but just wanted to double check. Thank you & Alan for the pointers. Brantley Padgett The question is not how far. The question is, do you possess the constitution, the depth of faith, to go as far as is needed? -Boondock Saints On Thursday, September 1, 2022, 10:31:42 PM CDT, Matthew Newton <mcn@freeradius.org> wrote: On 02/09/2022 04:20, Brantley Padgett via Freeradius-Users wrote:
I guess what I mean is for example, just combing through the logs of the soon to be retired server and I see one IP in particular that has made failed auth requests 1.9mil times since Jun 2022. That IP is not one of ours and it just seems to me reckless to allow that to happen unchecked.
Which is why you run RADIUS servers on internal back-end networks that are not publicly available. Don't permit IPs that are not yours from having access to the RADIUS server in the first place.
I wanted to check if freeradius had some form of limiting/banning built in that I just didn't understand before trying to make something like fail2ban work.
No, because you don't expose your RADIUS server to the world. But if you have logs identify IPs you want to block, that's exactly what fail2ban is for - get it to add a firewall rule like you would do for any other service. As Alan said, FreeRADIUS already ignores any unknown clients anyway, so you'd just firewall out the noise. -- Matthew - List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=05%7C01%7Calister.winfield%40sky.uk%7C34b1131d03b94b5b911a08da8c94dceb%7C68b865d5cf184b2b82a4a4eddb9c5237%7C0%7C0%7C637976868245932456%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=QjrG78gl%2FU1H734%2BVukssyQIjuOIO9gZd7z4bDH0Pfk%3D&reserved=0 - List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=05%7C01%7Calister.winfield%40sky.uk%7C34b1131d03b94b5b911a08da8c94dceb%7C68b865d5cf184b2b82a4a4eddb9c5237%7C0%7C0%7C637976868245932456%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=QjrG78gl%2FU1H734%2BVukssyQIjuOIO9gZd7z4bDH0Pfk%3D&reserved=0 -------------------------------------------------------------------- This email is from an external source. Please do not open attachments or click links from an unknown or suspicious origin. Phishing attempts can be reported by using the report message button in Outlook or sending them as an attachment to phishing@sky.uk. Thank you -------------------------------------------------------------------- Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky Limited and Sky International AG and are used under licence. Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075), Sky Subscribers Services Limited (Registration No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD