RE: fail2ban or similar concept
Apparently I signed up for digest to the list and not sure how to change that back so your reply did not come to my inbox. I'm sorry if this starts a new thread. Alan said: " What kind of "login attempt" do you mean? FreeRADIUS only accepts packets from (a) clients with known IP addresses, and (b) clients who have the correct shared secret. So that solves essentially all of the "fake packet" problems. For people trying username / password combinations, there isn't a lot you can do. Any unauthenticated system can do 802.1X, or anything similar which "tries to login". The NAS has to send such packets to the server. You can't ban the NAS, because it's a real RADIUS client used by good users. You can't really ban the users based on multiple login attempts, because the names are used by "real" users, too. You can't usually ban by MAC address, because the attackers can easily spoof that. So what are you trying to do? Your question is rather bit vague. What kind of traffic are you seeing? What is common to the "bad" traffic, which you don't see in the "good" traffic? Alan DeKok. " True, definitely not anything of that ilk. I guess what I mean is for example, just combing through the logs of the soon to be retired server and I see one IP in particular that has made failed auth requests 1.9mil times since Jun 2022. That IP is not one of ours and it just seems to me reckless to allow that to happen unchecked. I wanted to check if freeradius had some form of limiting/banning built in that I just didn't understand before trying to make something like fail2ban work. I've only used f2b for ssh monitoring which uses already established filters to comb the logs looking for the failed attempts, and the logs for radius I think will be easy enough for a filter, I didn't want to reinvent the wheel if there was already a good method available. My apologies again if faking a reply causes issues with the original thread. Brantley Padgett The question is not how far. The question is, do you possess the constitution, the depth of faith, to go as far as is needed? -Boondock Saints
On 02/09/2022 04:20, Brantley Padgett via Freeradius-Users wrote:
I guess what I mean is for example, just combing through the logs of the soon to be retired server and I see one IP in particular that has made failed auth requests 1.9mil times since Jun 2022. That IP is not one of ours and it just seems to me reckless to allow that to happen unchecked.
Which is why you run RADIUS servers on internal back-end networks that are not publicly available. Don't permit IPs that are not yours from having access to the RADIUS server in the first place.
I wanted to check if freeradius had some form of limiting/banning built in that I just didn't understand before trying to make something like fail2ban work.
No, because you don't expose your RADIUS server to the world. But if you have logs identify IPs you want to block, that's exactly what fail2ban is for - get it to add a firewall rule like you would do for any other service. As Alan said, FreeRADIUS already ignores any unknown clients anyway, so you'd just firewall out the noise. -- Matthew
Figured out how to turn off digest! whoohoo!!
No, because you don't expose your RADIUS server to the world.
That is outside my control. We have clients all over the country, most with no means to tunnel private IP space between, so the decision was made. Had I been there when that decision was made I would've raised a hand, or a couple of middle fingers.
that's exactly what fail2ban is for
Understood, that's kinda what I suspected but just wanted to double check. Thank you & Alan for the pointers. Brantley Padgett The question is not how far. The question is, do you possess the constitution, the depth of faith, to go as far as is needed? -Boondock Saints On Thursday, September 1, 2022, 10:31:42 PM CDT, Matthew Newton <mcn@freeradius.org> wrote: On 02/09/2022 04:20, Brantley Padgett via Freeradius-Users wrote:
I guess what I mean is for example, just combing through the logs of the soon to be retired server and I see one IP in particular that has made failed auth requests 1.9mil times since Jun 2022. That IP is not one of ours and it just seems to me reckless to allow that to happen unchecked.
Which is why you run RADIUS servers on internal back-end networks that are not publicly available. Don't permit IPs that are not yours from having access to the RADIUS server in the first place.
I wanted to check if freeradius had some form of limiting/banning built in that I just didn't understand before trying to make something like fail2ban work.
No, because you don't expose your RADIUS server to the world. But if you have logs identify IPs you want to block, that's exactly what fail2ban is for - get it to add a firewall rule like you would do for any other service. As Alan said, FreeRADIUS already ignores any unknown clients anyway, so you'd just firewall out the noise. -- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
+1 on private networks here but…. Why not positively firewall them and drop the other noise in the kernel (or do this step upstream as an ACL on router / firewall whatever makes most sense). If I ‘had’ to do it this way, then….. I’d create an nftables config containing something like…. #!/usr/sbin/nft -f flush ruleset table inet filter { include “/etc/nftables.include/radiusclientips.nft” chain filter { type filter hook input priority 0; udp saddr @radiusclientips dport { 1812, 1813 } accept udp dport {1812,1813} counter drop … … } } Then in the include you do… set radiusclientips { type ipv4_addr flags interval elements = { 1.2.3.4/32, 4.5.6.7/32, 10.0.0.0/24, …. } } Quite easy to create this include ‘from’ the clients file / database / whatever and indeed if you are feeling like doing a little more work you don’t have to ‘reload’ the whole config to update the set they can be dynamically updated. (No, I haven’t tested the config but you get the idea). No more noise and at least the number of source IP’s that can get to your server is limited to those that should be talking RADIUS. A. From: Freeradius-Users <freeradius-users-bounces+alister.winfield=sky.uk@lists.freeradius.org> on behalf of Brantley Padgett via Freeradius-Users <freeradius-users@lists.freeradius.org> Date: Friday, 2 September 2022 at 04:40 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Cc: Brantley Padgett <brantleyp1@yahoo.com> Subject: [EXTERNAL] Re: fail2ban or similar concept Figured out how to turn off digest! whoohoo!!
No, because you don't expose your RADIUS server to the world.
That is outside my control. We have clients all over the country, most with no means to tunnel private IP space between, so the decision was made. Had I been there when that decision was made I would've raised a hand, or a couple of middle fingers.
that's exactly what fail2ban is for
Understood, that's kinda what I suspected but just wanted to double check. Thank you & Alan for the pointers. Brantley Padgett The question is not how far. The question is, do you possess the constitution, the depth of faith, to go as far as is needed? -Boondock Saints On Thursday, September 1, 2022, 10:31:42 PM CDT, Matthew Newton <mcn@freeradius.org> wrote: On 02/09/2022 04:20, Brantley Padgett via Freeradius-Users wrote:
I guess what I mean is for example, just combing through the logs of the soon to be retired server and I see one IP in particular that has made failed auth requests 1.9mil times since Jun 2022. That IP is not one of ours and it just seems to me reckless to allow that to happen unchecked.
Which is why you run RADIUS servers on internal back-end networks that are not publicly available. Don't permit IPs that are not yours from having access to the RADIUS server in the first place.
I wanted to check if freeradius had some form of limiting/banning built in that I just didn't understand before trying to make something like fail2ban work.
No, because you don't expose your RADIUS server to the world. But if you have logs identify IPs you want to block, that's exactly what fail2ban is for - get it to add a firewall rule like you would do for any other service. As Alan said, FreeRADIUS already ignores any unknown clients anyway, so you'd just firewall out the noise. -- Matthew - List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=05%7C01%7Calister.winfield%40sky.uk%7C34b1131d03b94b5b911a08da8c94dceb%7C68b865d5cf184b2b82a4a4eddb9c5237%7C0%7C0%7C637976868245932456%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=QjrG78gl%2FU1H734%2BVukssyQIjuOIO9gZd7z4bDH0Pfk%3D&reserved=0 - List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=05%7C01%7Calister.winfield%40sky.uk%7C34b1131d03b94b5b911a08da8c94dceb%7C68b865d5cf184b2b82a4a4eddb9c5237%7C0%7C0%7C637976868245932456%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=QjrG78gl%2FU1H734%2BVukssyQIjuOIO9gZd7z4bDH0Pfk%3D&reserved=0 -------------------------------------------------------------------- This email is from an external source. Please do not open attachments or click links from an unknown or suspicious origin. Phishing attempts can be reported by using the report message button in Outlook or sending them as an attachment to phishing@sky.uk. Thank you -------------------------------------------------------------------- Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky Limited and Sky International AG and are used under licence. Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075), Sky Subscribers Services Limited (Registration No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD
participants (3)
-
Brantley Padgett -
Matthew Newton -
Winfield, Alister (Senior Solutions Architect)