fail2ban or similar concept
Alan DeKok
aland at deployingradius.com
Thu Sep 1 20:21:22 UTC 2022
On Sep 1, 2022, at 4:00 PM, Brantley Padgett via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> I'm trying to build a new radius server and add some security from our current system. I'm curious if there's any kind of abuse/banning type concept built in, or if anyone is running something like fail2ban alongside freeradius?
>
> In the process of building a new server (and migrating from Solaris to Linux) I've found a disturbing amount of login attempts from some IPs and was hoping if nothing else to slow that onslaught some.
What kind of "login attempt" do you mean?
FreeRADIUS only accepts packets from (a) clients with known IP addresses, and (b) clients who have the correct shared secret. So that solves essentially all of the "fake packet" problems.
For people trying username / password combinations, there isn't a lot you can do. Any unauthenticated system can do 802.1X, or anything similar which "tries to login". The NAS has to send such packets to the server.
You can't ban the NAS, because it's a real RADIUS client used by good users. You can't really ban the users based on multiple login attempts, because the names are used by "real" users, too. You can't usually ban by MAC address, because the attackers can easily spoof that.
So what are you trying to do? Your question is rather a bit vague.
What kind of traffic are you seeing? What is common to the "bad" traffic, which you don't see in the "good" traffic?
Alan DeKok.
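
Added example, not part of the original post and not FreeRADIUS code: a sketch of the two acceptance checks described in the reply (known client IP, then proof of the shared secret), using the RFC 2869 Message-Authenticator, an HMAC-MD5 over the packet keyed with the shared secret. The client table, secret and the policy of dropping requests that lack the attribute are assumptions of the sketch.

```python
import hashlib
import hmac
import os
import struct

# Constructed client table (illustrative values): source IP -> shared secret.
CLIENTS = {"192.0.2.10": b"constructed-secret"}
MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)


def build_access_request(secret, username, ident=1):
    """Build a minimal Access-Request that ends with a Message-Authenticator."""
    attrs = bytes([1, 2 + len(username)]) + username  # User-Name
    attrs += bytes([MSG_AUTH, 18]) + bytes(16)  # value zeroed while signing
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)
    packet = bytearray(header + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def find_msg_auth(packet):
    """Return the offset of the Message-Authenticator value, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return None  # malformed attribute
        if atype == MSG_AUTH and alen == 18:
            return pos + 2
        pos += alen
    return None


def accept_packet(src_ip, data):
    """Check (a) known client IP, then (b) proof of the shared secret."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return "drop: unknown client"
    length = struct.unpack("!H", data[2:4])[0] if len(data) >= 20 else 0
    if not 20 <= length <= len(data):
        return "drop: malformed"
    packet = data[:length]  # ignore padding past the declared length
    off = find_msg_auth(packet)
    if off is None:
        return "drop: malformed or no Message-Authenticator"
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(packet[off:off + 16], expected):
        return "drop: bad shared secret"
    return "process"
```

Both checks only establish that the packet came from a configured NAS; they say nothing about whether the username and password inside it are a guess.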