fail2ban or similar concept

Brantley Padgett brantleyp1 at yahoo.com
Fri Sep 2 03:20:35 UTC 2022


Apparently I signed up for digest to the list and am not sure how to change that back, so your reply did not come to my inbox. I'm sorry if this starts a new thread.

Alan said:
"
What kind of "login attempt" do you mean?

  FreeRADIUS only accepts packets from (a) clients with known IP addresses, and (b) clients who have the correct shared secret.  So that solves essentially all of the "fake packet" problems.

  For people trying username / password combinations, there isn't a lot you can do.  Any unauthenticated system can do 802.1X, or anything similar which "tries to login".  The NAS has to send such packets to the server.

  You can't ban the NAS, because it's a real RADIUS client used by good users.  You can't really ban the users based on multiple login attempts, because the names are used by "real" users, too.  You can't usually ban by MAC address, because the attackers can easily spoof that.

  So what are you trying to do?  Your question is rather a bit vague.

  What kind of traffic are you seeing?  What is common to the "bad" traffic, which you don't see in the "good" traffic?

  Alan DeKok.
"

True, definitely not anything of that ilk. 

I guess what I mean is, for example, I was just combing through the logs of the soon-to-be-retired server and I see one IP in particular that has made failed auth requests 1.9mil times since Jun 2022. That IP is not one of ours and it just seems to me reckless to allow that to happen unchecked.

I wanted to check if freeradius had some form of limiting/banning built in that I just didn't understand before trying to make something like fail2ban work. 

I've only used f2b for ssh monitoring, which uses already established filters to comb the logs looking for the failed attempts, and the logs for radius I think will be easy enough for a filter; I didn't want to reinvent the wheel if there was already a good method available.

My apologies again if faking a reply causes issues with the original thread. 

Brantley Padgett 

The question is not how far. The question is, 
do you possess the constitution, 
the depth of faith, to go as far as is needed? 
            -Boondock Saints
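
The log-combing idea from the message above, as an added example that is not part of the original post or of FreeRADIUS: a fail2ban-style threshold (parameter names borrowed from fail2ban's maxretry, findtime and ignoreip options) run over "Login incorrect" lines. The line format, regex and addresses are assumptions constructed for the example; check real radius.log lines before writing a filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape (constructed; adapt to what your radius.log really contains):
#   <weekday> <Mon> <d> <H:M:S> <Y> : Auth: (<n>) Login incorrect ...: [<user>] (from client <ip> port <p>)
LINE_RE = re.compile(
    r"^\w{3} (?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: .*Login incorrect"
    r".*\(from client (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10), ignoreip=()):
    """Map each source to the time it reached maxretry failures within findtime."""
    recent = defaultdict(deque)   # source -> timestamps of failures still in the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["src"] in ignoreip or m["src"] in offenders:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
        window = recent[m["src"]]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            offenders[m["src"]] = ts
    return offenders

# Constructed sample: 203.0.113.7 is an unknown source, 192.0.2.10 stands in for a real NAS.
SAMPLE = """\
Thu Sep  1 12:00:01 2022 : Auth: (1) Login incorrect (pap: bad password): [alice] (from client 203.0.113.7 port 0)
Thu Sep  1 12:00:05 2022 : Auth: (2) Login incorrect (pap: bad password): [bob] (from client 192.0.2.10 port 3)
Thu Sep  1 12:01:10 2022 : Auth: (3) Login incorrect (pap: bad password): [root] (from client 203.0.113.7 port 0)
Thu Sep  1 12:02:00 2022 : Auth: (4) Login OK: [carol] (from client 192.0.2.10 port 4)
Thu Sep  1 12:03:30 2022 : Auth: (5) Login incorrect (pap: bad password): [admin] (from client 203.0.113.7 port 0)
Thu Sep  1 12:04:00 2022 : Auth: (6) Login incorrect (pap: bad password): [bob] (from client 192.0.2.10 port 3)
Thu Sep  1 12:05:00 2022 : Auth: (7) Login incorrect (pap: bad password): [bob] (from client 192.0.2.10 port 3)
""".splitlines()

if __name__ == "__main__":
    # Exempting the NAS keeps one user's typos from cutting off every user behind it.
    for src, when in find_offenders(SAMPLE, ignoreip={"192.0.2.10"}).items():
        print(f"{src} reached the threshold at {when}")
```

Without the ignoreip entry the same run also flags 192.0.2.10, which is the "you can't ban the NAS" problem from the quoted reply.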

