[EXTERNAL] Re: fail2ban or similar concept

Winfield, Alister (Senior Solutions Architect) Alister.Winfield at sky.uk
Fri Sep 2 07:55:30 UTC 2022


+1 on private networks here but….

Why not positively firewall them and drop the other noise in the kernel (or do this step upstream as an ACL on router / firewall whatever makes most sense). If I ‘had’ to do it this way, then….. I’d create an nftables config containing something like….

#!/usr/sbin/nft -f

flush ruleset
table inet filter {
                # the include defines the radiusclientips set (generated from the clients list)
                include "/etc/nftables.include/radiusclientips.nft"
                chain filter {
                                type filter hook input priority 0;
                                # RADIUS auth/acct only from known client addresses
                                ip saddr @radiusclientips udp dport { 1812, 1813 } accept
                                # anything else aimed at RADIUS is counted and dropped in the kernel
                                udp dport { 1812, 1813 } counter drop
                                …
                                …
                }
}

Then in the include you do…

set radiusclientips {
        type ipv4_addr
        flags interval
        elements = {
                1.2.3.4/32,
                4.5.6.7/32,
                10.0.0.0/24,
                ….
        }
}

Quite easy to create this include ‘from’ the clients file / database / whatever, and indeed, if you are feeling like doing a little more work, you don’t have to ‘reload’ the whole config to update the set: sets can be dynamically updated.

(No, I haven’t tested the config but you get the idea).

No more noise, and at least the number of source IPs that can get to your server is limited to those that should be talking RADIUS.

A.
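One way to generate that include from a FreeRADIUS clients.conf, as an added example that is not part of this thread or of the FreeRADIUS project: it collects the client ipaddr/ipv4addr entries, refuses a wildcard client (which would make the allowlist meaningless), and renders both the include file in the layout above and an `nft add element` command for updating the live set without a reload. The sample clients.conf text, the table name `inet filter` and the set name `radiusclientips` are assumptions taken from the message above.

```python
import ipaddress
import re
from typing import List

# Constructed sample in FreeRADIUS clients.conf syntax, not a real site's file.
SAMPLE_CLIENTS_CONF = """
client nas-a {
    ipaddr = 192.0.2.10        # trailing comment is ignored
    secret = example-secret
}
client nas-b { ipaddr = 198.51.100.0/24 }
client nas-a-dup { ipv4addr = 192.0.2.10 }
client localhost { ipaddr = 127.0.0.1 }
client v6-nas { ipv6addr = 2001:db8::10 }
"""

ADDR_RE = re.compile(r"\b(ipaddr|ipv4addr|ipv6addr)\s*=\s*([^\s#}]+)")


def radius_client_networks(conf_text: str) -> List[ipaddress.IPv4Network]:
    """Collect the IPv4 client prefixes from clients.conf text, deduplicated and sorted.
    IPv6 clients are skipped because the set on the page is type ipv4_addr.
    A wildcard client ('*') is rejected: it would admit any source address."""
    nets = set()
    for _key, value in ADDR_RE.findall(re.sub(r"#.*", "", conf_text)):
        if value == "*":
            raise ValueError("wildcard client found; allowlist would be meaningless")
        net = ipaddress.ip_network(value, strict=False)  # tolerate host bits set
        if isinstance(net, ipaddress.IPv4Network):
            nets.add(net)
    return sorted(nets)


def render_set_include(nets, set_name="radiusclientips") -> str:
    """Render the include file in the layout used on the page (assumed set name)."""
    body = ",\n".join(f"\t\t{n.with_prefixlen}" for n in nets)
    return (f"set {set_name} {{\n\ttype ipv4_addr\n\tflags interval\n"
            f"\telements = {{\n{body}\n\t}}\n}}\n")


def nft_add_elements_argv(nets, table="inet filter", set_name="radiusclientips") -> List[str]:
    """argv for adding prefixes to the already-loaded set without reloading the ruleset."""
    elems = ", ".join(n.with_prefixlen for n in nets)
    return ["nft", "add", "element", *table.split(), set_name, f"{{ {elems} }}"]


if __name__ == "__main__":
    nets = radius_client_networks(SAMPLE_CLIENTS_CONF)
    print(render_set_include(nets))
    print(" ".join(nft_add_elements_argv(nets)))
```

The live-update path assumes the set already exists in the loaded ruleset; run the argv through subprocess rather than a shell so the braces need no quoting.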



From: Freeradius-Users <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org> on behalf of Brantley Padgett via Freeradius-Users <freeradius-users at lists.freeradius.org>
Date: Friday, 2 September 2022 at 04:40
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Brantley Padgett <brantleyp1 at yahoo.com>
Subject: [EXTERNAL] Re: fail2ban or similar concept
Figured out how to turn off digest! whoohoo!!

> No, because you don't expose your RADIUS server to the world.

That is outside my control. We have clients all over the country, most with no means to tunnel private IP space between, so the decision was made. Had I been there when that decision was made I would've raised a hand, or a couple of middle fingers.

> that's exactly what fail2ban is for

Understood, that's kinda what I suspected but just wanted to double check.

Thank you & Alan for the pointers.

Brantley Padgett

The question is not how far. The question is,
do you possess the constitution,
the depth of faith, to go as far as is needed?
            -Boondock Saints

On Thursday, September 1, 2022, 10:31:42 PM CDT, Matthew Newton <mcn at freeradius.org> wrote:
On 02/09/2022 04:20, Brantley Padgett via Freeradius-Users wrote:
> I guess what I mean is for example, just combing through the logs of the soon to be retired server and I see one IP in particular that has made failed auth requests 1.9mil times since Jun 2022. That IP is not one of ours and it just seems to me reckless to allow that to happen unchecked.

Which is why you run RADIUS servers on internal back-end networks that
are not publicly available.

Don't permit IPs that are not yours from having access to the RADIUS
server in the first place.


> I wanted to check if freeradius had some form of limiting/banning built in that I just didn't understand before trying to make something like fail2ban work.


No, because you don't expose your RADIUS server to the world.

But if you have logs identify IPs you want to block, that's exactly what
fail2ban is for - get it to add a firewall rule like you would do for
any other service. As Alan said, FreeRADIUS already ignores any unknown
clients anyway, so you'd just firewall out the noise.

--
Matthew
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
