fail2ban


(David Rimmer) #1

Is there any point in using fail2ban on syncthing ports?

Has anybody done it?


(Antony Male) #2

What would you be trying to achieve?

Fail2ban is normally used to prevent brute-force attacks on passwords, and that sort of thing. What are you trying to prevent?


(Jakob Borg) #3

I guess it could be used to block brute force attacks on the web UI, if that’s a thing you’re worried about.


(Antony Male) #4

You’d need to be smart though, as the UI makes lots of valid HTTP requests.


(Jakob Borg) #5

You’d need an adapter to grab the “login failed” events and make them into some log consumable by fail2ban, probably.

I’d just pick a non-brute-forceable password and be done with it.


(Antony Male) #6

If you enable whatever needs to be enabled to log the “login failed” event to stdout, fail2ban has the tools necessary to parse that out efficiently, true.
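The adapter idea from posts #5 and #6, sketched as an added example (not code from any poster or from the Syncthing project): it turns failed-login events into one log line per failure and then counts them per address, standing in for fail2ban's `maxretry`/`findtime` logic. The event shape (`LoginAttempt`, `success`, `username`, `remoteAddress`), the log line format and all sample values are assumptions constructed for illustration.

```python
import ipaddress
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _ev(t, ok, user, addr):
    # Assumed event shape; all values passed in below are constructed.
    return json.dumps({"type": "LoginAttempt", "time": f"2024-05-01T{t}+00:00",
        "data": {"success": ok, "username": user, "remoteAddress": addr}})

SAMPLE_EVENTS = [
    _ev("10:00:00", False, "admin", "203.0.113.7"),
    _ev("10:00:05", False, "root", "203.0.113.7"),
    _ev("10:00:09", False, "admin from 192.0.2.1", "203.0.113.7"),
    _ev("10:01:00", True, "david", "198.51.100.2"),
    _ev("10:02:00", False, "david", "198.51.100.9"),
    _ev("10:30:00", False, "david", "198.51.100.9"),
    _ev("10:31:00", False, "x", "not-an-ip"),
]
LINE_RE = re.compile(r"^(\S+) syncthing-gui: login failed from (\S+)$")

def to_log_line(raw):
    """Return a log line for a failed login event, or None for anything else."""
    ev = json.loads(raw)
    data = ev.get("data") or {}
    if ev.get("type") != "LoginAttempt" or data.get("success") is not False:
        return None
    try:
        ip = ipaddress.ip_address(data.get("remoteAddress", ""))
    except ValueError:
        return None  # no parseable client address: nothing to ban
    # The username is attacker-controlled, so it is left out of the line.
    return f"{ev['time']} syncthing-gui: login failed from {ip}"

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Hosts with at least maxretry failures inside a sliding findtime window."""
    recent, banned = defaultdict(deque), set()
    for m in filter(None, map(LINE_RE.match, lines)):
        when, host = datetime.fromisoformat(m.group(1)), m.group(2)
        recent[host].append(when)
        while when - recent[host][0] > findtime:
            recent[host].popleft()
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

if __name__ == "__main__":
    print(offenders(filter(None, map(to_log_line, SAMPLE_EVENTS))))
```

Keeping the username out of the line and anchoring the pattern at both ends means a crafted username cannot smuggle a second address into the position the ban logic reads.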


(David Rimmer) #7

I’m setting up a virtual webserver on linode with passwords disabled on ssh, only public key. I was getting quite a few login attempts, some cycling through common account names.

So, I installed fail2ban with ssh jail to disable repeated attempts a bit quicker.

I’m not thinking about st web ui - port 8384 will still be blocked when st is installed with access over ssh as per docs.

As st is the only thing listening on the st ports, is it up to st to handle rogue attacks, or could it do with a bit of help at the iptables level?


(Antony Male) #8

How would you distinguish a “rogue” connection to Syncthing’s sync port, vs an actual one?


(David Rimmer) #9

I don’t know. Obviously st does.

I presume st drops rogue connections asap, but I don’t know if it does anything else?

It probably doesn’t remember the rogue ip address or report back to the os, but it might log some message which might be parsed by fail2ban.

There might be multi-lingual considerations.


(Jakob Borg) #10

There should be no advantage of having something like fail2ban protect the sync port. If there were, we should implement it internally.


(David Rimmer) #11

Since changing to a non-standard, fail2ban hasn’t needed to do anything.


(David Rimmer) #12

Sorry, last post didn’t make sense and couldn’t seem to edit it.