fail2ban

Is there any point in using fail2ban on syncthing ports?

Has anybody done it?

What would you be trying to achieve?

Fail2ban is normally used to prevent brute-force attacks on passwords, and that sort of thing. What are you trying to prevent?

I guess it could be used to block brute force attacks on the web UI, if that’s a thing you’re worried about.

You’d need to be smart though, as the UI makes lots of valid HTTP requests.

You’d need an adapter to grab the “login failed” events and make them into some log consumable by fail2ban, probably.

I’d just pick a non-brute-forceable password and be done with it.

If you enable whatever needs to be enabled to log the “login failed” event to stdout, fail2ban has the tools necessary to parse that out efficiently, true.
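Added example, not part of any post in this thread: a sketch of the "adapter" idea, which filters failed-login events out of a log that also contains the UI's many valid requests, rewrites them into one fixed line format, and emulates fail2ban's maxretry/findtime decision. The input log format, the `syncthing-gui` tag, and the function names are assumptions made for illustration; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed input shape (constructed, not Syncthing's real log format):
#   "<YYYY-MM-DD HH:MM:SS> ... login failed ... from <ip>"
FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r".*login failed.* from (?P<ip>[0-9a-fA-F:.]+)$"
)

# Constructed sample: valid UI requests mixed with failed logins.
SAMPLE = [
    "2024-01-01 10:00:00 GET /rest/system/status from 198.51.100.20",
    "2024-01-01 10:00:01 login failed for user admin from 203.0.113.7",
    "2024-01-01 10:00:05 login failed for user admin from 203.0.113.7",
    "2024-01-01 10:00:06 GET /rest/events from 198.51.100.20",
    "2024-01-01 10:00:09 login failed for user root from 203.0.113.7",
    "2024-01-01 10:30:00 login failed for user admin from 198.51.100.20",
]

def to_fail2ban_lines(lines):
    """Drop everything except failed logins; emit one normalized line each."""
    out = []
    for line in lines:
        m = FAILED.match(line.strip())
        if m:
            out.append(f"{m['ts']} syncthing-gui: auth failure from {m['ip']}")
    return out

# A fail2ban filter for the normalized lines could then use a failregex
# along the lines of:  ^\s*syncthing-gui: auth failure from <HOST>$
def would_ban(normalized, maxretry=3, findtime=600):
    """Emulate the jail decision: maxretry failures within findtime seconds."""
    recent = defaultdict(deque)
    banned = set()
    for line in normalized:
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        ip = line.rsplit(" ", 1)[1]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # forget failures older than the window
        if len(q) >= maxretry:
            banned.add(ip)
    return banned
```

Only the normalized lines would be written to the file the jail watches, so ordinary UI traffic never counts toward a ban.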

I’m setting up a virtual webserver on linode with passwords disabled on ssh, only public key. I was getting quite a few login attempts, some cycling through common account names.

So, I installed fail2ban with ssh jail to disable repeated attempts a bit quicker.

I’m not thinking about st web ui - port 8384 will still be blocked when st is installed with access over ssh as per docs.

As st is the only thing listening on the st ports, is it up to st to handle rogue attacks, or could it do with a bit of help at the iptables level?

How would you distinguish a “rogue” connection to Syncthing’s sync port, vs an actual one?

I don’t know. Obviously st does.

I presume st drops rogue connections asap, but I don’t know if it does anything else?

It probably doesn’t remember the rogue ip address or report back to the os, but it might log some message which might be parsed by fail2ban.

There might be multi-lingual considerations.

There should be no advantage of having something like fail2ban protect the sync port. If there were, we should implement it internally.

Since changing to a non-standard, fail2ban hasn’t needed to do anything.

Sorry, last post didn’t make sense and couldn’t seem to edit it
