The Infinite Monkey Theorem is a thought experiment stating that; a monkey hitting keys randomly on a typewriter for an infinite amount of time would eventually type any given text, like Shakespeare’s complete works, because all possibilities will occur given enough chances.
In my logs, I often find the same hosts probing my doors, despite efforts to block them using sensible ban times, (bantime) and allowed retries, (maxretry):
A short ban time and a few retries will take care of some script kiddies, but servers scratching my doors indefinitely, will eventually get lucky.
# /etc/feil2ban/jail.local
..
[sshd]
#Sensible limits for blocking the most obvious attempts to break in, accounting for some human mistakes.
enabled = true
findtime = 1h
bantime = 30m
maxretry = 5
filter = sshd
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
To mitigate this issue, without banning legitimate users making human mistakes, I’ve set up Fail2ban with 2 different jails and matching filters. The normal default jail takes care of manual probing, without banning unlucky human errors:
To counter script kiddies starting a new probe just minutes after the expired ban time, I’ve set up an identical filter, by copying the default filter into a new filter definition:
root@myhost:~# cp /etc/fail2ban/filter.d/sshd.conf /etc/fail2ban/filter.d/sshd-persistent.confThen crate a new jail in /etc/fail2ban/jail.local:
# /etc/feil2ban/jail.local
..
[sshd-persistent]
#Aggressive ban time and retries for blocking hosts that can't seem to stay away
#mode = normal
enabled = true
findtime = 14d
bantime = 7d
maxretry = 7
filter = sshd-persistent
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)sNB! I have chosen two different filters in two separate files because I want the ability to apply slightly different filters. By specifying the same filter in both jails, any filter change will affect both jails using the same filter:
# /etc/feil2ban/jail.local
..
[sshd]
#Normal jail for short ban time
enabled = true
findtime = 60m
bantime = 30m
maxretry = 6
filter = sshd
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
..
[sshd-persistent]
#Aggressive ban time and retries for blocking hosts that can't seem to stay away
#mode = normal
enabled = true
findtime = 14d
bantime = 7d
maxretry = 7
filter = sshd
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)sIt’s even possible to set an infinite ban, by providing a value of «-1» for the ban time:
# /etc/feil2ban/jail.local
..
# Sorry Mack..! :-P
bantime = -1
# maybe give them 11 tries?
maxretry = 11Please make sure that at least one IP address for a host you can ssh out of is whitelisted in the [DEFAULT] section of /etc/fail2ban/jail.local before testing this…!
# /etc/feil2ban/jail.local
..
[DEAFAULT]
..
ignoreip = 127.0.0.1/8 ::1 <your IP address>
Legg igjen en kommentar