[sslh] fail2ban

Yves (theYinYeti) mlyst at yeti.selfip.net
Tue Feb 14 10:53:52 CET 2012


Le 14/02/2012 10:40, Yves Rutschle a écrit :
> Hi Yves,
>
> On Tue, Feb 14, 2012 at 09:58:58AM +0100, Yves (theYinYeti) wrote:
>> I tried finding on Google, but couldn't, how fail2ban can be
>> configured to work with sslh.
>> I'd like, that SSH and HTTPS connections through sslh seem to come
>> from where they should, and not from 127.0.0.1.
>> Is it possible?
>
> This has been discussed already but there is currently no
> solution. Basically it's not possible to have the source
> addresses in sshd and httpd.
>
> I haven't tried it, but I think it should be possible to run
> fail2ban directly on the sslh log:
>
> Jan 10 10:11:07 thelonious sslh[23183]: connection from 84.14.115.254:36373 to 192.168.0.250:443 forwarded to 127.0.0.1:22
>
> This is enough to see there is connection from 84.14.115.254
> to ssh. Basically it's not quite normal to see many ssh
> connection from the same IP address, so you should be able
> to make a rule to ban the source IP after "some"
> connections.
>
> This would cause a problem if you have many users connecting
> to sslh from the same IP address, but I don't think that's a
> common use case.
>
> Please let me know if you get something working, as I'd like
> to add a solution to the Web site.
>
> Cheers,
> Y.

Thank you. I’ll let you know if I find a solution.

To be honest though, I may decide to rather use l7-filter (or opendpi, 
whichever takes less resources), although I suspect it may be too much of a 
burden for my SheevaPlug :-(

I’ve also read a hint, that iptables might be able to “tag” packets coming to 
SSLH (eth), and later (lo) use the tag somehow… But I fear it’ll fly high over 
my head :D

Within my abilities, I’m also thinking of creating shell scripts to kind of 
merge SSH and SSLH logs into a single log aimed at fail2ban, and the same for 
Apache.

Yves.
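As an added example (not from either correspondent), this is the counting the reply proposes, done over the sslh log line format quoted above: connections that sslh forwarded to the SSH backend are grouped by source address, and a source that reaches the threshold within the time window is reported. The sample log lines, the hostname "plug", the addresses and the maxretry/findtime values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog prefix, then the sslh line format quoted in the thread.
SSLH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sslh\[\d+\]: "
    r"connection from (?P<src>[\d.]+):\d+ to [\d.]+:\d+ "
    r"forwarded to (?P<backend>[\d.]+:\d+)$"
)

def parse_sslh_line(line, year=2012):
    """Return (timestamp, source_ip, backend) or None if the line is not an sslh line."""
    m = SSLH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["backend"]

def find_ssh_offenders(lines, backend="127.0.0.1:22", maxretry=5, findtime=600):
    """Sources with >= maxretry connections to `backend` inside any findtime-second span."""
    per_src = defaultdict(list)
    for line in lines:
        parsed = parse_sslh_line(line)
        if parsed and parsed[2] == backend:      # only connections sslh sent to sshd
            per_src[parsed[1]].append(parsed[0])
    offenders = set()
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over timestamps
            while (t - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                offenders.add(src)
                break
    return sorted(offenders)

# Constructed sample log: 192.0.2.10 reaches sshd five times within a minute
# (one of its connections goes to HTTPS and is ignored); 198.51.100.7 connects once.
SAMPLE_LOG = """\
Feb 14 09:00:01 plug sslh[1234]: connection from 192.0.2.10:40001 to 203.0.113.5:443 forwarded to 127.0.0.1:22
Feb 14 09:00:12 plug sslh[1234]: connection from 198.51.100.7:51000 to 203.0.113.5:443 forwarded to 127.0.0.1:22
Feb 14 09:00:15 plug sslh[1234]: connection from 192.0.2.10:40002 to 203.0.113.5:443 forwarded to 127.0.0.1:22
Feb 14 09:00:30 plug sslh[1234]: connection from 192.0.2.10:40003 to 203.0.113.5:443 forwarded to 127.0.0.1:443
Feb 14 09:00:31 plug sslh[1234]: connection from 192.0.2.10:40004 to 203.0.113.5:443 forwarded to 127.0.0.1:22
Feb 14 09:00:45 plug sslh[1234]: connection from 192.0.2.10:40005 to 203.0.113.5:443 forwarded to 127.0.0.1:22
Feb 14 09:01:02 plug sslh[1234]: connection from 192.0.2.10:40006 to 203.0.113.5:443 forwarded to 127.0.0.1:22
""".splitlines()
```

The same expression, with fail2ban's `<HOST>` tag in place of the `src` group and anchored on the `forwarded to 127.0.0.1:22` suffix, is the shape a fail2ban failregex for the sslh log would take.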


