fail2ban / SSHGuard on computer -> send to iptables on router?

Schuby

Occasional Visitor
Ok bear with me here and I'll explain what I'm trying to do.

I have a FreeNAS server set up that currently hosts a website that has a port forward rule on my router. I wanted to install fail2ban or SSHGuard in a separate jailed environment and have it monitor each of my jails' connections (this can be done via mounting syslogs and whatnot, but I won't get into that).

What I'm hoping I can do is have that fail2ban (or SSHGuard) installation in my jailed environment send the block commands to my router (maybe using iptables?). That way the router is the one blocking the connections and not the jail itself.

Hopefully that makes sense, but I wanted to see if anyone had a similar configuration or experience running something like this.

The closest thing I found was this:

https://sourceforge.net/p/fail2ban/mailman/message/25619733/

But I'm having a hard time understanding how they accomplished it (or if it even worked).

Thoughts?
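
The setup asked about above, sketched as an added example that is not part of the original post or of the linked fail2ban mailing-list message: a helper that fail2ban's `actionban`/`actionunban` could call to push a DROP rule to the router over SSH. The script path, router login, key path and the `F2B_REMOTE` chain (assumed to already exist on the router and to be jumped to from `FORWARD`, which port-forwarded traffic traverses) are assumptions.

```shell
#!/bin/sh
# Added example. fail2ban would call it from a hypothetical action file:
#   actionban   = /usr/local/bin/router-ban.sh ban <ip>
#   actionunban = /usr/local/bin/router-ban.sh unban <ip>
# Router login, key path and chain name are assumptions, not from the thread.
ROUTER="${ROUTER:-f2b@192.0.2.1}"   # placeholder login (TEST-NET-1 address)
CHAIN="${CHAIN:-F2B_REMOTE}"        # hypothetical chain hooked into FORWARD
KEY="${KEY:-/usr/local/etc/fail2ban/router_key}"

# Accept only a strict dotted-quad IPv4 address (octets 0-255, no leading
# zeros), so nothing derived from a log line can reach the router's shell
# as extra arguments or commands.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the one iptables command to run on the router: -I bans, -D unbans.
router_rule() {
    case "$1" in
        ban)   flag=-I ;;
        unban) flag=-D ;;
        *)     return 2 ;;
    esac
    valid_ipv4 "$2" || return 1
    printf 'iptables %s %s -s %s -j DROP\n' "$flag" "$CHAIN" "$2"
}

# Send the rule over SSH with a dedicated key. BatchMode prevents a password
# prompt from hanging fail2ban if key authentication fails.
router_apply() {
    rule=$(router_rule "$1" "$2") || return
    ssh -i "$KEY" -o BatchMode=yes -o ConnectTimeout=5 "$ROUTER" "$rule"
}

# Only act when invoked with arguments, e.g. from actionban/actionunban.
if [ "$#" -ge 2 ]; then router_apply "$1" "$2"; fi
```

The key used here can rewrite the router's firewall from inside a jail, so it carries the same weight as a router admin credential.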
 
> Ok bear with me here and I'll explain what I'm trying to do.

Ok I did - now I'll ask the question why?

Security is best when it is simple - think about what you are doing... you want Fail2Ban running on your NAS, with all your files/etc... even though you might be trying to run things in a jail, you really shouldn't be, at least not in this application..

Why are you doing this?
 
> Ok I did - now I'll ask the question why?
>
> Security is best when it is simple - think about what you are doing... you want Fail2Ban running on your NAS, with all your files/etc... even though you might be trying to run things in a jail, you really shouldn't be, at least not in this application..
>
> Why are you doing this?

I have about ten jails, each running a different service. Unfortunately you cannot modify the base of FreeNAS (well, you can, but it is not supported and can break things). I wanted to set up fail2ban to monitor the logs of each service and ban the offending IPs at the router level. If I could just install fail2ban onto the FreeNAS root, I would.

What other methods can I try?
 
You missed the important part of my post - why?

Actually I'll ask why you're running 10 jails on your filer (FreeNAS) with all of your important files/media/etc...

Security is always best when it is simple - what you are doing is not simple.. my advice - just don't...

Jails are nice and secure until they're not - but then it begs the question? What happens when one of them isn't 'right' and lets someone in... do you understand the context of what you're doing already, and trying to do?

Just because you can, does it mean you should?
 
In other words - I'm not going to help you shoot yourself in the foot...
 
> You missed the important part of my post - why?
>
> Actually I'll ask why you're running 10 jails on your filer (FreeNAS) with all of your important files/media/etc...
>
> Security is always best when it is simple - what you are doing is not simple.. my advice - just don't...
>
> Jails are nice and secure until they're not - but then it begs the question? What happens when one of them isn't 'right' and lets someone in... do you understand the context of what you're doing already, and trying to do?
>
> Just because you can, does it mean you should?

I understand what you are saying. I don't have any sensitive files on my FreeNAS box. This is more for a fun project with the side benefit of possibly hardening the network.

No worries. I appreciate the warning and will look at other simpler options that might be beneficial.
 