mirror of https://gitlab.com/shorewall/code.git, synced 2024-12-22 14:20:40 +01:00
Expand fail2ban documentation in the blacklisting article
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent fb14b0aafc
commit 3f5c47695e
@ -298,7 +298,7 @@ DROP net:200.55.14.18 all
details.</para>
</section>
<section>
<section id="fail2ban">
<title>BLACKLIST and Fail2ban</title>
<para>The BLACKLIST command can be used as 'blocktype' in
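Review bot: the rendered view has dropped the +/- markers, but the 7-line/7-line hunk header shows this is a single-line replacement, `<section>` becoming `<section id="fail2ban">`. Adding the id is harmless, but it only does something if another page or document links to this anchor; since the patch touches only this article, confirm that whatever is meant to deep-link to "BLACKLIST and Fail2ban" actually uses `#fail2ban`, otherwise the attribute is dead weight and a generated id would have served the same purpose.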
@ -335,5 +335,31 @@ DROP net:200.55.14.18 all
comand.</para>
</listitem>
</itemizedlist>
<para>There are a couple of additional things to note:</para>
<itemizedlist>
<listitem>
<para>The documentation in /etc/fail2ban/action.d/shorewall.conf
states that you should set BLACKLIST=All. A better approach when using
BLACKLIST as the 'blocktype' is to specify the <emphasis
role="bold">disconnect</emphasis> option in the setting of
DYNAMIC_BLACKLIST. With BLACKLIST=All, every packet entering the
firewall from the net must be checked against the dynamic-blacklisting
ipset. That is not required when you specify <emphasis
role="bold">disconnect</emphasis>.</para>
</listitem>
<listitem>
<para>The <emphasis role="bold">noupdate</emphasis> option allows
fail2ban full control when a host is 'unbanned'. The cost of using
this option is that after the specified <emphasis
role="bold">timeout</emphasis>, the entry for an attacking host will
be removed from the dynamic-blacklisting ipset, even if the host has
continued the attack while blacklisted. This isn't a great concern, as
the first attempt to access an unauthorized service will result in the
host being re-blacklisted.</para>
</listitem>
</itemizedlist>
</section>
</article>
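Review bot: the first new list item tells the reader not to follow the BLACKLIST=All advice in /etc/fail2ban/action.d/shorewall.conf, but it never says which BLACKLIST value to use instead, nor where the `disconnect` and `noupdate` options of DYNAMIC_BLACKLIST are described; a reader arriving from that action file needs both, so state the intended BLACKLIST setting and add a cross-reference to the DYNAMIC_BLACKLIST documentation. The second item should also make explicit whether the `timeout` it refers to is the DYNAMIC_BLACKLIST option or fail2ban's own ban time, since its argument about the entry being removed "even if the host has continued the attack" depends on which of the two expires. Finally, the unchanged context line at the top of the hunk still reads `comand.</para>`; it is cheap to correct to "command" in the same edit.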