Using fail2ban to open back door ports in your iptables [Port Knocking]

The opposite of fail2ban would probably be called auth2allow (authenticate to allow) or fail2allow, but that’s not necessary because fail2ban’s configs can be customized to do exactly what I’m talking about. What am I talking about, you ask? What I’ve done, and am about to explain how to do, is set up fail2ban to look for a successful login on an FTP server and allow the authenticated IP access to another port, one that isn’t as secure as FTP and so is usually 100% blacklisted in iptables. It’s just a hack of a security mechanism to allow yourself or others into places securely through obscure means. Like most security it’s not perfect, but it seems pretty solid in my mind.

If someone can authenticate on the FTP server (it could even be anonymous FTP, but I’d recommend using a special username that you specifically want to grant access), then fail2ban triggers an ALLOW command for their IP on some port (or all ports), for example SSH (22) or Apache HTTPS (443) hosting a site that you want to keep private and totally hidden from the internet at large. This concept could really apply to anything. Basically, any command iptables can run can be triggered by something fail2ban sees in a log file; the possibilities are endless. In my example I’ll use HTTPS, port 443, but in real life I’m using an obscure port number, and the program running on it is not very secure by default.

So here are my slightly modified configuration files for setting up a custom fail2ban service that does the opposite of what fail2ban typically does.
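The matching step described above, sketched as an added example; it is not the author's configuration, which this excerpt does not include. It assumes vsftpd-style log lines and a hypothetical dedicated account `knockuser`, and the sample log lines are constructed.

```python
import ipaddress
import re

KNOCK_USER = "knockuser"   # hypothetical dedicated FTP account (assumption)
PROTECTED_PORT = 443       # the example port used in the post

# Anchored at both ends and tied to one username, so only a successful login
# by the dedicated account matches. Assumes vsftpd-style log lines.
OK_LOGIN = re.compile(
    r'^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} \[pid \d+\] \['
    + re.escape(KNOCK_USER)
    + r'\] OK LOGIN: Client "(?P<host>[0-9A-Fa-f:.]+)"$'
)

def allow_rule(line):
    """Return the iptables argv that opens PROTECTED_PORT, or None."""
    m = OK_LOGIN.match(line.rstrip("\n"))
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group("host"))
    except ValueError:
        return None                      # looks like an address but is not one
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # ::ffff:a.b.c.d -> a.b.c.d
    tool = "iptables" if addr.version == 4 else "ip6tables"
    return [tool, "-I", "INPUT", "-s", str(addr), "-p", "tcp",
            "--dport", str(PROTECTED_PORT), "-j", "ACCEPT"]

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    'Mon Jan  6 10:15:01 2025 [pid 2411] [knockuser] FAIL LOGIN: Client "192.0.2.50"',
    'Mon Jan  6 10:15:02 2025 [pid 2412] [ftp] OK LOGIN: Client "192.0.2.50"',
    'Mon Jan  6 10:15:09 2025 [pid 2413] [knockuser] OK LOGIN: Client "203.0.113.7"',
    'Mon Jan  6 10:16:30 2025 [pid 2414] [knockuser] OK LOGIN: Client "::ffff:198.51.100.23"',
    'Mon Jan  6 10:17:00 2025 [pid 2415] [knockuser] OK LOGIN: Client "999.1.1.1"',
]

def rules_for(lines):
    """Collect the allow rules produced by a batch of log lines."""
    return [r for r in map(allow_rule, lines) if r]

if __name__ == "__main__":
    for rule in rules_for(SAMPLE_LOG):
        print(" ".join(rule))
```

In fail2ban itself the inserted rule would come from the action's `actionban`, and `actionunban` removes it again when `bantime` expires, so the opening is temporary rather than permanent.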


Ubuntu SABnzbd+ protected by an apache2 proxy and htpasswd

Basic SABnzbd+ Setup – SAB for short.

There are plenty of tutorials out there which cover configuring a normal SAB installation, so I won’t cover that here. What I am going to do is make my SAB available through a web-accessible, password-protected page. This can be accomplished with default SAB features by putting a web username/password in the general configuration section. However, I find it annoying to have to enter the password when I’m on my internal 192.168 home network just to make it protected from the outside, and I don’t like the way it presents the username/password prompt in a website form rather than a generic Apache pop-up. I’m sure open accessibility could be fixed in the SABnzbd+ code, but I’m not a pro Python hacker yet, so I’ll just stick to what I know.

Basically, I want a generic pop-up password that is only for people outside my network, so I’m not bothered with SAB passwords while at home (and I can’t get nzbdStatus to work with a password enabled). The htpasswd also acts as a bit of camouflage and additional security. Some required concepts aren’t covered here: you need to know how to configure your own SAB server, and port forwarding or firewall/iptables.

If you’re using a router, you’re going to want to make sure you’re not port forwarding the default SAB port of 8080 (which would make it wide open) and are only forwarding the apache2 port you set up for the SAB proxy. If you’re not on an internal IP subnet and have a static IP assigned directly to the Linux machine you’re doing this on, then I expect you have enough knowledge of iptables to block the SAB port and allow the proxy port.
