software:linux:fail2ban
Table of Contents
fail2ban
fail2ban is a great software that ban ips failing auth.
Permanent ban
Unfortunately it doesn't provide an official way to make a permanent ban when some ip insist to fail, even after the gracefully period. Surfing I found this solution, anyway it doesn't works because there are many errors in the configs, following you can find my fixed configurations.
/etc/fail2ban/jail.conf
APPEND AT THE VERY BOTTOM!
[repeatoffender] enabled = true filter = repeatoffender action = repeatoffender[name=repeatoffender] sendmail-whois[name=Repeat-Offender, dest=destmailforpermanentban@domain.com, sender=fail2ban@domain.com] logpath = /var/log/fail2ban.log maxretry = 10 findtime = 31536000 bantime = -1
/etc/fail2ban/action.d/repeatoffender.conf
# Fail2Ban configuration file # # Author: Michele Porelli # [INCLUDES] before = iptables-blocktype.conf [Init] # Default name of the chain # name = repeatoffender name_permanent = ip-blocklist # Option: protocol # Notes.: internally used by config reader for interpolations. # Values: [ tcp | udp | icmp | all ] Default: all # protocol = all # Option: chain # Notes specifies the iptables chain to which the fail2ban rules should be # added # Values: STRING Default: <chain> chain = INPUT [Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN iptables -I <chain> -p <protocol> -j fail2ban-<name> # Establish chain and blocks for saved IPs iptables -N fail2ban-<name_permanent> iptables -A fail2ban-<name_permanent> -j RETURN iptables -I <chain> -p <protocol> -j fail2ban-<name_permanent> cat /etc/fail2ban/ip.blocklist.<name> |grep -v ^s*#|awk '{print $1}' | while read IP; do iptables -I fail2ban-<name_permanent> 1 -s $IP -j REJECT --reject-with icmp-port-unreachable; done # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> # Remove chain and blocks for saved IPs to prevent duplicates on service restart iptables -D <chain> -p <protocol> -j fail2ban-<name_permanent> iptables -F fail2ban-<name_permanent> iptables -X fail2ban-<name_permanent> # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = iptables -n -L | grep -q 'fail2ban-<name>' # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = VERIFY="<ip>" ADD="<ip> # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): Perma-Banned" FILE=/etc/fail2ban/ip.blocklist.<name> grep -q "$VERIFY" "$FILE" || iptables -I fail2ban-<name> 1 -s <ip> -j REJECT --reject-with icmp-port-unreachable grep -q "$VERIFY" "$FILE" || echo "$ADD" >> "$FILE" # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = # Do nothing because their IP is in the blocklist file # To manually unban from the ip blocklist file run this command: # Be warned that if the ip is in log rotated files it must be whitelisted # # sed -i '/^/d' /etc/fail2ban/ip.blocklist.<name>
/etc/fail2ban/filter.d/repeatoffender.conf
# Fail2Ban configuration file # # Author: Michele Porelli # # This filter monitors the fail2ban log file, and permanently # bans the ip addresses of persistent attackers. # # As of this version this ban only works with iptables. # [Definition] _jailname = repeatoffender failregex = fail2ban.actions:\sWARNING\s.*\sBan <HOST> ignoreregex = fail2ban.actions:\sWARNING\s[%(_jailname)s]\sBan <HOST>
OpenVPN
/etc/fail2ban/filter.d/openvpn.conf
[Definition] failregex = failregex = .* ovpn-.* <HOST> Connection reset, restarting \[[0-9-]{1,2}\] ignoreregex =
/etc/fail2ban/jail.conf
[openvpn-tcp] enabled = true port = 1194 protocol = tcp filter = openvpn action = iptables[name=%(__name__)s, port=%(port)s, protocol=%(protocol)s] logpath = /var/log/syslog maxretry = 3 [openvpn-udp] enabled = true port = 1194 protocol = udp filter = openvpn action = iptables[name=%(__name__)s, port=%(port)s, protocol=%(protocol)s] logpath = /var/log/syslog maxretry = 3
software/linux/fail2ban.txt · Last modified: 2015/01/09 10:22 by Michele Porelli