Friday, December 25, 2015

Fail2ban BAN-Forever!

OK, enough is enough. As per my previous blog about setting up fail2ban, there was this one persistent idiot who kept trying to break in my network. Due to fail2ban default setting, which un-bans previously banned IP, he could keep trying and trying and trying...

So, I came across this blog and set my systems as per following:

Modify fail2ban config:

vi /etc/fail2ban/fail2ban.conf
Make sure

log level = 3
logtarget = /var/log/fail2ban.log
Modify Logrotate config:

vi /etc/logrotate.d/fail2ban
Make sure

rotate 13
fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
# If fail2ban runs as non-root it still needs to have write access
# to logfiles.
# create 640 fail2ban adm
create 640 root adm
Add Repeat Offender rule:

vi /etc/fail2ban/jail.local
Add the following to the bottom of the line. This sets any IP that has been failing 10 times for a period of 365 days will be banned forever

# Repeated Offender to be banned forever
# if has been baned 10 times for 1 year

enabled  = true
filter   = repeatoffender
action   = repeatoffender[name=repeatoffender]
logpath  = /var/log/fail2ban*
maxretry = 10
findtime = 31536000
bantime  = -1
Create fail2ban Filter:

vi /etc/fail2ban/filter.d/repeatoffender.conf
Add the following to the file:

# Fail2ban configuration file
# this filter monitors the fail2ban log file and permanently bans the IP
# only works with iptables

_jailname = repeatoffender
failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+
ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]+Ban\s+
Create fail2ban Action:

vi /etc/fail2ban/action.d/repeatoffender.conf
Add the following to the file:

# Fail2Ban configuration File


before = iptables-blocktype.conf


# Option: actionstart
# Notes.: command executed once at the start of fail2ban
# Values: CMD

actionstart = iptables -N fail2ban-
              iptables -A fail2ban- -j RETURN
              iptables -I  -p  -j fail2ban-
              # Establish chain and blocks for saved IPs
              iptables -N fail2ban-ip-blocklist
              iptables -A fail2ban-ip-blocklist -j RETURN
              iptables -I  -p  -j fail2ban-ip-blocklist 
              cat /etc/fail2ban/ip.blocklist. |grep -v ^\s*#|awk '{print $1}' | while read IP; do iptables -I fail2ban-ip-blocklist 1 -s $IP -j REJECT --reject-with icmp-port-unreachable; done

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
actionstop = iptables -D  -p  -j fail2ban-
             iptables -F fail2ban-
             iptables -X fail2ban-
             # Remove chain and blocks for saved IPs to prevent duplicates on service restart
             iptables -D  -p  -j fail2ban-ip-blocklist
             iptables -F fail2ban-ip-blocklist
             iptables -X fail2ban-ip-blocklist

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
actioncheck = iptables -n -L  | grep -q 'fail2ban-[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
actionban = VERIFY="*"
            ADD="        # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): Perma-Banned"
            grep -q "$VERIFY" "$FILE" || iptables -I fail2ban-  1 -s  -j DROP
            grep -q "$VERIFY" "$FILE" || echo "$ADD" >> "$FILE"

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
actionunban = # Do nothing becasuse their IP is in the blocklist file

# To manually unban from the ip blocklist file run this command:
# Be warned that if the ip is in log rotated files it must be whitelisted
# sed -i '/^/d' /etc/fail2ban/ip.blocklist.repeatoffender


# Default name of the chain
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT
that's it. to check the iptables, to show which IP is blocked there, just run:

iptables -L -n

No comments: