Friday, December 25, 2015

Fail2ban BAN-Forever!

OK, enough is enough. As per my previous blog about setting up fail2ban, there was this one persistent idiot who kept trying to break into my network. Due to fail2ban's default setting, which un-bans previously banned IPs, he could keep trying and trying and trying...

So, I came across this blog and set up my systems as follows:

Modify fail2ban config:

vi /etc/fail2ban/fail2ban.conf
Make sure

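# fail2ban.conf: both settings are needed by the repeatoffender filter below,
# which reads the "Ban" lines fail2ban itself writes to this log.
# NOTE(review): the key is spelled "loglevel" in fail2ban.conf; "log level"
# (with a space) would be read as a different key and silently ignored.
loglevel = 3
logtarget = /var/log/fail2ban.log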
Modify Logrotate config:

vi /etc/logrotate.d/fail2ban
Make sure

# /etc/logrotate.d/fail2ban: rotation policy for the log the repeatoffender jail reads.
# NOTE(review): in logrotate syntax these directives live inside the
# "/var/log/fail2ban.log { ... }" stanza of this file; only the directives are shown here.
notifempty
# 13 monthly rotations keep roughly a year of history on disk, which lines up with the
# 365-day findtime of the jail below; presumably deliberate.
monthly
rotate 13
missingok
# Tell the running daemon to reopen its log after rotation.
postrotate
fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
endscript
# If fail2ban runs as non-root it still needs to have write access
# to logfiles.
# create 640 fail2ban adm
# 640 root:adm keeps the log (a list of attacking/banned addresses) unreadable to other users.
create 640 root adm
Add Repeat Offender rule:

vi /etc/fail2ban/jail.local
Add the following to the bottom of the file. This means any IP that has been banned 10 times within a period of 365 days will be banned forever.

#
# Repeated Offender to be banned forever
# if it has been banned 10 times within 1 year
#
# Counts "Ban" lines written to the fail2ban log by the other jails (see
# filter.d/repeatoffender.conf), not raw login failures.
[repeatoffender]

enabled  = true
filter   = repeatoffender
# Two actions: the custom iptables/blocklist action and a whois e-mail.
# NOTE(review): replace the domain.me addresses with real ones before enabling.
action   = repeatoffender[name=repeatoffender]
           sendmail-whois[name=Repeat-Offender, dest=me@domain.me, sender=fail2ban@domain.me]
# The glob also matches rotated copies of the log, so bans recorded before the
# last rotation still count towards maxretry.
logpath  = /var/log/fail2ban*
# bans (not failed logins) within findtime before the permanent ban fires
maxretry = 10
# seconds: 365 * 86400
findtime = 31536000
# negative bantime = never unban
bantime  = -1
Create fail2ban Filter:

vi /etc/fail2ban/filter.d/repeatoffender.conf
Add the following to the file:

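# Fail2ban configuration file
# this filter monitors the fail2ban log file and permanently bans the IP
#
# only works with iptables
#
# NOTE(review): the rendered page had dropped the <HOST> tag at the end of
# failregex; fail2ban needs it to know which address to ban, so it is restored
# here. The pattern assumes the 0.8.x log line shape
# "fail2ban.actions: WARNING [jail] Ban <ip>" -- check it against the log of
# the installed version (fail2ban-regex /var/log/fail2ban.log <this file>)
# before relying on this jail.

[Definition]
_jailname = repeatoffender
# A Ban issued by any jail.
failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+<HOST>
# ...except this jail's own bans, otherwise it would count itself. Mirrors the
# failregex; the original "\]+Ban" could not match the space before "Ban".
ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]\s+Ban\s+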
Create fail2ban Action:

vi /etc/fail2ban/action.d/repeatoffender.conf
Add the following to the file:

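# Fail2Ban configuration file: "repeatoffender" action.
#
# Bans an address in its own iptables chain AND records it in
# /etc/fail2ban/ip.blocklist.<name>, which is replayed into iptables at start
# so the ban survives a restart. Used together with filter.d/repeatoffender.conf.
#
# NOTE(review): the rendered page had dropped every <tag> placeholder
# (<name>, <chain>, <protocol>, <ip>). They are restored here from the [Init]
# section and the standard fail2ban action tags -- compare with the original
# action file before deploying.

[INCLUDES]

before = iptables-blocktype.conf

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of fail2ban
# Values: CMD
#
# NOTE(review): the fail2ban-ip-blocklist chain is not parameterised by <name>,
# so this action can only be used by one jail at a time.
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
              # Establish chain and blocks for saved IPs
              iptables -N fail2ban-ip-blocklist
              iptables -A fail2ban-ip-blocklist -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-ip-blocklist
              # Replay the saved blocklist (first column of every non-comment line).
              # The file does not exist until the first ban, so skip cleanly then.
              # Everything listed in it becomes a firewall rule: keep it root-owned
              # and not writable by anyone else.
              if [ -f /etc/fail2ban/ip.blocklist.<name> ]; then
                  grep -v '^[[:space:]]*#' /etc/fail2ban/ip.blocklist.<name> | awk '{print $1}' | while read IP; do iptables -I fail2ban-ip-blocklist 1 -s "$IP" -j REJECT --reject-with icmp-port-unreachable; done
              fi

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
             # Remove chain and blocks for saved IPs to prevent duplicates on service restart
             iptables -D <chain> -p <protocol> -j fail2ban-ip-blocklist
             iptables -F fail2ban-ip-blocklist
             iptables -X fail2ban-ip-blocklist

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
# The address is inserted into the live chain and appended to the blocklist
# file only if it is not already recorded there. The original glob-style
# VERIFY pattern ("*...*") is not a grep regex -- a leading "*" is a literal
# character in grep's basic syntax -- so the existence check could not match
# and every re-ban appended a duplicate line and rule. The pattern below is
# anchored on the first column (the dots in <ip> match any character, which is
# close enough for an address list).
# "%%" is a literal "%" because fail2ban applies configparser-style %(...)s
# interpolation to these values.
# NOTE(review): actionstart replays saved addresses with REJECT while this
# uses DROP; using <blocktype> (what the included iptables-blocktype.conf is
# there to define) in both places would make a restart behave like the
# original ban.
actionban = FILE=/etc/fail2ban/ip.blocklist.<name>
            if ! grep -q "^<ip>[[:space:]]" "$FILE" 2>/dev/null; then
                iptables -I fail2ban-<name> 1 -s <ip> -j DROP
                echo "<ip>        # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): Perma-Banned" >> "$FILE"
            fi

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
# Deliberately a no-op: the blocklist file, not fail2ban's ban timer, decides
# when an address is released.
actionunban = # Do nothing becasuse their IP is in the blocklist file

# To manually unban from the ip blocklist file run this command (replace <ip>
# with the address):
# Be warned that if the ip is in log rotated files it must be whitelisted
#
# sed -i '/^<ip>/d' /etc/fail2ban/ip.blocklist.repeatoffender
#
# That does not touch the live rules: also delete the address from the
# fail2ban-<name> and fail2ban-ip-blocklist chains, or restart fail2ban so
# actionstart rebuilds them from the edited file.
#

[Init]

# Default name of the chain. The jail overrides it via
# repeatoffender[name=...], which also selects the blocklist file
# /etc/fail2ban/ip.blocklist.<name>.
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT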
That's it. To check iptables and see which IPs are blocked, just run:

iptables -L -n