So, I came across this blog and set my systems as per following:
Modify fail2ban config:
vi /etc/fail2ban/fail2ban.confMake sure
log level = 3 logtarget = /var/log/fail2ban.logModify Logrotate config:
vi /etc/logrotate.d/fail2banMake sure
notifempty monthly rotate 13 missingok postrotate fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null endscript # If fail2ban runs as non-root it still needs to have write access # to logfiles. # create 640 fail2ban adm create 640 root admAdd Repeat Offender rule:
vi /etc/fail2ban/jail.localAdd the following to the bottom of the line. This sets any IP that has been failing 10 times for a period of 365 days will be banned forever
#
# Repeated Offender to be banned forever
# if has been baned 10 times for 1 year
#
[repeatoffender]
enabled = true
filter = repeatoffender
action = repeatoffender[name=repeatoffender]
sendmail-whois[name=Repeat-Offender, dest=me@domain.me, sender=fail2ban@domain.me]
logpath = /var/log/fail2ban*
maxretry = 10
findtime = 31536000
bantime = -1
Create fail2ban Filter:vi /etc/fail2ban/filter.d/repeatoffender.confAdd the following to the file:
# Fail2ban configuration file # this filter monitors the fail2ban log file and permanently bans the IP # # only works with iptables [Definition] _jailname = repeatoffender failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+Create fail2ban Action:ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]+Ban\s+
vi /etc/fail2ban/action.d/repeatoffender.confAdd the following to the file:
# Fail2Ban configuration File # # [INCLUDES] before = iptables-blocktype.conf [Definition] # Option: actionstart # Notes.: command executed once at the start of fail2ban # Values: CMD actionstart = iptables -N fail2ban-that's it. to check the iptables, to show which IP is blocked there, just run:iptables -A fail2ban- -j RETURN iptables -I -p -j fail2ban- # Establish chain and blocks for saved IPs iptables -N fail2ban-ip-blocklist iptables -A fail2ban-ip-blocklist -j RETURN iptables -I -p -j fail2ban-ip-blocklist cat /etc/fail2ban/ip.blocklist. |grep -v ^\s*#|awk '{print $1}' | while read IP; do iptables -I fail2ban-ip-blocklist 1 -s $IP -j REJECT --reject-with icmp-port-unreachable; done # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = iptables -D -p -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- # Remove chain and blocks for saved IPs to prevent duplicates on service restart iptables -D -p -j fail2ban-ip-blocklist iptables -F fail2ban-ip-blocklist iptables -X fail2ban-ip-blocklist # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = iptables -n -L | grep -q 'fail2ban- [ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = VERIFY=" *" ADD=" # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): Perma-Banned" FILE=/etc/fail2ban/ip.blocklist. grep -q "$VERIFY" "$FILE" || iptables -I fail2ban- 1 -s -j DROP grep -q "$VERIFY" "$FILE" || echo "$ADD" >> "$FILE" # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = # Do nothing becasuse their IP is in the blocklist file # To manually unban from the ip blocklist file run this command: # Be warned that if the ip is in log rotated files it must be whitelisted # # sed -i '/^ /d' /etc/fail2ban/ip.blocklist.repeatoffender # [Init] # Default name of the chain # name = default # Option: protocol # Notes.: internally used by config reader for interpolations. # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = tcp # Option: chain # Notes specifies the iptables chain to which the fail2ban rules should be # added # Values: STRING Default: INPUT chain = INPUT
iptables -L -n
