Suggested fail2ban improvement.


Postby plutocrat » Wed May 03, 2017 8:29 am

Hi,
I've been running this fail2ban modification on most of my other servers, so I thought I'd see if I could get it to work on Vesta. Basically, the regular fail2ban rules ban IPs for a couple of hours and then in some cases the IP is unbanned and resumes its attack. This modification searches through the fail2ban log for IPs that are banned several times over a day, and then implements a longer ban -- a month! That should give them the message.

Here are the pieces of the puzzle.

File /etc/fail2ban/filter.d/repeat-offender.conf

# Fail2Ban configuration file
# Notes.: Looking through /var/log/fail2ban.log for many occurrences of Ban
[Definition]
failregex = fail2ban.actions.*:\s+NOTICE\s+\[(?:.*)\]\s+Ban\s+<HOST>
# fail2ban logs the jail's section name (here [repeat-iptables]), not the
# filter name, so the jail's own Ban lines have to be ignored under that name
ignoreregex = fail2ban.actions.*:\s+NOTICE\s+\[repeat-iptables\]\s+Ban\s+<HOST>


In /etc/fail2ban/jail.local, ideally at the TOP, under the DEFAULT section

[repeat-iptables]
enabled  = true
filter   = repeat-offender
action = vesta-repeat[name=REPEAT]
logpath  = /var/log/fail2ban.log
# If 3 bans in 24 hours, ban for a month
bantime = 2592000
findtime = 86400
maxretry = 3


I first tried to run the action through the original /etc/fail2ban/action.d/vesta.conf but that caused an error as REPEAT wasn't defined in /usr/local/vesta/bin/v-add-firewall-chain and it needed a "port" argument. So I copied the action.d/vesta.conf to vesta-repeat.conf and edited it. (obviously this would be better done in v-add-firewall-chain)

# Copy of action.d/vesta.conf with a fixed port list, because
# v-add-firewall-chain has no entry for the REPEAT chain name
[Definition]
actionstart = /usr/local/vesta/bin/v-add-firewall-chain <name> 22,25,465,587,2525,110,995,143,993,8043,80
actionstop = /usr/local/vesta/bin/v-delete-firewall-chain <name>
actioncheck = iptables -n -L INPUT | grep -q 'fail2ban-<name>[ \t]'
actionban = /usr/local/vesta/bin/v-add-firewall-ban <ip> <name> 22,25,465,587,2525,110,995,143,993,8043,80
actionunban = /usr/local/vesta/bin/v-delete-firewall-ban <ip> <name>

If I was nervous, I might remove the 8043 port from that, just in case it bans my IP address, although it's usually possible to change my IP address and unlock it from that. Ideally I'd block all ports, except 8043.

That's about it. Seems to work for me, and I already have a couple of IPs on the 'naughty' list.
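The following is an added example, not part of the original post and not Vesta or fail2ban code. It replays the repeat-offender logic described above (count "Ban" lines per IP in fail2ban.log, skip the ones the repeat jail itself emits, flag an IP once it collects maxretry bans inside a findtime window) as a standalone Python check, so you can see which addresses the jail would escalate before enabling it. The log lines are constructed (RFC 5737 test addresses); the regex mirrors the page's failregex, and the ignored jail name defaults to `repeat-iptables` because fail2ban logs the jail section name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Same shape as the page's failregex: a NOTICE "Ban" line from fail2ban.actions.
# The jail name is captured so bans issued by the repeat jail itself can be skipped
# (that is what the page's ignoreregex does).
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions.*:\s+NOTICE\s+"
    r"\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<host>\S+)"
)

# Constructed sample of /var/log/fail2ban.log: one IP banned three times by
# ordinary jails within 24h (plus the repeat jail's own ban and an Unban line,
# neither of which may count), and one IP banned three times but spread over
# more than a day, so it stays below the threshold.
SAMPLE_LOG = """\
2017-05-02 01:10:00,101 fail2ban.actions        [1234]: NOTICE  [ssh-iptables] Ban 203.0.113.5
2017-05-02 04:20:00,102 fail2ban.actions        [1234]: NOTICE  [ssh-iptables] Unban 203.0.113.5
2017-05-02 09:30:00,103 fail2ban.actions        [1234]: NOTICE  [ssh-iptables] Ban 203.0.113.5
2017-05-02 15:45:00,104 fail2ban.actions        [1234]: NOTICE  [dovecot-iptables] Ban 203.0.113.5
2017-05-02 16:00:00,105 fail2ban.actions        [1234]: NOTICE  [repeat-iptables] Ban 203.0.113.5
2017-05-01 10:00:00,106 fail2ban.actions        [1234]: NOTICE  [ssh-iptables] Ban 198.51.100.7
2017-05-02 12:00:00,107 fail2ban.actions        [1234]: NOTICE  [ssh-iptables] Ban 198.51.100.7
2017-05-03 14:00:00,108 fail2ban.actions        [1234]: NOTICE  [ssh-iptables] Ban 198.51.100.7
"""


def parse_bans(lines, ignore_jail="repeat-iptables"):
    """Yield (timestamp, ip) for every Ban line not issued by ignore_jail."""
    for line in lines:
        m = BAN_RE.match(line)
        if not m or m.group("jail") == ignore_jail:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group("host")


def find_repeat_offenders(lines, findtime=86400, maxretry=3, ignore_jail="repeat-iptables"):
    """Return {ip: time_of_maxretry-th_ban} for IPs banned >= maxretry times
    within any findtime-second window, mirroring fail2ban's sliding window:
    bans older than findtime relative to the newest one are forgotten."""
    window = defaultdict(deque)
    offenders = {}
    for ts, ip in sorted(parse_bans(lines, ignore_jail)):
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and ip not in offenders:
            offenders[ip] = ts
    return offenders


if __name__ == "__main__":
    for ip, when in find_repeat_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} would be escalated to the month-long ban at {when}")
```

Run it against a real log with `find_repeat_offenders(open("/var/log/fail2ban.log").read().splitlines())`. To check the actual filter file rather than this re-implementation, fail2ban ships `fail2ban-regex`, e.g. `fail2ban-regex /var/log/fail2ban.log /etc/fail2ban/filter.d/repeat-offender.conf`, which reports how many lines the failregex and ignoreregex match.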
