(Dec 29) New version 0.9.8-18 has been released

Suggested fail2ban improvement.

Section with modification and patches for Vesta
Forum rules
Before creating a new topic or reply on the forum you should fill out additional fields "Os" and "Web" in your profile section.
In case of violation, the topic can be closed or response from the support will not be received.
Posts: 89
Joined: Fri Jan 27, 2017 9:16 am

Suggested fail2ban improvement.

Postby plutocrat » Wed May 03, 2017 8:29 am

I've been running this fail2ban modification on most of my other servers, so I thought I'd see if I could get it to work on Vesta. Basically, the regular fail2ban rules ban IPs for a couple of hours and then in some cases the IP is unbanned and resumes its attack. This modification searches through the fail2ban log for IPs that are banned several times over a day, and then implements a longer ban -- a month! That should give them the message.

Here are the pieces of the puzzle.

File /etc/fail2ban/filter.d/repeat-offender.conf

Code: Select all

# Fail2Ban configuration file
# Notes.: Looking through /var/log/fail2ban.log for many occurences of Ban
failregex = fail2ban.actions.*:\s+NOTICE\s+\[(?:.*)\]\s+Ban\s+<HOST>
ignoreregex = fail2ban.actions.*:\s+NOTICE\s+\[repeat-offender\]\s+Ban\s+<HOST>

In /etc/fail2ban/jail.local, ideally at the TOP, under the DEFAULT section

Code: Select all

enabled  = true
filter   = repeat-offender
action = vesta-repeat[name=REPEAT]
logpath  = /var/log/fail2ban.log
# If 3 bans in 24 hours, ban for a month
bantime = 2592000
findtime = 86400
maxretry = 3

I first tried to run the action through the original /etc/fail2ban/action.d/vesta.conf but that caused an error as REPEAT wasn't defined in /usr/local/vesta/bin/v-add-firewall-chain and it needed a "port" argument. So I copied the action.d/vesta.conf to vesta-repeat.conf and edited it. (obviously this would be better done in v-add-firewall-chain)

Code: Select all

actionstart = /usr/local/vesta/bin/v-add-firewall-chain <name> 22,25,465,587,2525,110,995,143,993,8043,80
actionstop = /usr/local/vesta/bin/v-delete-firewall-chain <name>
actioncheck = iptables -n -L INPUT | grep -q 'fail2ban-<name>[ \t]'
actionban = /usr/local/vesta/bin/v-add-firewall-ban <ip> <name> 22,25,465,587,2525,110,995,143,993,8043,80
actionunban = /usr/local/vesta/bin/v-delete-firewall-ban <ip> <name>

If I was nervous, I might remove the 8043 port from that, just in case it bans my IP address, although its usually possible to change my IP address and unlock it from that. Ideally I'd block all ports, except 8043.

That's about it. Seems to work for me, and I already have a couple of IPs on the 'naughty' list.

Posts: 9
Joined: Fri Jan 05, 2018 3:03 pm

Os: Debian 9x
Web: nginx + php-fpm

Re: Suggested fail2ban improvement.

Postby jodumont » Mon Jan 08, 2018 4:23 pm

Personnaly on debia9

I simply add in /etc/fail2ban/jail.local

Code: Select all

enabled = true
logpath  = /var/log/fail2ban.log
port     = all
protocol = all
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

then restart the service

it's also seams to works ;)

Return to “Modification & Patches”

Who is online

Users browsing this forum: No registered users and 2 guests