Suggested fail2ban improvement.
Posted: Wed May 03, 2017 8:29 am
Hi,
I've been running this fail2ban modification on most of my other servers, so I thought I'd see if I could get it to work on Vesta. Basically, the regular fail2ban rules ban IPs for a couple of hours and then in some cases the IP is unbanned and resumes its attack. This modification searches through the fail2ban log for IPs that are banned several times over a day, and then implements a longer ban -- a month! That should give them the message.

Here are the pieces of the puzzle.

File /etc/fail2ban/filter.d/repeat-offender.conf

Code:
# Fail2Ban configuration file
# Notes.: Looking through /var/log/fail2ban.log for many occurrences of Ban
[Definition]
failregex = fail2ban.actions.*:\s+NOTICE\s+\[(?:.*)\]\s+Ban\s+<HOST>
# Skip this jail's own bans; the name in brackets must match the jail name used in jail.local
ignoreregex = fail2ban.actions.*:\s+NOTICE\s+\[repeat-iptables\]\s+Ban\s+<HOST>

In /etc/fail2ban/jail.local, ideally at the TOP, under the DEFAULT section

Code:
[repeat-iptables]
enabled = true
filter = repeat-offender
action = vesta-repeat[name=REPEAT]
logpath = /var/log/fail2ban.log
# If 3 bans in 24 hours, ban for a month
bantime = 2592000
findtime = 86400
maxretry = 3

I first tried to run the action through the original /etc/fail2ban/action.d/vesta.conf, but that caused an error as REPEAT wasn't defined in /usr/local/vesta/bin/v-add-firewall-chain and it needed a "port" argument. So I copied the action.d/vesta.conf to vesta-repeat.conf and edited it. (Obviously this would be better done in v-add-firewall-chain.)

Code:
[Definition]
actionstart = /usr/local/vesta/bin/v-add-firewall-chain <name> 22,25,465,587,2525,110,995,143,993,8043,80
actionstop = /usr/local/vesta/bin/v-delete-firewall-chain <name>
actioncheck = iptables -n -L INPUT | grep -q 'fail2ban-<name>[ \t]'
actionban = /usr/local/vesta/bin/v-add-firewall-ban <ip> <name> 22,25,465,587,2525,110,995,143,993,8043,80
actionunban = /usr/local/vesta/bin/v-delete-firewall-ban <ip> <name>

If I was nervous, I might remove the 8043 port from that, just in case it bans my IP address, although it's usually possible to change my IP address and unlock it from that. Ideally I'd block all ports, except 8043.

That's about it. Seems to work for me, and I already have a couple of IPs on the 'naughty' list.
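
The counting rule of the repeat-iptables jail (3 bans within 86400 seconds, skipping the jail's own Ban lines) can be replayed offline to see which addresses would get the month-long ban. This is an added example, not part of the original post: the log lines and the other jail names are constructed, fail2ban's `<HOST>` tag is approximated by a plain IPv4 pattern, and the windowing is a simplified model of fail2ban's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: <HOST> is approximated by a plain IPv4 pattern.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(r"fail2ban.actions.*:\s+NOTICE\s+\[(?P<jail>.*)\]\s+Ban\s+" + HOST)

# Constructed sample of /var/log/fail2ban.log (documentation-range addresses).
SAMPLE_LOG = """\
2017-05-02 01:10:00,101 fail2ban.actions [811]: NOTICE [ssh-iptables] Ban 203.0.113.7
2017-05-02 04:30:12,532 fail2ban.actions [811]: NOTICE [ssh-iptables] Unban 203.0.113.7
2017-05-02 05:02:44,009 fail2ban.actions [811]: NOTICE [dovecot-iptables] Ban 203.0.113.7
2017-05-02 09:15:00,412 fail2ban.actions [811]: NOTICE [ssh-iptables] Ban 198.51.100.20
2017-05-02 13:40:31,770 fail2ban.actions [811]: NOTICE [ssh-iptables] Ban 203.0.113.7
2017-05-02 13:40:32,015 fail2ban.actions [811]: NOTICE [repeat-iptables] Ban 203.0.113.7
2017-05-03 12:00:00,000 fail2ban.actions [811]: NOTICE [ssh-iptables] Ban 198.51.100.20
2017-05-04 12:00:01,000 fail2ban.actions [811]: NOTICE [ssh-iptables] Ban 198.51.100.20
""".splitlines()


def repeat_offenders(lines, own_jail="repeat-iptables", findtime=86400, maxretry=3):
    """Return {ip: time of the long ban} for IPs banned maxretry times within findtime seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of bans still inside the window
    banned = {}
    for line in lines:
        m = FAIL_RE.search(line)
        # Same job as ignoreregex: bans issued by the long-ban jail itself do not count.
        if not m or m.group("jail") == own_jail:
            continue
        ip = m.group("host")
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        # Drop bans that have aged out of the findtime window.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in repeat_offenders(SAMPLE_LOG).items():
        print(f"{ip} would be banned for a month at {when}")
```

On a live server, `fail2ban-regex /var/log/fail2ban.log /etc/fail2ban/filter.d/repeat-offender.conf` reports how many real log lines the filter matches and ignores.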