Suggested fail2ban improvement.
Hi,
I've been running this fail2ban modification on most of my other servers, so I thought I'd see if I could get it to work on Vesta. Basically, the regular fail2ban rules ban IPs for a couple of hours and then in some cases the IP is unbanned and resumes its attack. This modification searches through the fail2ban log for IPs that are banned several times over a day, and then implements a longer ban -- a month! That should give them the message.
Here are the pieces of the puzzle.
File /etc/fail2ban/filter.d/repeat-offender.conf

Code:
# Fail2Ban configuration file
# Notes.: Looking through /var/log/fail2ban.log for many occurrences of Ban
[Definition]
# Match every "Ban <ip>" NOTICE line written by any jail
failregex = fail2ban.actions.*:\s+NOTICE\s+\[(?:.*)\]\s+Ban\s+<HOST>
# Don't count the bans this jail issues itself; fail2ban logs the jail name
# (repeat-iptables below), not the filter name, so that is what must be ignored
ignoreregex = fail2ban.actions.*:\s+NOTICE\s+\[repeat-iptables\]\s+Ban\s+<HOST>

In /etc/fail2ban/jail.local, ideally at the TOP, under the DEFAULT section

Code:
[repeat-iptables]
enabled = true
filter = repeat-offender
action = vesta-repeat[name=REPEAT]
logpath = /var/log/fail2ban.log
# If 3 bans in 24 hours, ban for a month
bantime = 2592000
findtime = 86400
maxretry = 3

I first tried to run the action through the original /etc/fail2ban/action.d/vesta.conf but that caused an error as REPEAT wasn't defined in /usr/local/vesta/bin/v-add-firewall-chain and it needed a "port" argument. So I copied the action.d/vesta.conf to vesta-repeat.conf and edited it. (Obviously this would be better done in v-add-firewall-chain.)

Code:
[Definition]
actionstart = /usr/local/vesta/bin/v-add-firewall-chain <name> 22,25,465,587,2525,110,995,143,993,8043,80
actionstop = /usr/local/vesta/bin/v-delete-firewall-chain <name>
actioncheck = iptables -n -L INPUT | grep -q 'fail2ban-<name>[ \t]'
actionban = /usr/local/vesta/bin/v-add-firewall-ban <ip> <name> 22,25,465,587,2525,110,995,143,993,8043,80
actionunban = /usr/local/vesta/bin/v-delete-firewall-ban <ip> <name>

If I was nervous, I might remove the 8043 port from that, just in case it bans my IP address, although it's usually possible to change my IP address and unlock it from that. Ideally I'd block all ports, except 8043.
That's about it. Seems to work for me, and I already have a couple of IPs on the 'naughty' list.
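To make the filter's logic concrete, here is an added example (not part of the post or of Vesta) that runs the same failregex/ignoreregex over a constructed sample of /var/log/fail2ban.log and applies the jail's findtime/maxretry window the way fail2ban would. The IPv4 capture group standing in for <HOST>, the sample log lines and the addresses in them are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regexes adapted from the repeat-offender filter posted above. fail2ban
# substitutes its own host-matching group for <HOST>; an IPv4 capture group
# stands in for it here so the example runs without fail2ban installed.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"fail2ban\.actions.*:\s+NOTICE\s+\[(?:.*)\]\s+Ban\s+" + HOST)
# The ignore pattern must name the jail as it appears in the log (the jail
# name, not the filter name), otherwise the jail re-counts its own bans.
IGNOREREGEX = re.compile(r"fail2ban\.actions.*:\s+NOTICE\s+\[repeat-iptables\]\s+Ban\s+" + HOST)

# Jail parameters from the post: 3 bans inside 24 h earn a 30-day ban.
FINDTIME = timedelta(seconds=86400)
MAXRETRY = 3
BANTIME = 2592000

# Constructed sample of /var/log/fail2ban.log (made up for this example,
# documentation addresses only). Deliberately out of order to show that
# the window logic sorts by timestamp first.
SAMPLE_LOG = """\
2019-05-20 03:42:15,884 fail2ban.actions        [1234]: NOTICE  [dovecot-iptables] Ban 203.0.113.10
2019-05-20 01:10:02,117 fail2ban.actions        [1234]: NOTICE  [ssh-iptables] Ban 203.0.113.10
2019-05-20 04:00:00,001 fail2ban.actions        [1234]: NOTICE  [ssh-iptables] Ban 198.51.100.7
2019-05-20 09:05:31,501 fail2ban.actions        [1234]: NOTICE  [exim-iptables] Ban 203.0.113.10
2019-05-20 09:05:31,990 fail2ban.actions        [1234]: NOTICE  [repeat-iptables] Ban 203.0.113.10
2019-05-20 11:10:02,117 fail2ban.actions        [1234]: NOTICE  [ssh-iptables] Unban 203.0.113.10
2019-05-21 12:00:00,000 fail2ban.actions        [1234]: NOTICE  [ssh-iptables] Ban 198.51.100.7
2019-05-21 13:00:00,000 fail2ban.actions        [1234]: NOTICE  [ssh-iptables] Ban 198.51.100.7
"""


def parse_ban_events(log_text):
    """Return [(timestamp, host)] for every line the filter would count.

    Lines matching ignoreregex are dropped first, as fail2ban does, then
    failregex decides whether the line is a ban event at all ("Unban" lines
    never match because "Ban" must directly follow the closing "]")."""
    events = []
    for line in log_text.splitlines():
        if IGNOREREGEX.search(line):
            continue
        match = FAILREGEX.search(line)
        if not match:
            continue
        # fail2ban's default datepattern handles this prefix; parsed by hand here.
        stamp = datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f")
        events.append((stamp, match.group("host")))
    return events


def find_repeat_offenders(events, findtime=FINDTIME, maxretry=MAXRETRY):
    """Sliding-window count per host, mirroring findtime/maxretry.

    Returns {host: timestamp of the ban that reached maxretry}; a host is
    reported once, at the moment the jail would fire its actionban."""
    recent = defaultdict(deque)
    offenders = {}
    for stamp, host in sorted(events):
        window = recent[host]
        window.append(stamp)
        # Forget bans older than findtime relative to the newest one.
        while stamp - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in offenders:
            offenders[host] = stamp
    return offenders


def report(log_text):
    """Summary of who would be banned and for how long."""
    offenders = find_repeat_offenders(parse_ban_events(log_text))
    return {host: f"ban {BANTIME}s from {stamp.isoformat()}" for host, stamp in offenders.items()}


if __name__ == "__main__":
    for host, line in report(SAMPLE_LOG).items():
        print(host, line)
```

In the sample, 203.0.113.10 collects three bans from three different jails inside 24 hours and is reported at the third one; 198.51.100.7 has three bans too, but the first falls outside the 24-hour window of the other two, so it is not. The jail's own "[repeat-iptables] Ban" line is skipped by the ignore pattern, which is the whole reason that pattern exists.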
Re: Suggested fail2ban improvement.
Personally, on Debian 9 I simply add this in /etc/fail2ban/jail.local:

Code:
# Uses the recidive filter that ships with fail2ban
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
port = all
protocol = all
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5

then restart the service. It also seems to work ;)
Re: Suggested fail2ban improvement.
Fantastic suggestion. Trying to bolster my firewall/intrusion prevention, so I implemented this and I already have several repeat offenders in my ban list.
Would it be possible to use the "port=" argument in fail2ban "jail.local" to pass the ports so you don't need to create a new action.d file "vesta-repeat.conf"? Something like this:

Code:
# If 3 bans in 24 hours, ban for a month
[repeat-iptables]
enabled = true
filter = repeat-offender
action = vesta[name=REPEAT, port='22,25,465,587,2525,110,995,143,993,80']
logpath = /var/log/fail2ban.log
bantime = 2592000
findtime = 86400
maxretry = 3

I tried it but it didn't seem to work, but perhaps somebody more clever than I can get it to work.
Thanks!
Last edited by Elfy on Tue May 21, 2019 10:04 pm, edited 1 time in total.
Re: Suggested fail2ban improvement.
Thanks for this info!
I am having one problem though: in my network there are 3 PCs and 2 phones connecting to multiple mail accounts on my server, some sharing some mail accounts. After 30 minutes or so, the server bans my IP and nobody can connect! Not even me in SSH nor in the VestaCP page. Is there any filter I can mod to allow multiple successful connections from 1 IP?
I can understand the ban if I do a wrong password, but to ban people who are successfully logged in is bad!
Re: Suggested fail2ban improvement.
https://www.fail2ban.org/wiki/index.php/Whitelist
Whitelisting
Whitelisting is set up in the jail.conf file using a space-separated list.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 192.168.1.0/24 8.8.8.8
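As an added illustration of how that ignoreip line is evaluated (example code written for this thread, not fail2ban's own implementation), the following parses a space-separated ignoreip value into address ranges and checks candidate addresses against it before a ban would be applied. The value is modelled on the [DEFAULT] snippet above; the "office.example.invalid" entry and the resolver callback are hypothetical, added to show how a DNS-host entry fits in without needing network access.

```python
import ipaddress

# Constructed ignoreip value modelled on the [DEFAULT] snippet quoted above.
# "office.example.invalid" is a hypothetical DNS-host entry (fail2ban allows
# host names in ignoreip and resolves them itself).
IGNOREIP = "127.0.0.1 192.168.1.0/24 8.8.8.8 office.example.invalid"


def parse_ignoreip(value, resolve=None):
    """Turn a space-separated ignoreip value into a list of ip_network objects.

    A bare address becomes a /32 (or /128) network, a CIDR entry is kept as
    written, and anything else is treated as a DNS host name and handed to
    the optional `resolve` callback. With no resolver such entries are
    skipped so the example runs offline."""
    networks = []
    for entry in value.split():
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            if resolve is not None:
                networks.extend(ipaddress.ip_network(addr) for addr in resolve(entry))
    return networks


def is_ignored(ip, networks):
    """True when `ip` falls inside any whitelisted address or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def would_ban(ip, ignoreip=IGNOREIP, resolve=None):
    """The check fail2ban makes before running actionban: skip whitelisted hosts."""
    return not is_ignored(ip, parse_ignoreip(ignoreip, resolve))


if __name__ == "__main__":
    for candidate in ("192.168.1.77", "192.168.2.1", "8.8.8.8", "203.0.113.10"):
        print(candidate, "ban" if would_ban(candidate) else "ignored")
```

The practical point for the situation described a few posts up is visible in the CIDR entry: a whole office behind one router is exempted by listing the address or range it connects from, which only helps when that address is known and stable. Anything not on the list, including your own address after it changes, is treated like any other client.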
Re: Suggested fail2ban improvement.
plutocrat wrote (Sat Jul 27, 2019 8:12 am):
https://www.fail2ban.org/wiki/index.php/Whitelist
Whitelisting
Whitelisting is set up in the jail.conf file using a space-separated list.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 192.168.1.0/24 8.8.8.8

That requires a static IP, no? We don't have that though.