
Suggested fail2ban improvement.

Posted: Wed May 03, 2017 8:29 am
by plutocrat
I've been running this fail2ban modification on most of my other servers, so I thought I'd see if I could get it to work on Vesta. Basically, the regular fail2ban rules ban IPs for a couple of hours and then in some cases the IP is unbanned and resumes its attack. This modification searches through the fail2ban log for IPs that are banned several times over a day, and then implements a longer ban -- a month! That should give them the message.

Here are the pieces of the puzzle.

File /etc/fail2ban/filter.d/repeat-offender.conf


# Fail2Ban configuration file
# Notes.: Looking through /var/log/fail2ban.log for many occurrences of Ban
# [Definition] header added here: fail2ban will not load a filter file without it
[Definition]
# Any jail's "Ban <ip>" line in fail2ban's own log counts as one hit
failregex = fail2ban.actions.*:\s+NOTICE\s+\[(?:.*)\]\s+Ban\s+<HOST>
# ...except bans issued by this jail itself, so the long ban is not counted as another offence
ignoreregex = fail2ban.actions.*:\s+NOTICE\s+\[repeat-offender\]\s+Ban\s+<HOST>

In /etc/fail2ban/jail.local, ideally at the TOP, under the DEFAULT section


# [repeat-offender] section header added here: the jail needs its own section,
# and its name must be the one the filter's ignoreregex looks for
[repeat-offender]
enabled  = true
filter   = repeat-offender
action   = vesta-repeat[name=REPEAT]
logpath  = /var/log/fail2ban.log
# If 3 bans in 24 hours, ban for a month
bantime  = 2592000
findtime = 86400
maxretry = 3

I first tried to run the action through the original /etc/fail2ban/action.d/vesta.conf but that caused an error as REPEAT wasn't defined in /usr/local/vesta/bin/v-add-firewall-chain and it needed a "port" argument. So I copied the action.d/vesta.conf to vesta-repeat.conf and edited it. (obviously this would be better done in v-add-firewall-chain)


# /etc/fail2ban/action.d/vesta-repeat.conf: copy of action.d/vesta.conf with these lines edited
# ([Definition] header added here; the copied file must keep it)
[Definition]
# v-add-firewall-chain needs a port list, so the mail, web, ssh and panel (8043) ports are passed explicitly
actionstart = /usr/local/vesta/bin/v-add-firewall-chain <name> 22,25,465,587,2525,110,995,143,993,8043,80
actionstop = /usr/local/vesta/bin/v-delete-firewall-chain <name>
# confirm the fail2ban-REPEAT chain is still hooked into INPUT before banning
actioncheck = iptables -n -L INPUT | grep -q 'fail2ban-<name>[ \t]'
actionban = /usr/local/vesta/bin/v-add-firewall-ban <ip> <name> 22,25,465,587,2525,110,995,143,993,8043,80
actionunban = /usr/local/vesta/bin/v-delete-firewall-ban <ip> <name>

If I was nervous, I might remove the 8043 port from that, just in case it bans my IP address, although it's usually possible to change my IP address and unlock it from that. Ideally I'd block all ports, except 8043.

That's about it. Seems to work for me, and I already have a couple of IPs on the 'naughty' list.

Re: Suggested fail2ban improvement.

Posted: Mon Jan 08, 2018 4:23 pm
by jodumont
Personally, on Debian 9

I simply add in /etc/fail2ban/jail.local


# [recidive] section header assumed here (not in the original post): the posted lines
# match fail2ban's stock recidive jail, which reads fail2ban's own log
[recidive]
enabled  = true
logpath  = /var/log/fail2ban.log
# as posted: ban on every port and protocol
port     = all
protocol = all
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

Then restart the service.

It also seems to work ;)
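Before handing out a month-long ban on the strength of a regex, it is worth dry-running the counting that both jails in this thread rely on. The script below is an added example, not code from either post, from Vesta or from fail2ban: it applies the same matching rule as the posted failregex and ignoreregex to a constructed set of fail2ban.log lines (the IPs and timestamps in SAMPLE_LOG are made up), counts bans per IP inside a sliding findtime window the way fail2ban's maxretry does, and reports who would be caught under plutocrat's 3-bans-per-day setting and under jodumont's 5-bans-per-day setting. The explicit host group standing in for fail2ban's <HOST> tag is an assumption for stand-alone use.

```python
"""Dry-run of the repeat-offender counting performed by the jails in this thread.

Added example, not code from either post or from Vesta/fail2ban. It reads
constructed fail2ban.log lines, applies the same matching rule as the posted
failregex/ignoreregex, and counts bans per IP inside a sliding findtime window,
which is how fail2ban decides that maxretry has been reached.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The posted failregex, with fail2ban's <HOST> tag replaced by an explicit group
# (fail2ban substitutes its own host pattern there; this stand-in is an assumption
# and accepts IPv4 and IPv6 literals).
BAN_RE = re.compile(
    r"fail2ban\.actions.*:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<host>[0-9A-Fa-f:.]+)"
)
# fail2ban's own log timestamp, e.g. "2017-05-03 08:29:00,123"
TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ ")

# Constructed sample log: 203.0.113.5 is banned three times by three jails within
# eight hours, then once more by the repeat-offender jail itself; 198.51.100.7 is
# banned twice, about 31 hours apart. The Unban line must not count.
SAMPLE_LOG = """\
2017-05-03 01:10:05,123 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2017-05-03 03:22:41,001 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5
2017-05-03 04:30:07,555 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2017-05-03 05:15:00,010 fail2ban.actions        [1234]: NOTICE  [dovecot] Ban 198.51.100.7
2017-05-03 09:02:19,777 fail2ban.actions        [1234]: NOTICE  [postfix] Ban 203.0.113.5
2017-05-03 09:02:20,001 fail2ban.actions        [1234]: NOTICE  [repeat-offender] Ban 203.0.113.5
2017-05-04 12:00:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7
"""


def parse_bans(log_text, ignore_jail="repeat-offender"):
    """Return [(timestamp, host)] for every Ban line except those issued by
    ignore_jail. Skipping that jail is the job of the posted ignoreregex: the
    long ban must not be counted as yet another offence."""
    bans = []
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if not m or m.group("jail") == ignore_jail:
            continue
        ts = TS_RE.match(line)
        if not ts:
            continue  # no usable date; fail2ban would not count the line either
        bans.append((datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")))
    return bans


def repeat_offenders(log_text, maxretry, findtime):
    """Map host -> time of the ban that reached maxretry, keeping for each host
    only the earlier bans that fall inside a findtime-second sliding window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    hits = {}
    for ts, host in sorted(parse_bans(log_text)):
        if host in hits:
            continue  # already flagged; the long ban would be in force by now
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            hits[host] = ts
    return hits


if __name__ == "__main__":
    # Thresholds from the two posts: 3 bans / 24 h -> 30 days, 5 bans / 24 h -> 7 days
    for label, maxretry, bantime in (("plutocrat", 3, 2592000), ("jodumont", 5, 604800)):
        hits = repeat_offenders(SAMPLE_LOG, maxretry=maxretry, findtime=86400)
        print(f"{label}: maxretry={maxretry}, findtime=86400")
        for host, when in hits.items():
            print(f"  {host} banned at {when}, released {when + timedelta(seconds=bantime)}")
```

Against the sample, only 203.0.113.5 trips the 3-in-24-hours rule; with maxretry 5 nobody does, and the extra [repeat-offender] line never adds to the count. On a real box, run the real filter over the real log with `fail2ban-regex /var/log/fail2ban.log /etc/fail2ban/filter.d/repeat-offender.conf` to confirm the failregex matches your fail2ban version's log format, and put your own address in `ignoreip` under `[DEFAULT]` so the worry about banning yourself on port 8043 never arises.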