Page 1 of 1

Suggested fail2ban improvement.

Posted: Wed May 03, 2017 8:29 am
by plutocrat
Hi,
I've been running this fail2ban modification on most of my other servers, so I thought I'd see if I could get it to work on Vesta. Basically, the regular fail2ban rules ban IPs for a couple of hours and then in some cases the IP is unbanned and resumes its attack. This modification searches through the fail2ban log for IPs that are banned several times over a day, and then implements a longer ban -- a month! That should give them the message.

Here are the pieces of the puzzle.

File /etc/fail2ban/filter.d/repeat-offender.conf

Code: Select all

# Fail2Ban configuration file
# Notes.: Looking through /var/log/fail2ban.log for many occurences of Ban
[Definition]
failregex = fail2ban.actions.*:\s+NOTICE\s+\[(?:.*)\]\s+Ban\s+<HOST>
ignoreregex = fail2ban.actions.*:\s+NOTICE\s+\[repeat-offender\]\s+Ban\s+<HOST>
In /etc/fail2ban/jail.local, ideally at the TOP, under the DEFAULT section

Code: Select all

[repeat-iptables]
enabled  = true
filter   = repeat-offender
action = vesta-repeat[name=REPEAT]
logpath  = /var/log/fail2ban.log
# If 3 bans in 24 hours, ban for a month
bantime = 2592000
findtime = 86400
maxretry = 3
I first tried to run the action through the original /etc/fail2ban/action.d/vesta.conf but that caused an error as REPEAT wasn't defined in /usr/local/vesta/bin/v-add-firewall-chain and it needed a "port" argument. So I copied the action.d/vesta.conf to vesta-repeat.conf and edited it. (obviously this would be better done in v-add-firewall-chain)

Code: Select all

[Definition]
actionstart = /usr/local/vesta/bin/v-add-firewall-chain <name> 22,25,465,587,2525,110,995,143,993,8043,80
actionstop = /usr/local/vesta/bin/v-delete-firewall-chain <name>
actioncheck = iptables -n -L INPUT | grep -q 'fail2ban-<name>[ \t]'
actionban = /usr/local/vesta/bin/v-add-firewall-ban <ip> <name> 22,25,465,587,2525,110,995,143,993,8043,80
actionunban = /usr/local/vesta/bin/v-delete-firewall-ban <ip> <name>
If I was nervous, I might remove the 8043 port from that, just in case it bans my IP address, although its usually possible to change my IP address and unlock it from that. Ideally I'd block all ports, except 8043.

That's about it. Seems to work for me, and I already have a couple of IPs on the 'naughty' list.

Re: Suggested fail2ban improvement.

Posted: Mon Jan 08, 2018 4:23 pm
by jodumont
Personnaly on debia9

I simply add in /etc/fail2ban/jail.local

Code: Select all

[recidive]
enabled = true
logpath  = /var/log/fail2ban.log
port     = all
protocol = all
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5
then restart the service

it's also seams to works ;)

Re: Suggested fail2ban improvement.

Posted: Fri May 03, 2019 7:15 pm
by Elfy
Fantastic suggestion. Trying to bolster my firewall/intrusion prevention so I implemented this and I already have several repeat offenders in my ban list.

Would it be possible to use the "port=" argument in fail2ban "jail.local" to pass the ports so you don't need to create a new action.d file "vesta-repeat.conf"? Something like this:

Code: Select all

[repeat-iptables] # If 3 bans in 24 hours, ban for a month
enabled  = true
filter   = repeat-offender
action   = vesta[name=REPEA, port='22,25,465,587,2525,110,995,143,993,80']
logpath  = /var/log/fail2ban.log
bantime  = 2592000
findtime = 86400
maxretry = 3
I tried it but it didn't seem to work, but perhaps somebody more clever than I can get it to work.

Thanks!

Re: Suggested fail2ban improvement.

Posted: Mon May 20, 2019 5:14 am
by compiz
Thanks for this info!
I am having one problem though, in my network there are 3 pc and 2 phones connecting to multiple mail accounts on my server, some share some mail accounts, after like 30 minutes or so, the server bans my ip and nobody can connect! Not even me in ssh nor in vestacp page, is there any filter I can mod to allow multiple successfull connections from 1 IP?
I can understand the ban if I do wrong password but to ban people who are successfully logged in is bad!

Re: Suggested fail2ban improvement.

Posted: Sat Jul 27, 2019 8:12 am
by plutocrat
https://www.fail2ban.org/wiki/index.php/Whitelist

Whitelisting
Whitelisting is setup in the jail.conf file using a space separated list.

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.

ignoreip = 127.0.0.1 192.168.1.0/24 8.8.8.8