Fail2Ban
Manually unban IP
To unban an IP (JAIL is the jail name, for example ssh, MYIP the banned address):
fail2ban-client set JAIL unbanip MYIP
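The command above is all the page gives. As an added example that is not from the original page, the sh functions below check which addresses a jail currently lists before unbanning one, by parsing the output of fail2ban-client status JAIL. The status output embedded for the self-test is constructed to resemble what fail2ban-client prints (the exact tree characters vary between versions), and STATUS_CMD is an assumption introduced here so the parsing can be exercised without a running fail2ban.

```sh
#!/bin/sh
# Added example, not part of the original page: inspect a jail's ban list
# before unbanning. Assumes the "Banned IP list:" line that
# `fail2ban-client status JAIL` prints; the sample below is constructed.

# STATUS_CMD is an assumption made for this example: it normally expands to
# "fail2ban-client status", but can be pointed at a function for testing.
STATUS_CMD="${STATUS_CMD:-fail2ban-client status}"

# banned_ips JAIL -> the jail's currently banned addresses, one per line
banned_ips() {
    jail=$1
    $STATUS_CMD "$jail" \
        | sed -n 's/^.*Banned IP list:[[:space:]]*//p' \
        | tr ' ' '\n' \
        | sed '/^$/d'
}

# is_banned JAIL IP -> exit 0 if IP is in the jail's ban list
# -x -F: whole-line, literal match, so 192.0.2.1 does not hit 192.0.2.10
is_banned() {
    jail=$1; ip=$2
    banned_ips "$jail" | grep -q -x -F "$ip"
}

# unban_if_banned JAIL IP -> unban only when the jail really lists the IP,
# so a typo in the address is reported instead of silently doing nothing
unban_if_banned() {
    jail=$1; ip=$2
    if is_banned "$jail" "$ip"; then
        fail2ban-client set "$jail" unbanip "$ip"
    else
        echo "$ip is not banned in jail $jail" >&2
        return 1
    fi
}

# Constructed sample of `fail2ban-client status ssh`, used by the self-test
# (STATUS_CMD=fake_status); the tree drawing is approximate.
fake_status() {
    cat <<'EOF'
Status for the jail: ssh
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     12
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     5
   `- Banned IP list:   192.0.2.10 198.51.100.7
EOF
}
```

Usage on a live system: `unban_if_banned ssh 192.0.2.10`. The exact-match grep matters because a jail that bans 192.0.2.10 also "contains" 192.0.2.1 as a substring; unbanning blindly is harmless, but believing an address is banned when it is not leads to debugging the wrong thing.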
Standard config
Edit /usr/local/etc/fail2ban/jail.local:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = localhost 192.168.0.251
# "bantime" is the number of seconds that a host is banned.
bantime = 21600
# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.
findtime = 259200
# "maxretry" is the number of failures before a host gets banned.
maxretry = 3
[ssh]
enabled = true
filter = bsd-sshd
logpath = /var/log/auth.log
[asterisk]
enabled = true
filter = asterisk
logpath = /var/log/asterisk/full
[dovecot]
enabled = true
filter = dovecot
[apache-auth]
enabled = true
filter = apache-auth
maxretry = 8
apache_error_log = /usr/home/http/*/logs/error.log
apache_access_log = /usr/home/http/*/logs/access.log
[apache-badbots]
enabled = true
filter = apache-badbots
apache_error_log = /usr/home/http/*/logs/error.log
apache_access_log = /usr/home/http/*/logs/access.log
[apache-botsearch]
enabled = true
filter = apache-botsearch
apache_error_log = /usr/home/http/*/logs/error.log
apache_access_log = /usr/home/http/*/logs/access.log
[apache-noscript]
enabled = true
filter = apache-noscript
apache_error_log = /usr/home/http/*/logs/error.log
apache_access_log = /usr/home/http/*/logs/access.log
[apache-overflows]
enabled = true
filter = apache-overflows
apache_error_log = /usr/home/http/*/logs/error.log
apache_access_log = /usr/home/http/*/logs/access.log
[postfix]
enabled = true
filter = postfix
[postfix-sasl]
enabled = true
filter = postfix-sasl
Drop connection while blocking
Some services, Asterisk among them, do not drop an established connection after a number of failed attempts. A pf ban only stops new connections; packets that match an existing pf state keep flowing, so an attacker who already has a TCP session open can continue failing logins after the ban. To close those sessions as well, add an action that runs tcpdrop(8) against the banned address.
First, create a new file /usr/local/etc/fail2ban/action.d/tcpdrop.conf:
# Fail2Ban configuration file
#
# tcpdrop used to drop all opened tcp connections.
#
# Author: Matthias Fechner <idefix@fechner.net>
#
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
# we don't enable tcpdrop automatically, as it will be enabled elsewhere
actionstart =
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
# we don't disable tcpdrop automatically either
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
# -F: treat the address as a literal, not a regex; -w: match it as a whole
# word, so banning 198.51.100.4 does not also drop 198.51.100.40's sessions
actionban = tcpdrop -l -a | grep -w -F '<ip>' | sh
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
# nothing to undo: dropped connections cannot be restored
actionunban =
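Matching the banned address with a plain grep <ip> is too loose: grep reads the dotted quad as a regular expression (each "." matches any character) and as a substring, so a ban on 198.51.100.4 also drops every session from 198.51.100.40 through 198.51.100.49 and 198.51.100.4x. The following is an added example, not part of the page's action file: it runs the loose and the exact matcher over a constructed tcpdrop listing and defines the drop step that the corrected action would run. It assumes that tcpdrop -l -a on FreeBSD prints one line per established connection in the form "tcpdrop LADDR LPORT FADDR FPORT", ready to be piped back into sh.

```sh
#!/bin/sh
# Added example, not from the original page: exact selection of the
# connections to drop. Assumes the `tcpdrop -l -a` line format
# "tcpdrop LADDR LPORT FADDR FPORT"; the listing below is constructed.

# Constructed stand-in for `tcpdrop -l -a`: a SIP server (203.0.113.5:5060)
# and sshd with four established connections, three from 198.51.100.4x hosts.
sample_listing() {
    cat <<'EOF'
tcpdrop 203.0.113.5 5060 198.51.100.4 50101
tcpdrop 203.0.113.5 5060 198.51.100.40 50102
tcpdrop 203.0.113.5 22 198.51.100.41 50103
tcpdrop 203.0.113.5 5060 192.0.2.77 50104
EOF
}

# loose_select IP: the matcher a bare `grep <ip>` implements (regex + substring)
loose_select() {
    grep "$1"
}

# drops_for IP: only lines where IP appears as a whole, literal word.
# -F stops "." from matching any character, -w stops 198.51.100.4 from
# matching inside 198.51.100.40 (same holds for IPv6, where ":" is not a
# word character either).
drops_for() {
    grep -w -F "$1"
}

count_drops_loose() {
    sample_listing | loose_select "$1" | wc -l | tr -d ' '
}

count_drops_exact() {
    sample_listing | drops_for "$1" | wc -l | tr -d ' '
}

# drop_connections_from IP: what the corrected actionban does on a live
# system; needs root (fail2ban's rights) and is not exercised by the self-test.
drop_connections_from() {
    tcpdrop -l -a | drops_for "$1" | sh
}
```

On the constructed listing, count_drops_loose 198.51.100.4 reports three connections while count_drops_exact reports one: the loose matcher would have kicked two unrelated clients off the system along with the attacker. The equivalent actionban line for action.d/tcpdrop.conf is `tcpdrop -l -a | grep -w -F '<ip>' | sh`; fail2ban substitutes the <ip> tag before the shell sees the single quotes.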
Now configure fail2ban to run both the pf action and the tcpdrop action on every ban. Edit the file /usr/local/etc/fail2ban/jail.local:
[DEFAULT]
banaction = pf
# the second action is a continuation line and must be indented; tcpdrop
# ignores port and protocol, they are passed only for uniformity
action_drop = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              tcpdrop[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
action = %(action_drop)s