Fail2Ban

May 15, 2014
May 31, 2023 18:15 EEST

Manually unban IP

To unban an IP (replace JAIL with the jail name and MYIP with the banned address):

fail2ban-client set JAIL unbanip MYIP

Standard config

Edit /usr/local/etc/fail2ban/jail.local:

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = localhost 192.168.0.251

# "bantime" is the number of seconds that a host is banned.
bantime  = 21600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 259200

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

[ssh]
enabled = true
filter = bsd-sshd
logpath = /var/log/auth.log

[asterisk]
enabled = true
filter = asterisk
logpath = /var/log/asterisk/full

[dovecot]
enabled = true
filter = dovecot

[apache-auth]
enabled = true
filter = apache-auth
maxretry = 8
apache_error_log = /usr/home/http/*/logs/error.log
apache_access_log = /usr/home/http/*/logs/access.log

[apache-badbots]
enabled = true
filter = apache-badbots
apache_error_log = /usr/home/http/*/logs/error.log
apache_access_log = /usr/home/http/*/logs/access.log

[apache-botsearch]
enabled = true
filter = apache-botsearch
apache_error_log = /usr/home/http/*/logs/error.log
apache_access_log = /usr/home/http/*/logs/access.log

[apache-noscript]
enabled = true
filter = apache-noscript
apache_error_log = /usr/home/http/*/logs/error.log
apache_access_log = /usr/home/http/*/logs/access.log

[apache-overflows]
enabled = true
filter = apache-overflows
apache_error_log = /usr/home/http/*/logs/error.log
apache_access_log = /usr/home/http/*/logs/access.log

[postfix]
enabled = true
filter = postfix

[postfix-sasl]
enabled = true
filter = postfix-sasl

Drop connection while blocking

Some services, such as Asterisk, do not drop a connection after a configurable number of failures, so we add an action to fail2ban that drops the banned host's connections for us.

First, create a new file /usr/local/etc/fail2ban/action.d/tcpdrop.conf:

# Fail2Ban configuration file
#
# tcpdrop is used to drop all open TCP connections of the banned IP.
#
# Author: Matthias Fechner <idefix@fechner.net>
#
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
# we don't enable tcpdrop automatically, as it will be enabled elsewhere
actionstart =


# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
# we don't disable tcpdrop automatically either
actionstop =


# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =


# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
# list every connection as a tcpdrop command, keep only those of the banned
# IP (-w -F: whole-word, literal match, so 10.0.0.1 does not also hit
# 10.0.0.10) and execute them
actionban = tcpdrop -l -a | grep -w -F '<ip>' | sh


# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
# nothing to undo here: the dropped connections are already gone and the
# firewall rule is removed by the pf action
actionunban =

Now we configure fail2ban to use the pf action together with tcpdrop to block connections. Edit the file /usr/local/etc/fail2ban/jail.local:

[DEFAULT]
banaction = pf
action_drop = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             tcpdrop[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]

action = %(action_drop)s
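As an added example (not part of the original post), here is a dry-run version of what the actionban line does: it takes a constructed tcpdrop listing and selects only the connections whose foreign endpoint is the banned IP, matching on the whole field instead of a substring so that 203.0.113.7 does not also hit 203.0.113.70. The listing format ("tcpdrop local-addr local-port foreign-addr foreign-port") is assumed from tcpdrop(8) on FreeBSD.

```shell
#!/bin/sh
# Constructed sample of `tcpdrop -l -a` output (format assumed from tcpdrop(8)):
#   tcpdrop <local-addr> <local-port> <foreign-addr> <foreign-port>
SAMPLE_LISTING='tcpdrop 192.168.0.10 22 203.0.113.7 51234
tcpdrop 192.168.0.10 5060 203.0.113.70 5060
tcpdrop 192.168.0.10 22 203.0.113.7 51240
tcpdrop 192.168.0.10 993 198.51.100.3 40001'

# Print the tcpdrop commands for every connection whose foreign endpoint
# (field 4) is exactly $1. Comparing the whole field avoids the substring
# problem of a plain grep: banning 203.0.113.7 must not drop 203.0.113.70.
drop_cmds_for_ip() {
    ip=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v ip="$ip" '$1 == "tcpdrop" && $4 == ip'
}

# Number of connections that would be dropped for an IP (dry-run check).
count_for_ip() {
    drop_cmds_for_ip "$1" "$2" | wc -l | tr -d ' '
}

# For real use inside actionban, feed the live listing and execute the
# selected commands (fail2ban runs actions as root):
#   drop_cmds_for_ip "<ip>" "$(tcpdrop -l -a)" | sh
```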
