Fail2ban hax

Intro

For those who are not aware, fail2ban is a reactive tool: it watches log files and triggers an action when a configured pattern shows up. The most common use is blocking an IP in the firewall after repeated failed login attempts. Today I’ll show you a handful of tricks I’ve used to help protect my systems.

Permanent banning

Step 1.
Inside action.d/iptables-multiport.conf we will be changing three actions: actionunban, actionban and actionstart.
Change:
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
to:
actionunban =

so that fail2ban no longer removes the DROP rule when bantime expires; the ban becomes permanent.

Then add this echo line below actionban, indented so that it lines up with the command above it (an indented continuation line is read as part of the same action). It appends every banned IP to a per-jail blacklist file:

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            echo <ip> >> /etc/fail2ban/ip.blacklist-<name>

Lastly, add this line to the end of actionstart so that the saved blacklist is reloaded every time the jail starts:

actionstart = iptables -N fail2ban-<name>
             iptables -A fail2ban-<name> -j RETURN
             iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             /usr/bin/screen -d -m /etc/fail2ban/reload.sh <name>


Step 2.
Create /etc/fail2ban/reload.sh (and make it executable with chmod +x, since screen runs it directly) containing:

#!/bin/bash
# Re-insert every IP saved in the jail's blacklist ($1 = jail name, passed from actionstart as <name>).
BLACKLIST="/etc/fail2ban/ip.blacklist-$1"
[ -r "$BLACKLIST" ] || exit 0    # nothing banned yet for this jail
while read -r IP; do [ -n "$IP" ] && /sbin/iptables -I "fail2ban-$1" 1 -s "$IP" -j DROP; done < "$BLACKLIST"

Step 3.
To test it, trigger a ban and you should see blacklist files appear in /etc/fail2ban/, one per jail, named like this:
ip.blacklist-apache-connect
ip.blacklist-pure-ftpd

Check your iptables (iptables -L fail2ban-<name> -n), then restart fail2ban: the chain should be repopulated from the blacklist.

Note: reload.sh is started with screen -d -m so that the iptables rules are loaded in the background. actionstart runs synchronously, so without this fail2ban hangs on startup until every rule in the blacklist has been inserted.

If you ever need to unblock an IP, delete it from the blacklist file and restart fail2ban, or delete its rule from iptables by hand (iptables -D fail2ban-<name> -s <ip> -j DROP). Since actionunban is now empty, fail2ban itself will never remove the rule, so bear in mind that an address later reassigned to a legitimate user stays blocked until you remove it.
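Here is an added example (mine, not the post's reload.sh): a version of the reload script that, instead of trusting the blacklist file blindly, deduplicates it, refuses anything that is not a dotted-quad IPv4 address, and can print the iptables commands it would run instead of running them. The BLACKLIST_DIR variable is my own addition so the script can be exercised against a throwaway directory without root; the chain and file names follow the fail2ban-<name> / ip.blacklist-<name> convention used above.

```shell
#!/bin/sh
# Added example, not the post's reload.sh. Builds the iptables commands for a jail's
# saved blacklist, validating and deduplicating the entries first.
# BLACKLIST_DIR is an assumption for testing; the post keeps the files in /etc/fail2ban.
BLACKLIST_DIR="${BLACKLIST_DIR:-/etc/fail2ban}"

# Print one "iptables -I" command per unique, well-formed IPv4 address in the
# blacklist for jail $1. Anything that is not a dotted quad is reported on stderr
# and skipped, so a corrupted or hand-edited file cannot smuggle extra arguments
# into iptables. A missing file (nothing banned yet) yields no commands and no error.
blacklist_rules() {
    jail="$1"
    file="$BLACKLIST_DIR/ip.blacklist-$jail"
    [ -r "$file" ] || return 0
    sort -u "$file" | while IFS= read -r ip; do
        if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "reload: skipping bad entry in $file: '$ip'" >&2
            continue
        fi
        echo "/sbin/iptables -I fail2ban-$jail 1 -s $ip -j DROP"
    done
}

# Usage: reload.sh <jail>        apply the rules (needs root, as in the post's actionstart)
#        reload.sh <jail> --dry  only print them
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--dry" ]; then
        blacklist_rules "$1"
    else
        blacklist_rules "$1" | sh
    fi
fi
```

Running it with --dry after a few bans is a quick way to confirm the blacklist file holds only addresses before letting actionstart feed it to iptables.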

Blocking Proxy Scanners

I originally built this due to proxy scanners slamming my server. Apparently once upon a time someone using the IP I currently had was on a proxy list and no one was removing it. The filter goes in filter.d/apache-connect.conf:

[Definition]
# Ban any client whose request line is a CONNECT, or a GET/HEAD/POST with an
# absolute http(s):// URL, i.e. someone trying to use the server as an open proxy.
# <HOST> is replaced by fail2ban with its host-matching group and must be present
# for the client IP to be extracted from the access-log line.
failregex = ^<HOST> - - \[.*(CONNECT |POST htt|HEAD http|GET http).*$
ignoreregex =
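To see which lines the filter would pick up without touching the live server, here is an added example (mine, not part of the post): the failregex applied with sed to a handful of constructed access-log lines. fail2ban substitutes its own host pattern for <HOST>; the dotted-quad IPv4 pattern standing in for it here is my simplification. The canonical check is fail2ban-regex, e.g. fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-connect.conf, which reports how many lines matched and which hosts it extracted.

```shell
#!/bin/sh
# Added example, not from the post: apply the apache-connect failregex to access-log
# lines and print the client IP of every line that would be banned.

# Constructed sample log (not real traffic): two proxy probes, two normal requests.
sample_access_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2012:13:55:36 -0700] "CONNECT mail.example.org:25 HTTP/1.1" 405 526 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2012:13:55:37 -0700] "GET http://example.com/ HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2012:13:55:38 -0700] "GET /index.html HTTP/1.1" 200 2326 "http://example.com/" "Mozilla/5.0"
192.0.2.45 - - [10/Oct/2012:13:55:39 -0700] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Emit the client IP for each line matching the filter's failregex. The leading
# dotted-quad group stands in for fail2ban's <HOST> (an assumption: fail2ban's own
# pattern also accepts hostnames and IPv6). Reads the files given as arguments,
# or stdin when none are given.
apache_connect_hits() {
    sed -n -E 's/^([0-9]{1,3}(\.[0-9]{1,3}){3}) - - \[.*(CONNECT |POST htt|HEAD http|GET http).*$/\1/p' "$@"
}

if [ "$#" -gt 0 ]; then
    apache_connect_hits "$@"                  # real log file(s) on the command line
else
    sample_access_log | apache_connect_hits   # no arguments: run against the sample
fi
```

Note that a normal request with an absolute URL in the Referer field (third sample line) is not matched, because the alternatives require the method name immediately before "http"; only the request line itself can trigger the ban.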

