For those who are not aware, fail2ban is a reactive tool that triggers actions when events occur. The most common use is turning repeated failed login attempts into a firewall block. Today I'll show you a handful of tricks I've used to help protect my systems.
Inside action.d/iptables-multiport.conf we will be changing 3 actions:
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
Then add this echo line below actionban, indented so it lines up with the iptables command above it (fail2ban treats an indented line as a continuation of the same action):
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            echo <ip> >> /etc/fail2ban/ip.blacklist-<name>
Lastly, change actionstart and add the screen line at the end, again lined up with the lines above it:
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              /usr/bin/screen -d -m /etc/fail2ban/reload.sh <name>
Create an /etc/fail2ban/reload.sh script containing:
#!/bin/bash
# Re-insert every IP saved in the blacklist for this jail (the jail <name> is passed as $1)
# into the jail's chain, so bans survive a fail2ban restart.
BLACKLIST=/etc/fail2ban/ip.blacklist-$1
[ -f "$BLACKLIST" ] || exit 0    # nothing has been banned in this jail yet
while read -r IP; do
    [ -n "$IP" ] && /sbin/iptables -I "fail2ban-$1" 1 -s "$IP" -j DROP
done < "$BLACKLIST"
To test it, trigger a ban and you should start to see files named ip.blacklist-<name> created in /etc/fail2ban/, with one banned IP per line.
Check your iptables rules, restart fail2ban, and you should see the fail2ban-<name> chain get repopulated from the file.
Note: I use screen -d -m /etc/fail2ban/reload.sh so the iptables rules are loaded in the background. Otherwise fail2ban actually hangs on start while it works through the rules.
If you ever find the need to unblock an IP, you will want to delete it from the blacklist file and then restart fail2ban, or manually delete its entry from iptables.
Blocking Proxy Scanners
I originally built this due to proxy scanners slamming my server. Apparently, at some point someone using the IP I currently have had landed it on a proxy list, and no one was ever removing it.
[Definition]
# ban anything sending a CONNECT, or a GET/HEAD/POST for an absolute URL (a proxy-style request)
# <HOST> is fail2ban's placeholder for the client address at the start of the access log line
failregex = ^<HOST> - - \[.*(CONNECT |POST htt|HEAD http|GET http).*$
ignoreregex =
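To check what the filter above will and will not ban before wiring it into a jail, here is an added Python harness (not from the original post, and not fail2ban's own code) that applies the failregex to a few constructed Apache access-log lines; the `<HOST>` expansion is a simplified stand-in for fail2ban's own.

```python
import re

# The failregex from the filter above, exactly as written in the [Definition] section
FAILREGEX = r"^<HOST> - - \[.*(CONNECT |POST htt|HEAD http|GET http).*$"

# Simplified stand-in for fail2ban's <HOST> expansion (assumption, not fail2ban's code):
# a named group that captures an IPv4/IPv6 address or hostname token.
HOST_GROUP = r"(?P<host>[\w\-.:]+)"


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def matching_hosts(lines, failregex=FAILREGEX):
    """Return the client address of every log line the filter would count as a failure."""
    rx = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = rx.search(line)
        if m:
            hits.append(m.group("host"))
    return hits


# Constructed Apache access-log lines (documentation addresses, not real traffic):
# two proxy-style requests and a CONNECT should match; ordinary site requests should not.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "CONNECT mail.example.net:25 HTTP/1.1" 405 0',
    '203.0.113.7 - - [10/Oct/2012:13:55:40 +0000] "GET http://www.example.org/ HTTP/1.1" 200 1234',
    '198.51.100.9 - - [10/Oct/2012:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Oct/2012:13:56:02 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.8 - - [10/Oct/2012:13:56:10 +0000] "HEAD http://proxyjudge.example/ HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    # Expected: 203.0.113.5, 203.0.113.7 and 203.0.113.8; the 198.51.100.9 lines are left alone.
    for host in matching_hosts(SAMPLE_LOG):
        print("would ban:", host)
```

Because the `.*` after the timestamp spans the rest of the line, the alternatives are also matched if they appear later in the line (for example inside a referer or user-agent field), so run suspicious lines through a harness like this before trusting the filter.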