Friday, January 31, 2014

Protect your server with Fail2Ban

Fail2Ban is one of the must-have security features for your server. It is a nifty piece of code which detects anomalies (such as repeated failed logins) in the log files and bans the offending IP address for a period of time.

However, I do not like users trying to break into my server, and if they break a rule I would like them banned forever. Fail2Ban can do this with a large enough bantime, but at a system reset or reboot these IP addresses are lost, because the ban rules live only in the kernel's iptables tables.

But this can be easily fixed by saving the banned addresses to a file and re-inserting them when Fail2Ban starts.
On my server I have changed the actionstart and actionban options of the iptables action, /etc/fail2ban/action.d/iptables.conf (not filter.d, which holds the log-matching regexes), to the lines below; the other options in that file (actionstop, actioncheck, actionunban) stay as they are. Putting the same two options in /etc/fail2ban/action.d/iptables.local instead of editing the stock file keeps the change from being overwritten by a package upgrade.

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
#          The last two lines restore the saved bans for this jail; <name>
#          expands to the jail name, so each jail keeps its own blacklist
#          file, and touch makes sure the file exists on a fresh install.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
              touch /opt/ip.blacklist-<name>
              while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done < /opt/ip.blacklist-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          The address is appended to the blacklist only if it is not
#          already there, so repeated bans of one host do not grow the file.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            grep -qxF '<ip>' /opt/ip.blacklist-<name> || echo '<ip>' >> /opt/ip.blacklist-<name>

One thing to be aware of: the rules restored in actionstart are inserted straight into iptables, so Fail2Ban itself does not know about them. They will not show up in fail2ban-client status for the jail and, since no unban is ever scheduled for them, they stay in place until the chain is flushed, which is exactly the permanent ban wanted here.
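The action lines above are run by Fail2Ban through the shell, so the same logic can live in a small script that the action calls. The following is an added example, not code from the original post or from Fail2Ban: it does what the actionstart/actionban snippets do, but checks that each blacklist line is a plain IPv4 address before handing it to iptables and refuses to write duplicates. It assumes the blacklist path and the jail chain name are passed as arguments, and that IPTABLES may be pointed at a stub command for a dry run.

```shell
#!/bin/sh
# Added example (not from the original post or from Fail2Ban): persistent
# blacklist helpers for a fail2ban iptables action.
# Assumptions: blacklist file and chain name are passed as arguments;
# IPTABLES can be overridden (e.g. with a logging stub) for dry runs.

IPTABLES="${IPTABLES:-iptables}"

# Accept only a plain dotted-quad IPv4 address. A corrupted line, a
# hostname or shell metacharacters are rejected rather than being passed
# on to iptables as part of a rule.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Record one banned address in the blacklist file, exactly once.
# Intended for actionban: blacklist_add /opt/ip.blacklist-<name> <ip>
blacklist_add() {
    file="$1"; ip="$2"
    is_ipv4 "$ip" || return 1
    touch "$file"
    grep -qxF "$ip" "$file" || printf '%s\n' "$ip" >> "$file"
}

# Re-insert every saved address at the top of the jail chain and print
# how many rules were inserted. A missing file is not an error, so the
# jail still starts cleanly on a fresh install.
# Intended for actionstart: blacklist_restore /opt/ip.blacklist-<name> fail2ban-<name>
blacklist_restore() {
    file="$1"; chain="$2"
    n=0
    [ -f "$file" ] || { echo 0; return 0; }
    while IFS= read -r ip; do
        is_ipv4 "$ip" || continue
        "$IPTABLES" -I "$chain" 1 -s "$ip" -j DROP && n=$((n + 1))
    done < "$file"
    echo "$n"
}
```

Installed as, say, /usr/local/sbin/fail2ban-blacklist and sourced from the action, the two option lines shrink to one call each, and a blacklist file that has been hand-edited (or tampered with) can no longer inject anything into an iptables command line. The validation is IPv4-only, matching what the iptables action handles; an ip6tables action would need its own check.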
