Fail2Ban: Jails, filters, and time tricks
Fail2Ban is a brilliant piece of IDS (Intrusion Detection Software) that I've got a crush on.
I've developed a couple "jails" -- rules for banning IP addresses.
First, a couple thoughts, tricks, and tips:
- First, maxretry should probably be called maxattempts, as I don't want any retries on logging in as root via ssh.
-
A handy way of dealing with findtime and bantime is to create these aliases:
## bantime of 3600 = 60*60 = one hour
## bantime of 86400 = 60*60*24 = one day
## bantime of 604800 = 60*60*24*7 = one week
## bantime of 2592000 = 60*60*24*30 = (approx) one month
## bantime of 31536000 = 60*60*24*365 = (approx) one year
one_hour = 3600
one_day = 86400
one_week = 604800
one_month = 2592000
one_year = 31536000Then refer to them like this:
findtime = %(one_week)s
bantime = %(one_week)sNOTE the %(...)s do NOT forget trailing "s"!
-
Actions can be chained. I wanted to both ban users and email myself, so I did this:
action = iptables-multiport[name=apache-phpmyadmin,
port="http,https", protocol=tcp] %(action_mwl)sNOTE the %(...)s do NOT forget trailing "s"!
I've had emails saying Fail2ban had banned an IP, but testing showed it didn't. WTF?!? This is important that this works!
When you run a new jail, or start one, also run:
sudo iptables -n --listand watch for a "chain" for each of your jails, and, make sure each chain has a reference, like this:
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
If there are 0 (zero) references, then reload the chain's jail like this:
(substituting name of your jail with no references).
What happens is, sometimes the INPUT chain doesn't refer any packets to the fail2ban chain(s), so you'll get an email saying a ban has happened, but it hasn't taken effect, and leaves cryptic messages in /var/log/fail2ban.log.
Good luck with your fail2ban installation!
| Attachment | Size |
|---|---|
 apache-phpmyadmin.local | 1.96 KB |
| apache-verboten4bots.local | 665 bytes |