software:fail2ban:blacklist

Differences between two revisions of this page: 2019/08/13 01:44 (created) by rodolico and 2019/08/13 02:14 by rodolico. The text below follows the newer revision.
====== Blacklist IPs from a file ======
  
fail2ban is designed to dynamically watch logs and ban/unban IPs with bad reputations. However, with a little sneakiness, it can also be made to load a list of permanently banned IP addresses. This is a drastic action, and can end up blocking legitimate users who are later assigned IPs previously used for cracking attempts, so I tend to clean the list up every once in a while. But, for me, it is a list of IPs that have done some extended hacking on my servers in the past, and this way fail2ban doesn't have to monitor their attempts.
  
Basically, we create a custom action which creates its own iptables chain (under fail2ban's control) and loads the IPs into it, and that is all. The jail is there just to run the action once at startup, and the filter is there because fail2ban requires one (and complains if you set it to null).

We'll create three files and add a block to jail.local:
  - a list of IPs or subnets, one entry per line
  - an action file, stored in action.d/
  - a dummy filter file, stored in filter.d/
  - a block in jail.local that ties the two together
===== Blacklist File =====

This is a basic text file with one IP or subnet per line. I store mine in /etc/fail2ban on my Devuan Linux machine. An example is:

<file text ip.blacklist>
172.104.94.112
190.40.235.20
190.4.51.122
210.186.135.78
39.45.148.16
193.93.16.14
93.174.93.0/24
</file>
 + 
===== Action file =====
Now we need to create an action, a file to be placed in action.d. I named it blacklistip.conf, and the name matters when you define the jail it goes in: //action = blacklistip// means //look in action.d for a file named blacklistip.conf and load it as the action//.
  
<code conf action.d/blacklistip.conf>
# ... (earlier lines of the file are not shown in this comparison view) ...
# taken directly from the multiport ban script, with the last line
# inserted to load the IP file
# creates a chain, then loads all the IPs into it
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
# ... (remaining actionstart lines, including the one that reads the IP file, are not shown in this comparison view) ...

# these actions are taken when fail2ban is shut down
# basically, destroys the chain
actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
             <iptables> -F f2b-<name>
# ... (remaining lines of the file are not shown in this comparison view) ...
</code>
  
===== Filter =====

Now we need a filter, because we are abusing fail2ban. fail2ban assumes you're going to be parsing a log file to find bad guys attacking you, but we already know who we want to block. So we create a dummy and store it in filter.d/blacklistip.conf. The name of the file is not arbitrary: it is the default, derived from the name of our jail definition (later). We could call it anything, but would then need to add

<code>filter = anything</code>

to our jail. Using the jail's name is simpler.
  
<file conf filter.d/blacklistip.conf>
# ... (contents not shown in this comparison view) ...
</file>
  
===== Modify jail.local =====

jail.local (in the root of the fail2ban configuration directory) is the place to make local modifications, so we add the following block to it. This defines a jail named //blacklistip//, which is enabled. Since we don't have a //filter =// line, the filter is assumed to be filter.d/blacklistip.conf.

The action is explicitly set to blacklistip (ie, action.d/blacklistip.conf), and we pass it the name of the chain to create (name=blacklistip) and the file to read from (filename='/etc/fail2ban/ip.blacklist').
  
<code conf>
# ... (start of the jail block not shown in this comparison view) ...
action = blacklistip[name=blacklistip,filename='/etc/fail2ban/ip.blacklist']
</code>

===== Test it =====

Restart fail2ban, then run the following command as root.

<code bash>iptables -n -L f2b-blacklistip</code>

You should see a list of all the banned IPs, each with a target of DROP. The DROP rules must appear before the RETURN rule the action appended to the chain; a rule listed after RETURN is never reached. When you stop fail2ban, it will clean them up also. Note that fail2ban itself does not treat these entries as bans (they were inserted by actionstart, not by actionban), so ''fail2ban-client status blacklistip'' will not list them; the chain is the place to check.

===== Deficiencies =====

Actually, this should be done on the router, since it uses some memory and processor on your server. Also, there is no way to dynamically add/remove IPs: you must modify the file, then restart fail2ban.

Using fail2ban-client, you can add IPs to (or remove them from) the chain, so a simple script should be able to A) append/remove the IP in ip.blacklist and B) append/remove the IP in the f2b-blacklistip chain, but I haven't written one yet.
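
Here is such a script, as an added example; it is not the wiki author's and is not part of fail2ban. It covers the start-up load that the action file above performs as well as the add/remove step described here. It assumes the names used on this page (jail and chain ''blacklistip'', so the chain is ''f2b-blacklistip''; list in ''/etc/fail2ban/ip.blacklist''), that the action's blocktype is DROP, and that actionstart appended a RETURN rule, so new rules are inserted at position 1 ahead of it. It goes a little beyond the page's plain list: blank lines and ''#'' comments are skipped, and every entry is checked to be an IPv4 address or CIDR before it is handed to iptables, so a typo or a crafted line in the file cannot turn into an unexpected rule. ''DRY_RUN=1'' prints the iptables commands instead of running them.

```sh
#!/bin/sh
# blacklist.sh: keep the ip.blacklist file and the f2b-blacklistip chain in step.
# Added example for this page; not the wiki author's script and not part of fail2ban.
# Assumptions (taken from the page's names, change them to match your setup):
#   - the jail and the chain are called blacklistip, i.e. the chain is f2b-blacklistip
#   - the list lives in /etc/fail2ban/ip.blacklist, one IPv4 address or CIDR per line
#   - the action's blocktype is DROP and its actionstart appended a RETURN rule,
#     so new rules are inserted at position 1, ahead of that RETURN
# DRY_RUN=1 prints the iptables commands instead of running them.

BLACKLIST="${BLACKLIST:-/etc/fail2ban/ip.blacklist}"
JAIL="${JAIL:-blacklistip}"

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix and nothing else,
# so a typo (or a crafted line such as "1.2.3.4 -j ACCEPT") never reaches iptables.
valid_entry() {
    entry="$1"
    case "$entry" in
        */*) addr="${entry%/*}"; prefix="${entry#*/}" ;;
        *)   addr="$entry";       prefix=32 ;;
    esac
    printf '%s\n' "$addr"   | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$prefix" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$prefix" -le 32 ] || return 1
    # each octet must be 0-255; done in a subshell so IFS is not changed globally
    ( IFS=.; set -- $addr; for octet; do [ "$octet" -le 255 ] || exit 1; done ) || return 1
}

# Run a command, or just show it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Print the usable entries of the list: blank lines and '#' comments are skipped,
# invalid entries are reported on stderr and skipped rather than silently loaded.
list_entries() {
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        line="$(printf '%s' "$line" | tr -d '[:space:]')"
        [ -n "$line" ] || continue
        if valid_entry "$line"; then
            printf '%s\n' "$line"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done < "$1"
}

# Load every entry into the chain (what the action does once at start-up).
load_chain() {
    list_entries "$BLACKLIST" | while read -r ip; do
        run iptables -I "f2b-$JAIL" 1 -s "$ip" -j DROP
    done
}

# Add an entry to the file (if not already there) and to the live chain.
blacklist_add() {
    valid_entry "$1" || { printf 'rejected: %s\n' "$1" >&2; return 1; }
    grep -qxF -- "$1" "$BLACKLIST" 2>/dev/null || printf '%s\n' "$1" >> "$BLACKLIST"
    run iptables -I "f2b-$JAIL" 1 -s "$1" -j DROP
}

# Remove an entry from the file and from the live chain.
blacklist_remove() {
    valid_entry "$1" || { printf 'rejected: %s\n' "$1" >&2; return 1; }
    tmp="$(mktemp)"
    grep -vxF -- "$1" "$BLACKLIST" > "$tmp" || true   # grep exits 1 if nothing is left
    mv "$tmp" "$BLACKLIST"
    run iptables -D "f2b-$JAIL" -s "$1" -j DROP
}

case "${1:-}" in
    load)   load_chain ;;
    add)    blacklist_add "$2" ;;
    remove) blacklist_remove "$2" ;;
    *)      printf 'usage: %s load | add <ip[/prefix]> | remove <ip[/prefix]>\n' "$0" >&2 ;;
esac
```

Run it as root: ''blacklist.sh add 203.0.113.7'' or ''blacklist.sh remove 203.0.113.7'' (the address is a documentation example). ''add'' and ''remove'' talk to iptables directly, mirroring what the action does, so the entries are never subject to the jail's bantime; ''fail2ban-client set blacklistip banip <ip>'' would also insert the rule, but fail2ban would then unban it when bantime expires. The edit to the file is what makes an entry survive a restart.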

===== Links =====

  * [[https://www.fail2ban.org/wiki/index.php/Commands]]
  * [[https://www.mauromascia.com/en/blog/fail2ban-set-permanent-ban-per-ip/]]

software/fail2ban/blacklist.txt · Last modified: 2019/08/17 20:21 by rodolico