Added section for recidivist jail
parent 57c4524578
commit 8f07b5810a
README.md (57 lines changed)
							| @ -24,6 +24,7 @@ | |||||||
|     - [Jail-specific settings](#jail-specific-settings) |     - [Jail-specific settings](#jail-specific-settings) | ||||||
| - [The UFW filter regex (/etc/fail2ban/filter.d/ufw-probe.conf)](#the-ufw-filter-regex-etcfail2banfilterdufw-probeconf) | - [The UFW filter regex (/etc/fail2ban/filter.d/ufw-probe.conf)](#the-ufw-filter-regex-etcfail2banfilterdufw-probeconf) | ||||||
| - [The action file (/etc/fail2ban/action.d/ufw.conf)](#the-action-file-etcfail2banactiondufwconf) | - [The action file (/etc/fail2ban/action.d/ufw.conf)](#the-action-file-etcfail2banactiondufwconf) | ||||||
|  | - [Repeat offenders](#repeat-offenders) | ||||||
| - [Final thoughts](#final-thoughts) | - [Final thoughts](#final-thoughts) | ||||||
| 
 | 
 | ||||||
| ## Overview | ## Overview | ||||||
| @ -376,6 +377,62 @@ otherwise defined (i.e. allowed) traffic. | |||||||
| 
 | 
 | ||||||
| The '*actionunban*' simply deletes the rule to remove the block. | The '*actionunban*' simply deletes the rule to remove the block. | ||||||
| 
 | 
 | ||||||
|  | ## Repeat offenders | ||||||
|  | 
 | ||||||
|  | In some cases, the same systems will continue probing your system even after | ||||||
|  | being banned several times.  I choose to call these '*recidivists*' and setup a | ||||||
|  | special jail for them. | ||||||
|  | 
 | ||||||
|  | The *recidivist jail* scans the *fail2ban* log to search for systems that have | ||||||
|  | been issued a certain threshold number of bans already.  If any are found, they | ||||||
|  | are issued a longer-term ban.  Let's go though the configuration: | ||||||
|  | 
 | ||||||
|  | The beginning of the file should already be familiar to you along with the fact | ||||||
|  | that the '*ignoreip*' parameter is optional. | ||||||
|  | 
 | ||||||
|  | Remember that we are searching for repeat offenders.  In other words, they have | ||||||
|  | already been issued a ban by F2B so their IP will already appear in F2B's log, | ||||||
|  | which is why we are searching that file. | ||||||
|  | 
 | ||||||
|  | ```Ini | ||||||
|  | logpath   = /var/log/fail2ban.log | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | Timeframes here present a bit of a twist in thinking.  In this case, | ||||||
|  | '*maxretry*' refers to how many previous bans have been issued in '*findtime*' | ||||||
|  | period. | ||||||
|  | 
 | ||||||
|  | ```Ini | ||||||
|  | maxretry    = 3 | ||||||
|  | findtime    = 86400 | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | In this example, I'm saying that if a particular host has already been banned 3 | ||||||
|  | times in the last 24 hours (86400 seconds), then they need to be put in this | ||||||
|  | jail!  You should adjust these values to reflect your tolerance levels for | ||||||
|  | repeat offenders.  **Note: The '*dbpurgeage*' you specified in your | ||||||
|  | */etc/fail2ban/fail2ban.conf* file must be at least as long as your '*findtime*' | ||||||
|  | parameter here so there's enough history for F2B to review!** | ||||||
|  | 
 | ||||||
|  | The entire point of this jail is to levy longer bantimes than ordinary jails | ||||||
|  | which generally use the default set in '*/etc/fail2ban/jail.conf*'. | ||||||
|  | Therefore, we explictly specify a time here, 3 days in this case: | ||||||
|  | 
 | ||||||
|  | ```Ini | ||||||
|  | bantime     = 259200 | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | Finally, we need to let F2B know what filter to use when parsing it's own log | ||||||
|  | file. We'll use the *recidive* filter provided by F2B for exactly this purpose. | ||||||
|  | Since we are calling this filter from a jail with a different name (i.e. the | ||||||
|  | jail is not also called 'recidive'), we have to make that clear to the filter. | ||||||
|  | Finally, we also enable the jail. | ||||||
|  | 
 | ||||||
|  | ```Ini | ||||||
|  | filter      = recidive[_jailname="recidivist"] | ||||||
|  | enabled     = true | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
| ## Final thoughts | ## Final thoughts | ||||||
| 
 | 
 | ||||||
| Well, that's it.  Fail2Ban will now monitor SSH intrusion attempts and will also | Well, that's it.  Fail2Ban will now monitor SSH intrusion attempts and will also | ||||||
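Review bot: the `filter = recidive[_jailname="recidivist"]` line needs a reason in the text, not just "we have to make that clear to the filter": the stock recidive filter's failregex skips `Ban` log lines issued by the jail named in `_jailname` (default `recidive`) so a jail never counts its own bans, and a differently named jail that forgets the override would feed each of its own 3-day bans back into its own count. Suggest stating that, and adding the second warning fail2ban's own jail.conf attaches to this jail next to the `dbpurgeage` note already in the hunk: `loglevel` in fail2ban.conf must not be DEBUG, because the jail reads fail2ban.log and can then loop on its own output. The hunk also never shows which `port`/`action` the jail uses even though it says "the beginning of the file should already be familiar"; a repeat-offender ban normally covers all ports (jail.conf's recidive uses `banaction = %(banaction_allports)s`), so show that line or say explicitly that the ufw action from the earlier section is used and what it blocks. Minor typos in the added prose: "setup a special jail" -> "set up", "go though" -> "go through", "explictly" -> "explicitly", "parsing it's own log file" -> "its own".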