Added section for recidivist jail

This commit is contained in:
Asif Bacchus 2018-09-30 01:44:21 -06:00
parent 57c4524578
commit 8f07b5810a

View File

@ -24,6 +24,7 @@
- [Jail-specific settings](#jail-specific-settings) - [Jail-specific settings](#jail-specific-settings)
- [The UFW filter regex (/etc/fail2ban/filter.d/ufw-probe.conf)](#the-ufw-filter-regex-etcfail2banfilterdufw-probeconf) - [The UFW filter regex (/etc/fail2ban/filter.d/ufw-probe.conf)](#the-ufw-filter-regex-etcfail2banfilterdufw-probeconf)
- [The action file (/etc/fail2ban/action.d/ufw.conf)](#the-action-file-etcfail2banactiondufwconf) - [The action file (/etc/fail2ban/action.d/ufw.conf)](#the-action-file-etcfail2banactiondufwconf)
- [Repeat offenders](#repeat-offenders)
- [Final thoughts](#final-thoughts) - [Final thoughts](#final-thoughts)
## Overview ## Overview
@ -376,6 +377,62 @@ otherwise defined (i.e. allowed) traffic.
The '*actionunban*' simply deletes the rule to remove the block. The '*actionunban*' simply deletes the rule to remove the block.
## Repeat offenders
In some cases, the same systems will continue probing your system even after
being banned several times. I choose to call these '*recidivists*' and setup a
special jail for them.
The *recidivist jail* scans the *fail2ban* log to search for systems that have
been issued a certain threshold number of bans already. If any are found, they
are issued a longer-term ban. Let's go though the configuration:
The beginning of the file should already be familiar to you along with the fact
that the '*ignoreip*' parameter is optional.
Remember that we are searching for repeat offenders. In other words, they have
already been issued a ban by F2B so their IP will already appear in F2B's log,
which is why we are searching that file.
```Ini
logpath = /var/log/fail2ban.log
```
Timeframes here present a bit of a twist in thinking. In this case,
'*maxretry*' refers to how many previous bans have been issued in '*findtime*'
period.
```Ini
maxretry = 3
findtime = 86400
```
In this example, I'm saying that if a particular host has already been banned 3
times in the last 24 hours (86400 seconds), then they need to be put in this
jail! You should adjust these values to reflect your tolerance levels for
repeat offenders. **Note: The '*dbpurgeage*' you specified in your
*/etc/fail2ban/fail2ban.conf* file must be at least as long as your '*findtime*'
parameter here so there's enough history for F2B to review!**
The entire point of this jail is to levy longer bantimes than ordinary jails
which generally use the default set in '*/etc/fail2ban/jail.conf*'.
Therefore, we explictly specify a time here, 3 days in this case:
```Ini
bantime = 259200
```
Finally, we need to let F2B know what filter to use when parsing it's own log
file. We'll use the *recidive* filter provided by F2B for exactly this purpose.
Since we are calling this filter from a jail with a different name (i.e. the
jail is not also called 'recidive'), we have to make that clear to the filter.
Finally, we also enable the jail.
```Ini
filter = recidive[_jailname="recidivist"]
enabled = true
```
## Final thoughts ## Final thoughts
Well, that's it. Fail2Ban will now monitor SSH intrusion attempts and will also Well, that's it. Fail2Ban will now monitor SSH intrusion attempts and will also