Added section for recidivist jail
parent 57c4524578
commit 8f07b5810a
89 README.md
@ -5,25 +5,26 @@
|
|||||||
- [Overview](#overview)
|
- [Overview](#overview)
|
||||||
- [Installing an up-to-date Fail2Ban version](#installing-an-up-to-date-fail2ban-version)
|
- [Installing an up-to-date Fail2Ban version](#installing-an-up-to-date-fail2ban-version)
|
||||||
- [Customizing your set up](#customizing-your-set-up)
|
- [Customizing your set up](#customizing-your-set-up)
|
||||||
- [/etc/fail2ban/fail2ban.conf](#etcfail2banfail2banconf)
|
- [/etc/fail2ban/fail2ban.conf](#etcfail2banfail2banconf)
|
||||||
- [loglevel](#loglevel)
|
- [loglevel](#loglevel)
|
||||||
- [logtarget](#logtarget)
|
- [logtarget](#logtarget)
|
||||||
- [dbpurgeage](#dbpurgeage)
|
- [dbpurgeage](#dbpurgeage)
|
||||||
- [/etc/fail2ban/jail.local](#etcfail2banjaillocal)
|
- [/etc/fail2ban/jail.local](#etcfail2banjaillocal)
|
||||||
- [ignoreip](#ignoreip)
|
- [ignoreip](#ignoreip)
|
||||||
- [Timeframes](#timeframes)
|
- [Timeframes](#timeframes)
|
||||||
- [Actions](#actions)
|
- [Actions](#actions)
|
||||||
- [Notication options](#notication-options)
|
- [Notication options](#notication-options)
|
||||||
- [Shortcuts](#shortcuts)
|
- [Shortcuts](#shortcuts)
|
||||||
- [Jails](#jails)
|
- [Jails](#jails)
|
||||||
- [sshd (/etc/fail2ban/jail.d/ssh.conf)](#sshd-etcfail2banjaildsshconf)
|
- [sshd (/etc/fail2ban/jail.d/ssh.conf)](#sshd-etcfail2banjaildsshconf)
|
||||||
- [UFW port probing](#ufw-port-probing)
|
- [UFW port probing](#ufw-port-probing)
|
||||||
- [Name of the jail](#name-of-the-jail)
|
- [Name of the jail](#name-of-the-jail)
|
||||||
- [Ports and IPs](#ports-and-ips)
|
- [Ports and IPs](#ports-and-ips)
|
||||||
- [Timeframes](#timeframes)
|
- [Timeframes](#timeframes)
|
||||||
- [Jail-specific settings](#jail-specific-settings)
|
- [Jail-specific settings](#jail-specific-settings)
|
||||||
- [The UFW filter regex (/etc/fail2ban/filter.d/ufw-probe.conf)](#the-ufw-filter-regex-etcfail2banfilterdufw-probeconf)
|
- [The UFW filter regex (/etc/fail2ban/filter.d/ufw-probe.conf)](#the-ufw-filter-regex-etcfail2banfilterdufw-probeconf)
|
||||||
- [The action file (/etc/fail2ban/action.d/ufw.conf)](#the-action-file-etcfail2banactiondufwconf)
|
- [The action file (/etc/fail2ban/action.d/ufw.conf)](#the-action-file-etcfail2banactiondufwconf)
|
||||||
|
- [Repeat offenders](#repeat-offenders)
|
||||||
- [Final thoughts](#final-thoughts)
|
- [Final thoughts](#final-thoughts)
|
||||||
|
|
||||||
## Overview
|
## Overview
|
||||||
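Review bot: the new `- [Repeat offenders](#repeat-offenders)` entry is correct for the `## Repeat offenders` heading added further down, but since this hunk touches the table of contents it is the right moment to fix two pre-existing anchor problems visible in it: `Timeframes` appears twice (once under jail.local, once under UFW port probing) and both entries link to `#timeframes`, so the second entry can never reach its own section (GitHub-style renderers give the second heading `#timeframes-1`); and `Notication options` / `#notication-options` should be `Notification options` / `#notification-options`, with the heading itself renamed to match.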
@ -376,6 +377,62 @@ otherwise defined (i.e. allowed) traffic.
|
|||||||
|
|
||||||
The '*actionunban*' simply deletes the rule to remove the block.
|
The '*actionunban*' simply deletes the rule to remove the block.
|
||||||
|
|
||||||
|
## Repeat offenders
|
||||||
|
|
||||||
|
In some cases, the same systems will continue probing your system even after
|
||||||
|
being banned several times. I choose to call these '*recidivists*' and setup a
|
||||||
|
special jail for them.
|
||||||
|
|
||||||
|
The *recidivist jail* scans the *fail2ban* log to search for systems that have
|
||||||
|
been issued a certain threshold number of bans already. If any are found, they
|
||||||
|
are issued a longer-term ban. Let's go though the configuration:
|
||||||
|
|
||||||
|
The beginning of the file should already be familiar to you along with the fact
|
||||||
|
that the '*ignoreip*' parameter is optional.
|
||||||
|
|
||||||
|
Remember that we are searching for repeat offenders. In other words, they have
|
||||||
|
already been issued a ban by F2B so their IP will already appear in F2B's log,
|
||||||
|
which is why we are searching that file.
|
||||||
|
|
||||||
|
```Ini
|
||||||
|
logpath = /var/log/fail2ban.log
|
||||||
|
```
|
||||||
|
|
||||||
|
Timeframes here present a bit of a twist in thinking. In this case,
|
||||||
|
'*maxretry*' refers to how many previous bans have been issued in '*findtime*'
|
||||||
|
period.
|
||||||
|
|
||||||
|
```Ini
|
||||||
|
maxretry = 3
|
||||||
|
findtime = 86400
|
||||||
|
```
|
||||||
|
|
||||||
|
In this example, I'm saying that if a particular host has already been banned 3
|
||||||
|
times in the last 24 hours (86400 seconds), then they need to be put in this
|
||||||
|
jail! You should adjust these values to reflect your tolerance levels for
|
||||||
|
repeat offenders. **Note: The '*dbpurgeage*' you specified in your
|
||||||
|
*/etc/fail2ban/fail2ban.conf* file must be at least as long as your '*findtime*'
|
||||||
|
parameter here so there's enough history for F2B to review!**
|
||||||
|
|
||||||
|
The entire point of this jail is to levy longer bantimes than ordinary jails
|
||||||
|
which generally use the default set in '*/etc/fail2ban/jail.conf*'.
|
||||||
|
Therefore, we explictly specify a time here, 3 days in this case:
|
||||||
|
|
||||||
|
```Ini
|
||||||
|
bantime = 259200
|
||||||
|
```
|
||||||
|
|
||||||
|
Finally, we need to let F2B know what filter to use when parsing it's own log
|
||||||
|
file. We'll use the *recidive* filter provided by F2B for exactly this purpose.
|
||||||
|
Since we are calling this filter from a jail with a different name (i.e. the
|
||||||
|
jail is not also called 'recidive'), we have to make that clear to the filter.
|
||||||
|
Finally, we also enable the jail.
|
||||||
|
|
||||||
|
```Ini
|
||||||
|
filter = recidive[_jailname="recidivist"]
|
||||||
|
enabled = true
|
||||||
|
```
|
||||||
|
|
||||||
## Final thoughts
|
## Final thoughts
|
||||||
|
|
||||||
Well, that's it. Fail2Ban will now monitor SSH intrusion attempts and will also
|
Well, that's it. Fail2Ban will now monitor SSH intrusion attempts and will also
|
||||||
|
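Review bot: the jail assembled in this hunk never says which ban action or port scope it uses, and that matters more here than in the other jails: a host that earned three bans on ssh should be blocked on all ports for the 3-day bantime, not only on the port of the jail that first banned it. fail2ban's own `[recidive]` jail in jail.conf sets `banaction = %(banaction_allports)s` for exactly this reason; either add the equivalent for the ufw action described earlier in the README or say explicitly that inheriting the default action is intended. Three smaller points: (1) `filter = recidive[_jailname="recidivist"]` is explained only as "making that clear to the filter"; the real reason is that the recidive filter's failregex skips the `Ban` lines written by the jail named in `_jailname`, so if it were left at the stock value, the `[recidivist] Ban ...` lines this jail writes would themselves match and count toward its own `maxretry`; spelling that out would help readers. (2) The bold note about `dbpurgeage` needs checking: this jail takes its history from `/var/log/fail2ban.log` via `logpath`, so it is retention of that log across `findtime` (logrotate) that bounds what the filter can see, while `dbpurgeage` governs how long ban records stay in the sqlite database; reword or verify. (3) The fragments never name the file the jail lives in or show its `[recidivist]` section header, and the added prose has typos: "setup a special jail" -> "set up", "go though" -> "go through", "explictly" -> "explicitly", "it's own log" -> "its own log".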