Added section for recidivist jail

This commit is contained in:
Asif Bacchus 2018-09-30 01:44:21 -06:00
parent 57c4524578
commit 8f07b5810a

View File

@ -5,25 +5,26 @@
- [Overview](#overview) - [Overview](#overview)
- [Installing an up-to-date Fail2Ban version](#installing-an-up-to-date-fail2ban-version) - [Installing an up-to-date Fail2Ban version](#installing-an-up-to-date-fail2ban-version)
- [Customizing your set up](#customizing-your-set-up) - [Customizing your set up](#customizing-your-set-up)
- [/etc/fail2ban/fail2ban.conf](#etcfail2banfail2banconf) - [/etc/fail2ban/fail2ban.conf](#etcfail2banfail2banconf)
- [loglevel](#loglevel) - [loglevel](#loglevel)
- [logtarget](#logtarget) - [logtarget](#logtarget)
- [dbpurgeage](#dbpurgeage) - [dbpurgeage](#dbpurgeage)
- [/etc/fail2ban/jail.local](#etcfail2banjaillocal) - [/etc/fail2ban/jail.local](#etcfail2banjaillocal)
- [ignoreip](#ignoreip) - [ignoreip](#ignoreip)
- [Timeframes](#timeframes) - [Timeframes](#timeframes)
- [Actions](#actions) - [Actions](#actions)
- [Notication options](#notication-options) - [Notication options](#notication-options)
- [Shortcuts](#shortcuts) - [Shortcuts](#shortcuts)
- [Jails](#jails) - [Jails](#jails)
- [sshd (/etc/fail2ban/jail.d/ssh.conf)](#sshd-etcfail2banjaildsshconf) - [sshd (/etc/fail2ban/jail.d/ssh.conf)](#sshd-etcfail2banjaildsshconf)
- [UFW port probing](#ufw-port-probing) - [UFW port probing](#ufw-port-probing)
- [Name of the jail](#name-of-the-jail) - [Name of the jail](#name-of-the-jail)
- [Ports and IPs](#ports-and-ips) - [Ports and IPs](#ports-and-ips)
- [Timeframes](#timeframes) - [Timeframes](#timeframes)
- [Jail-specific settings](#jail-specific-settings) - [Jail-specific settings](#jail-specific-settings)
- [The UFW filter regex (/etc/fail2ban/filter.d/ufw-probe.conf)](#the-ufw-filter-regex-etcfail2banfilterdufw-probeconf) - [The UFW filter regex (/etc/fail2ban/filter.d/ufw-probe.conf)](#the-ufw-filter-regex-etcfail2banfilterdufw-probeconf)
- [The action file (/etc/fail2ban/action.d/ufw.conf)](#the-action-file-etcfail2banactiondufwconf) - [The action file (/etc/fail2ban/action.d/ufw.conf)](#the-action-file-etcfail2banactiondufwconf)
- [Repeat offenders](#repeat-offenders)
- [Final thoughts](#final-thoughts) - [Final thoughts](#final-thoughts)
## Overview ## Overview
@ -376,6 +377,62 @@ otherwise defined (i.e. allowed) traffic.
The '*actionunban*' simply deletes the rule to remove the block. The '*actionunban*' simply deletes the rule to remove the block.
## Repeat offenders
In some cases, the same systems will continue probing your system even after
being banned several times. I choose to call these '*recidivists*' and setup a
special jail for them.
The *recidivist jail* scans the *fail2ban* log to search for systems that have
been issued a certain threshold number of bans already. If any are found, they
are issued a longer-term ban. Let's go though the configuration:
The beginning of the file should already be familiar to you along with the fact
that the '*ignoreip*' parameter is optional.
Remember that we are searching for repeat offenders. In other words, they have
already been issued a ban by F2B so their IP will already appear in F2B's log,
which is why we are searching that file.
```Ini
logpath = /var/log/fail2ban.log
```
Timeframes here present a bit of a twist in thinking. In this case,
'*maxretry*' refers to how many previous bans have been issued in '*findtime*'
period.
```Ini
maxretry = 3
findtime = 86400
```
In this example, I'm saying that if a particular host has already been banned 3
times in the last 24 hours (86400 seconds), then they need to be put in this
jail! You should adjust these values to reflect your tolerance levels for
repeat offenders. **Note: The '*dbpurgeage*' you specified in your
*/etc/fail2ban/fail2ban.conf* file must be at least as long as your '*findtime*'
parameter here so there's enough history for F2B to review!**
The entire point of this jail is to levy longer bantimes than ordinary jails
which generally use the default set in '*/etc/fail2ban/jail.conf*'.
Therefore, we explictly specify a time here, 3 days in this case:
```Ini
bantime = 259200
```
Finally, we need to let F2B know what filter to use when parsing it's own log
file. We'll use the *recidive* filter provided by F2B for exactly this purpose.
Since we are calling this filter from a jail with a different name (i.e. the
jail is not also called 'recidive'), we have to make that clear to the filter.
Finally, we also enable the jail.
```Ini
filter = recidive[_jailname="recidivist"]
enabled = true
```
## Final thoughts ## Final thoughts
Well, that's it. Fail2Ban will now monitor SSH intrusion attempts and will also Well, that's it. Fail2Ban will now monitor SSH intrusion attempts and will also