Added section for recidivist jail
This commit is contained in:
parent
57c4524578
commit
8f07b5810a
57
README.md
@ -24,6 +24,7 @@
- [Jail-specific settings](#jail-specific-settings)
- [The UFW filter regex (/etc/fail2ban/filter.d/ufw-probe.conf)](#the-ufw-filter-regex-etcfail2banfilterdufw-probeconf)
- [The action file (/etc/fail2ban/action.d/ufw.conf)](#the-action-file-etcfail2banactiondufwconf)
- [Repeat offenders](#repeat-offenders)
- [Final thoughts](#final-thoughts)

## Overview
@ -376,6 +377,62 @@ otherwise defined (i.e. allowed) traffic.

The '*actionunban*' simply deletes the rule to remove the block.

## Repeat offenders

In some cases, the same systems will continue probing your system even after
being banned several times. I choose to call these '*recidivists*' and setup a
special jail for them.

The *recidivist jail* scans the *fail2ban* log to search for systems that have
been issued a certain threshold number of bans already. If any are found, they
are issued a longer-term ban. Let's go though the configuration:

The beginning of the file should already be familiar to you along with the fact
that the '*ignoreip*' parameter is optional.

Remember that we are searching for repeat offenders. In other words, they have
already been issued a ban by F2B so their IP will already appear in F2B's log,
which is why we are searching that file.

```Ini
logpath = /var/log/fail2ban.log
```

Timeframes here present a bit of a twist in thinking. In this case,
'*maxretry*' refers to how many previous bans have been issued in '*findtime*'
period.

```Ini
maxretry = 3
findtime = 86400
```

In this example, I'm saying that if a particular host has already been banned 3
times in the last 24 hours (86400 seconds), then they need to be put in this
jail! You should adjust these values to reflect your tolerance levels for
repeat offenders. **Note: The '*dbpurgeage*' you specified in your
*/etc/fail2ban/fail2ban.conf* file must be at least as long as your '*findtime*'
parameter here so there's enough history for F2B to review!**

The entire point of this jail is to levy longer bantimes than ordinary jails
which generally use the default set in '*/etc/fail2ban/jail.conf*'.
Therefore, we explictly specify a time here, 3 days in this case:

```Ini
bantime = 259200
```

Finally, we need to let F2B know what filter to use when parsing it's own log
file. We'll use the *recidive* filter provided by F2B for exactly this purpose.
Since we are calling this filter from a jail with a different name (i.e. the
jail is not also called 'recidive'), we have to make that clear to the filter.
Finally, we also enable the jail.

```Ini
filter = recidive[_jailname="recidivist"]
enabled = true
```

## Final thoughts

Well, that's it. Fail2Ban will now monitor SSH intrusion attempts and will also
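Review bot: the new "Repeat offenders" section presents the jail as loose fragments (`logpath`, then `maxretry`/`findtime`, then `bantime`, then `filter`/`enabled`) but never shows the `[recidivist]` section header, names the file the lines go in, or gives the jail's `action`/`port` settings, so a reader cannot assemble a working jail from it; consider adding the complete `[recidivist]` block once after the walkthrough. The sentence about `_jailname` would also be clearer if it said why the name matters: the stock `recidive` filter uses `_jailname` to exclude that jail's own "Ban" lines from the count, so a mismatched name would let the recidivist jail count its own bans as new offences. Minor wording: "go though" should be "go through", "explictly" should be "explicitly", "it's own log file" should be "its own log file", and the last paragraph opens two sentences with "Finally".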