software:fail2ban:blacklist
Differences
This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
software:fail2ban:blacklist [2019/08/13 01:44] – created rodolico | software:fail2ban:blacklist [2019/08/17 20:21] (current) – rodolico | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Blacklist IP's from a file ====== | ====== Blacklist IP's from a file ====== | ||
- | fail2ban is designed to dynamically watch logs and ban/unban IP's with bad reputations. However, with a little sneakiness, it can be abused to also load a list of permenantly | + | fail2ban is designed to dynamically watch logs and ban/unban IP's with bad reputations. However, with a little sneakiness, it can be abused to also load a list of permanently |
- | First, we need to create an action, a file to be placed in action.d. I named it blacklistip.conf, | + | Basically, we create a custom action which creates its own chain (under fail2ban' |
+ | |||
+ | We'll create three files, and add a block to jail.local | ||
+ | - list of IP's or subnets, one entry per line | ||
+ | - action file to be stored in actions.d/ | ||
+ | - dummy filter file to be stored in filters.d/ | ||
+ | - modify jail.local | ||
+ | |||
+ | ===== Blacklist File ===== | ||
+ | |||
+ | This is a basic text file with one IP or subnet per line. I store mine in / | ||
+ | |||
+ | <file text ip.blacklist> | ||
+ | 172.104.94.112 | ||
+ | 190.40.235.20 | ||
+ | 190.4.51.122 | ||
+ | 210.186.135.78 | ||
+ | 39.45.148.16 | ||
+ | 193.93.16.14 | ||
+ | 93.174.93.0/ | ||
+ | </ | ||
+ | |||
+ | ===== Action file ===== | ||
+ | Now, we need to create an action, a file to be placed in action.d. I named it blacklistip.conf, | ||
<code conf action.d/ | <code conf action.d/ | ||
Line 38: | Line 61: | ||
# taken directly from the multiport ban script, with the last line | # taken directly from the multiport ban script, with the last line | ||
# inserted to load the IP file | # inserted to load the IP file | ||
+ | # creates a chain, then loads all the IP's into it | ||
actionstart = < | actionstart = < | ||
< | < | ||
Line 45: | Line 69: | ||
# these actions are taken when fail2ban is shut down | # these actions are taken when fail2ban is shut down | ||
- | # | + | # basically, destroys the chain |
actionstop = < | actionstop = < | ||
< | < | ||
Line 58: | Line 82: | ||
</ | </ | ||
- | Now, | + | ===== Filter ===== |
+ | |||
+ | Now, we need a filter, because we are abusing fail2ban. fail2ban assumes you're going to be parsing a log file to find bad guys attacking you, but we already know who we want to block. So, we create a dummy and store it in filter.d/ | ||
+ | |||
+ | < | ||
+ | |||
+ | to our jail if we do. This is simpler. | ||
<file conf filter.d/ | <file conf filter.d/ | ||
Line 78: | Line 108: | ||
</ | </ | ||
- | Finally, add the following block to jail.local | + | ===== Modify jail.local ===== |
+ | |||
+ | jail.local (in the root of the fail2ban configuration directory) is the place to make local modifications. So, we need to add the following block to it. This basically defines a jail named // | ||
+ | |||
+ | The action is specifically defined to be blacklistip (ie, action.d/ | ||
<code conf> | <code conf> | ||
[blacklistip] | [blacklistip] | ||
enabled = true | enabled = true | ||
+ | bantime = -1 | ||
action = blacklistip[name=blacklistip, | action = blacklistip[name=blacklistip, | ||
</ | </ | ||
+ | |||
+ | ===== Test it ===== | ||
+ | |||
+ | Restart fail2ban, then run the following command as root. | ||
+ | |||
+ | <code bash> | ||
+ | |||
+ | You should see a list of all the banned IP's, with an action of drop. And, when you stop fail2ban, it will clean them up also. | ||
+ | |||
+ | ===== Convenience Script ===== | ||
+ | |||
+ | As it stands, to add a new IP to the blacklist, you must add it to the blacklist IP file, then restart fail2ban. A better option is to use fail2ban-client, | ||
+ | - Add IP to the blacklist file | ||
+ | - blacklist the IP vai fail2ban-client while the system is running | ||
+ | |||
+ | <code perl blacklistIP> | ||
+ | #! / | ||
+ | |||
+ | use strict; | ||
+ | use warnings; | ||
+ | |||
+ | my $IP = shift; | ||
+ | my $JAIL=' | ||
+ | my $BLACKLIST='/ | ||
+ | my $FAIL2BAN_CLIENT = '/ | ||
+ | |||
+ | |||
+ | |||
+ | if ( $IP && $IP =~ m/ | ||
+ | open BANNED, ">> | ||
+ | print BANNED " | ||
+ | close BANNED; | ||
+ | | ||
+ | } else { | ||
+ | print " | ||
+ | } | ||
+ | |||
+ | 1; | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== Deficiencies ===== | ||
+ | |||
+ | * Actually, this should be done on the router, since it will use some memory and processor on your server. Also, there is no way to dynamically add/remove IP's. You must modify the file, then restart fail2ban. | ||
+ | * The blacklist file should really have a date/time stamp on each entry so you can clean it up based on how long ago something was added. I have stuff in my blacklist file from several years ago, and they have probably been cleaned up since. This could be done by adding a delimiter (colons are common) to separate it into fields. I may do that soon. | ||
+ | * It would be nice to have an optional comment also. | ||
+ | * It would be nice to be able to do something like " | ||
+ | |||
+ | ===== Links ===== | ||
+ | |||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | |||
+ |
software/fail2ban/blacklist.txt · Last modified: 2019/08/17 20:21 by rodolico