Scratch pad with conf files to configure Fail2ban on Debian 9
This setup will configure Fail2ban to monitor SSH and keep track of the bad guys. Every time an IP gets banned, it will be stored in
/etc/fail2ban/ip.blacklist .
This files gets processed every time Fail2ban restarts.
A cron will sanitise the file daily.
HOW TO
1) Create a custom action file: /etc/fail2ban/action.d/iptables-allports-CUSTOM.conf
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 |
# Fail2Ban configuration file [INCLUDES] before = iptables-common.confhttps://docs.google.com/document/d/1DjP5z7tvkaMWJMZXVAnMOCgfynfQNHvRkqJyxQdEB84/edit?usp=sharing [Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = <iptables> -N f2b-<name> <iptables> -A f2b-<name> -j <returntype> <iptables> -I <chain> -p <protocol> -j f2b-<name> # Persistent banning of IPs cat /etc/fail2ban/ip.blacklist | grep -v ^\s*#|awk '{print $1}' | while read IP; do <iptables> -I f2b-<name> 1 -s $IP -j DROP; done # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name> <iptables> -F f2b-<name> <iptables> -X f2b-<name> # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype> # Persistent banning of IPs echo '<ip>' >> /etc/fail2ban/ip.blacklist # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype> [Init] |
2) Create /etc/fail2ban/jail.local
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
# Fail2Ban custom configuration file. [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host ignoreip = 127.0.0.1 192.168.1.0/24 192.168.2.0/24 # Ban forever => -1 #bantime=-1 # Ban 3 days => 259200 bantime = 259200 # A host is banned if it has generated "maxretry" during the last "findtime" seconds. findtime = 30 banaction = iptables-allports-CUSTOM [sshd] enabled = true filter = sshd logfile = /var/log/auth.log maxretry = 3 |
3) Remove the default debian jail configuration (is integrated in the above custom jail.local file):
|
1 |
rm -f /etc/fail2ban/jail.d/defaults-debian.conf |
4) Set this cron:
|
1 2 |
# Daily rotate of ip.blacklist 0 20 * * * tail -100 /etc/fail2ban/ip.blacklist | sort | uniq > /tmp/ip.blacklist ; cat /tmp/ip.blacklist > /etc/fail2ban/ip.blacklist ; rm -f /tmp/ip.blacklist > /dev/null 2>&1 |
5) Run the cron manually once, just to be sure all works AND to have an empty file
6) Restart Fail2ban … and good luck 😉