Talk:Fail2ban

From SME Server

Proposed addition to "user contributions" section

Mmccarn (talk) 04:43, 19 August 2017 (CEST)

Note: these procedures get the files installed and allow fail2ban and fail2ban-subnets to run without any errors, but I don't know if fail2ban is actually working after making these changes...

Ban offending subnets

Holck found a reference to an add-on for fail2ban that bans subnets with repeated offences from multiple IPs.

"fail2ban-subnets aims to provide a way to ban subnets of IPs repeatingly banned by fail2ban for multiple offenses."

Prerequisites

Installation

mkdir -p ~/addons
cd ~/addons
git clone https://github.com/XaF/fail2ban-subnets.git
# mkdir -p /etc/fail2ban/action.d.local /etc/fail2ban/filter.d.local
cp ~/addons/fail2ban-subnets/action.d.local/iptables-subnet.conf /etc/fail2ban/action.d/iptables-subnet.local
cp ~/addons/fail2ban-subnets/filter.d.local/subnets.conf /etc/fail2ban/filter.d/subnets.local
cat ~/addons/fail2ban-subnets/jail.local >> /etc/fail2ban/jail.local
service fail2ban restart

Test

cd ~/addons/fail2ban-subnets
perl fail2ban-subnets.py

Activate hourly updates

cp ~/addons/fail2ban-subnets/fail2ban-subnets.py /etc/cron.hourly

Remove

# remove the custom action and filter
'rm' /etc/fail2ban/action.d/iptables-subnet.local
'rm' /etc/fail2ban/filter.d/subnets.local
#
# if you have other fail2ban custom jails you may need to edit /etc/fail2ban/jail.local
# otherwise, you can remove the entire file using
#
'rm' /etc/fail2ban/jail.local
#
# remove the hourly cron job
'rm' /etc/cron.hourly/fail2ban-subnets.py
#
# restart fail2ban
signal-event fail2ban-conf
service fail2ban restart
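
The quoted description of fail2ban-subnets above (ban a subnet once several of its IPs have been banned) can be illustrated as follows. This is an added example, not part of the original post and not the add-on's own code; the log lines are constructed, and the /24 prefix and three-address threshold are assumptions chosen for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the fail2ban.log "Ban" line style (documentation address ranges).
SAMPLE_LOG = """\
2017-08-19 04:10:02,311 fail2ban.actions [1201]: NOTICE [sshd] Ban 198.51.100.7
2017-08-19 04:12:40,118 fail2ban.actions [1201]: NOTICE [sshd] Ban 198.51.100.23
2017-08-19 04:15:09,540 fail2ban.actions [1201]: NOTICE [dovecot] Ban 198.51.100.200
2017-08-19 04:16:00,002 fail2ban.actions [1201]: NOTICE [sshd] Unban 198.51.100.7
2017-08-19 04:20:31,777 fail2ban.actions [1201]: NOTICE [sshd] Ban 198.51.100.7
2017-08-19 04:31:12,904 fail2ban.actions [1201]: NOTICE [sshd] Ban 203.0.113.5
2017-08-19 04:40:55,010 fail2ban.actions [1201]: NOTICE [sshd] Ban 203.0.113.5
2017-08-19 04:41:00,000 fail2ban.actions [1201]: NOTICE [sshd] Ban not-an-ip
"""

# Matches "[jail] Ban <address>" at the end of a line; "Unban" lines do not match.
BAN_RE = re.compile(r"\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)\s*$")


def subnets_to_ban(log_text, prefix=24, min_ips=3):
    """Map each IPv4 subnet to its banned addresses when at least
    min_ips distinct addresses inside it were banned (assumed threshold)."""
    offenders = defaultdict(set)
    for line in log_text.splitlines():
        match = BAN_RE.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            continue  # hostnames, CIDR entries or garbage in the address field
        if ip.version != 4:
            continue
        # Repeat bans of one address add nothing: the set keeps distinct IPs only.
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        offenders[net].add(ip)
    return {
        str(net): [str(ip) for ip in sorted(ips)]
        for net, ips in offenders.items()
        if len(ips) >= min_ips
    }


if __name__ == "__main__":
    for net, ips in subnets_to_ban(SAMPLE_LOG).items():
        print(f"{net}: {len(ips)} distinct banned IPs -> {', '.join(ips)}")
```

Counting distinct addresses rather than ban events keeps a single host that is banned repeatedly (203.0.113.5 in the sample) from getting its whole subnet blocked.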


Proposed update for the checklist_ban script

Mmccarn (talk) 14:54, 7 May 2017 (CEST)

#!/bin/bash
# run the script with sudo
echo -e "Jail            failed / banned"

# jail names come from the "Jail list:" line of the overall status, with commas stripped
JAILS=$(fail2ban-client status | grep " Jail list:" | sed 's/`- Jail list://g' | sed 's/,//g')
for j in $JAILS
do
    # pad the jail name so it fills a fixed-width column
    jail="$j                    "
    # keep only the count that follows each label
    failed=$(fail2ban-client status "$j" | grep " Currently failed:" | sed 's/[^0-9]*//')
    banned=$(fail2ban-client status "$j" | grep " Currently banned:" | sed 's/[^0-9]*//')
    echo -e "${jail:0:20} $failed / $banned"
done


Fine. Usually I'm told to put forum stuff into the wiki. Bound to happen the other way around. Have appended to the thread that 'tried' to point to the unwanted piece in the wiki.


@Piran: don't take comments personally too quickly. HFW just pointed out that to keep the wiki readable it needs some style (see: Wiki Manual of Style). I've added the most important parts to the page, the rest I would keep as your personal notes.