Configure Fail2Ban for permanent and persistent bans

If you’re running server, you probably know its exposed services are constantly being probed and attacks are being attempted against it. Fortunately, an extremely useful, nice and nifty tool is here to help: Fail2Ban.

Fail2Ban scans service’s log files for patterns defined as regular expressions and, if an offending pattern is found a certain number of times within a given time frame, the corresponding source IP is banned for a configurable time, using local firewall rules such as iptables.

In this article I will show you how to add two simple lines in Fail2Ban configuration file in order to add persistency across restart.

In a typical installation, Fail2ban configuration files are stored in the /etc/fail2ban/ directory. There’s only two files that needs slight modifications:

  • jail.conf : it’s the main file defining default options and behavior for so called jails, that is for each service monitored, the definition of log file, detection patterns (filters), actions, timers (findtime, max retry, bantime).
  • action.d/iptables-multiport.conf : iptables-multiport is the default action performed by Fail2Ban when an IP is to be banned (or jailed), as defined in the jail.conf configuration file. If you’ve changed the default action, then you’ll have to modify the corresponding action file accordingly.

Configure permanent bans

This is the easiest part. Ban time can be set either globally (ie: for all jails), or per jail. It is controlled through the ‘bantime‘ parameter which defines the number of seconds an IP is banned.

To set a permanent ban, simply set the bantime parameter to a value of -1. Edit the jail.conf file, comment out the existing ‘bantime’ line, and set a new bantime to -1 :

# "bantime" is the number of seconds that a host is banned.
# bantime  = 600
 
# Permanent ban
bantime = -1

Configure persistent bans

In order for bans to persist across a service restart, they obviously have to be saved somewhere. No fancy database required, a simple text file will do the trick.

The principle is simple: every time Fail2Ban sets a new ban on an IP, we’ll save the information « jail name and IP address » in a file along the way. Next, upon each Fail2Ban service start, we’ll load this file a re-create the corresponding bans. All it takes is two lines in the right configuration file.

Each ban action is defined in a corresponding configuration file. Within this file, there’s two parameters we’re interested in:

  1. actionstart : here we can define a list of commands that will be executed only once at the start of Fail2Ban. So we’ll add a custom command loading the file /etc/fail2ban/persistent.bans and re-create the corresponding iptables entries.
  2. actionban : here we can defined a list of commands that will be executed when banning an IP. So we’ll add a custom command to save the useful information to the file /etc/fail2ban/persistent.bans.

The default action in Fail2Ban is iptables-multiport (as defined in the file jail.conf), so we have to edit the action.d/iptables-multiport.conf file and add the following highlighted lines:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
              cat /etc/fail2ban/persistent.bans | awk '/^f2b-<name>/ {print $2}' | while read IP; do iptables -I f2b-<name> 1 -s $IP -j <blocktype>; done

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
<iptables> -F f2b-<name>
<iptables> -X f2b-<name>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
            echo "f2b-<name> <ip>" >> /etc/fail2ban/persistent.bans

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]

Leave a Reply

Your email address will not be published. Required fields are marked *

20 + = 26