From: Mitch C. <mit...@cl...> - 2013-07-23 01:39:58
I'd like to create a jail with an escalating ban period by IP address. The initial ban would start at N seconds. If the same IP matched that jail within X seconds after the unban, then it would get banned again for Y seconds, etc, etc. Ideally there would be an unlimited number of escalation levels, each defined in the jail parameters. I could live with 3 levels of escalation.

Is there any facility in fail2ban for this?

-- Mitch
From: Yehuda K. <ye...@ym...> - 2013-07-23 02:32:23
Yes. You could set up multiple jails like this: http://stuffphilwrites.com/2013/03/permanently-ban-repeat-offenders-fail2ban/

- Y

On Mon, Jul 22, 2013 at 9:23 PM, Mitch Claborn <mit...@cl...> wrote:
> I'd like to create a jail with an escalating ban period by IP address.
> The initial ban would start at N seconds. If the same IP matched that
> jail within X seconds after the unban, then it would get banned again
> for Y seconds, etc, etc. Ideally there would be an unlimited number of
> escalation levels, each defined in the jail parameters. I could live
> with 3 levels of escalation.
>
> Is there any facility in fail2ban for this?
>
> -- Mitch
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
From: Daniel B. <dan...@in...> - 2013-07-23 03:20:09
On 23/07/13 11:23, Mitch Claborn wrote:
> I'd like to create a jail with an escalating ban period by IP address.
> The initial ban would start at N seconds. If the same IP matched that
> jail within X seconds after the unban, then it would get banned again
> for Y seconds, etc, etc. Ideally there would be an unlimited number of
> escalation levels, each defined in the jail parameters. I could live
> with 3 levels of escalation.
>
> Is there any facility in fail2ban for this?

also see the recidive.conf filter.
From: Amir C. <ce...@3p...> - 2013-07-23 04:24:46
On Jul 22, 2013, at 9:19 PM, Daniel Black <dan...@in...> wrote:
> also see the recidive.conf filter.

I think this method is easier than the one to which Yehuda linked, especially since it is basically built in... and the nice thing is that it bans repeat offenders across ALL jails... that is, if an IP is banned on ssh once, proftp once, and apache once, that counts as three repeat bans for recidive, but the method to which Yehuda linked won't catch it as a repeater.

You could create a "recidive2" filter, which looks for recidive bans in the fail2ban log... so, for example, recidive would ban repeaters for (say) a week, and recidive2 would ban repeat-repeaters for a year (or whatever). You could make as many levels of recidive filters as you wanted, though each would require a separate jail.

Note that ban periods of longer than a month may not be useful depending on the stability of your server... unless it has changed recently, the ban list is lost upon reboot.

Hope this helps.

--- Amir
From: Daniel B. <dan...@in...> - 2013-07-23 07:28:28
On 23/07/13 13:32, Amir Caspi wrote:
> On Jul 22, 2013, at 9:19 PM, Daniel Black <dan...@in...> wrote:
>
>> also see the recidive.conf filter.
>
> I think this method is easier than the one to which Yehuda linked, especially since it is basically built in... and the nice thing is that it bans repeat offenders across ALL jails... that is, if an IP is banned on ssh once, proftp once, and apache once, that counts as three repeat bans for recidive, but the method to which Yehuda linked won't catch it as a repeater.
>
> You could create a "recidive2" filter, which looks for recidive bans in the fail2ban log... so, for example, recidive would ban repeaters for (say) a week, and recidive2 would ban repeat-repeaters for a year (or whatever). You could make as many levels of recidive filters as you wanted, though each would require a separate jail.

I wouldn't do more than one. The recidive looks at the fail2ban and excludes itself. This means that two recidive filters will interfere with each other, though you could add to the ignoreregex I believe to solve this (different jail name).
From: Amir 'C. C. <ce...@3p...> - 2013-07-23 16:48:55
On Tue, July 23, 2013 1:28 am, Daniel Black wrote:
> I wouldn't do more than one. The recidive looks at the fail2ban and
> excludes itself. This means that two recidive filters will interfere
> with each other though you could add to the ignoreregex I believe to
> solve this (different jail name).

Yes, as I mentioned in my prior email, you would have to use a different jail name and modify the failregex and ignoreregex for proper functioning. For example, you could have a "short" recidive filter (basically the usual one), which looks for repeat offenders who hit three times within the last day, and a "long" recidive filter, which looks for those who have hit the recidive ban 3 times in the last 2 months (or whatever)... for this, you'd have the following in your jail.conf:

[recidive-short]

enabled  = true
filter   = recidive-short
action   = iptables-allports[name=RECIDIVE]
           sendmail-whois-lines[name=RECIDIVE, dest=root, sender=fai...@ma..., logpath=/var/log/fail2ban.log]
logpath  = /var/log/fail2ban.log
maxretry = 3
# Find-time: 1 day
findtime = 86400
# Ban-time: 1 week
bantime  = 604800


[recidive-long]

enabled  = true
filter   = recidive-long
action   = iptables-allports[name=RECIDIVELONG]
           sendmail-whois-lines[name=RECIDIVELONG, dest=root, sender=fai...@ma..., logpath=/var/log/fail2ban.log]
logpath  = /var/log/fail2ban.log
maxretry = 3
# Find-time: 60 days
findtime = 5184000
# Ban-time: 1 year
bantime  = 31536000


Then, you have the following two filters in filters.d:

recidive-short.conf (basically a copy of recidive.conf but modified as follows):

[Definition]
# Looks for ANY bans
failregex = fail2ban.actions:\s+WARNING\s+\[(.*)\]\s+Ban\s+<HOST>
# But ignore bans by the recidive jails
ignoreregex = fail2ban.actions:\s+WARNING\s+\[(recidive(.*))\]\s+Ban\s+<HOST>


recidive-long.conf (also a modified version of recidive):

[Definition]
# Look only for bans by the recidive-short jail
failregex = fail2ban.actions:\s+WARNING\s+\[(recidive-short)\]\s+Ban\s+<HOST>
# Ignore self-bans from recidive-long
ignoreregex = fail2ban.actions:\s+WARNING\s+\[(recidive-long)\]\s+Ban\s+<HOST>


This should work for your needs. You can repeat the nesting as much as you like, as long as the filter regexes (both the match and ignore regexes) are appropriately modified.

Cheers.

--- Amir
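As an added illustration (not code from this thread or from the fail2ban project), the following Python script takes the recidive-short and recidive-long failregex/ignoreregex and jail parameters exactly as posted above, applies them to a few constructed fail2ban.log lines, and replays fail2ban's maxretry-within-findtime counting so you can see which level fires on which line and how the ban length escalates. It assumes a simplified IPv4-only pattern in place of fail2ban's real <HOST> substitution, that a line counts only when failregex matches and ignoreregex does not, and that a jail's hit counter resets after it bans; the log lines and the 203.0.113.5 / 198.51.100.9 addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# fail2ban substitutes its own host-matching pattern for <HOST>; this
# IPv4-only pattern is a simplification assumed for the example.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_pattern(regex):
    """Compile a filter regex from the thread, replacing <HOST> as fail2ban does."""
    return re.compile(regex.replace("<HOST>", HOST_PATTERN))


# The two filters and jail parameters exactly as posted in the thread.
FILTERS = {
    "recidive-short": {
        "failregex": compile_pattern(
            r"fail2ban.actions:\s+WARNING\s+\[(.*)\]\s+Ban\s+<HOST>"),
        "ignoreregex": compile_pattern(
            r"fail2ban.actions:\s+WARNING\s+\[(recidive(.*))\]\s+Ban\s+<HOST>"),
        "maxretry": 3, "findtime": 86400, "bantime": 604800,
    },
    "recidive-long": {
        "failregex": compile_pattern(
            r"fail2ban.actions:\s+WARNING\s+\[(recidive-short)\]\s+Ban\s+<HOST>"),
        "ignoreregex": compile_pattern(
            r"fail2ban.actions:\s+WARNING\s+\[(recidive-long)\]\s+Ban\s+<HOST>"),
        "maxretry": 3, "findtime": 5184000, "bantime": 31536000,
    },
}

# Constructed fail2ban.log lines (documentation-range IPs). The lines from
# the recidive jails are the bans the simulation below would itself emit.
SAMPLE_LOG = [
    "2013-07-23 01:00:00,000 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5",
    "2013-07-23 02:00:00,000 fail2ban.actions: WARNING [proftpd] Ban 203.0.113.5",
    "2013-07-23 03:00:00,000 fail2ban.actions: WARNING [apache] Ban 203.0.113.5",
    "2013-07-23 03:00:01,000 fail2ban.actions: WARNING [recidive-short] Ban 203.0.113.5",
    "2013-07-23 04:00:00,000 fail2ban.actions: WARNING [ssh] Ban 198.51.100.9",
    "2013-08-05 10:00:00,000 fail2ban.actions: WARNING [recidive-short] Ban 203.0.113.5",
    "2013-08-20 10:00:00,000 fail2ban.actions: WARNING [recidive-short] Ban 203.0.113.5",
    "2013-08-20 10:00:01,000 fail2ban.actions: WARNING [recidive-long] Ban 203.0.113.5",
]


def parse_ts(line):
    """Epoch seconds from the leading 'YYYY-MM-DD HH:MM:SS' of a fail2ban log line."""
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(
        tzinfo=timezone.utc).timestamp()


def matched_host(filt, line):
    """Host the filter would count for this line, or None.
    As in fail2ban, a line counts only when failregex matches and
    ignoreregex does not."""
    if filt["ignoreregex"].search(line):
        return None
    m = filt["failregex"].search(line)
    return m.group("host") if m else None


def evaluate_jail(name, lines):
    """Replay log lines through one jail's filter and counter.
    Returns (timestamp, host, bantime) for each ban the jail would issue,
    using a sliding findtime window of maxretry hits; the counter is
    reset after a ban (an assumed simplification of fail2ban's behaviour)."""
    filt = FILTERS[name]
    hits = defaultdict(list)
    bans = []
    for line in lines:
        host = matched_host(filt, line)
        if host is None:
            continue
        ts = parse_ts(line)
        window = [t for t in hits[host] if ts - t <= filt["findtime"]]
        window.append(ts)
        if len(window) >= filt["maxretry"]:
            bans.append((ts, host, filt["bantime"]))
            window = []
        hits[host] = window
    return bans


def simulate(lines=SAMPLE_LOG):
    """Run every jail over the same log and return {jail: [bans]}."""
    return {name: evaluate_jail(name, lines) for name in FILTERS}


if __name__ == "__main__":
    for jail, bans in simulate().items():
        for ts, host, bantime in bans:
            when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            print(f"{jail}: ban {host} at {when} for {bantime} s")
```

Running it shows the two levels behaving as the thread intends: the ssh, proftpd and apache bans of 203.0.113.5 within one day earn a one-week recidive-short ban; the recidive-short line itself is ignored by recidive-short (its ignoreregex covers every recidive* jail) but counted by recidive-long, and three such lines within 60 days earn the one-year ban; the recidive-long line is ignored by both. The single ssh ban of 198.51.100.9 never reaches maxretry.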
From: Mitch C. <mit...@cl...> - 2013-07-24 14:36:07
I have version 0.8.6-3wheezy2build0.12.04.1 installed. Will the recidive filter work with that version, or must I install a later version?

Mitch

On 07/23/2013 11:48 AM, Amir 'CG' Caspi wrote:
> On Tue, July 23, 2013 1:28 am, Daniel Black wrote:
>> I wouldn't do more than one. The recidive looks at the fail2ban and
>> excludes itself. This means that two recidive filters will interfere
>> with each other though you could add to the ignoreregex I believe to
>> solve this (different jail name).
>
> Yes, as I mentioned in my prior email, you would have to use a different
> jail name and modify the failregex and ignoreregex for proper functioning.
> For example, you could have a "short" recidive filter (basically the
> usual one), which looks for repeat offenders who hit three times within
> the last day, and a "long" recidive filter, which looks for those who have
> hit the recidive ban 3 times in the last 2 months (or whatever)... for
> this, you'd have the following in your jail.conf:
>
> [recidive-short]
>
> enabled = true
> filter = recidive-short
> action = iptables-allports[name=RECIDIVE]
> sendmail-whois-lines[name=RECIDIVE, dest=root,
> sender=fai...@ma..., logpath=/var/log/fail2ban.log]
> logpath = /var/log/fail2ban.log
> maxretry = 3
> # Find-time: 1 day
> findtime = 86400
> # Ban-time: 1 week
> bantime = 604800
>
>
> [recidive-long]
>
> enabled = true
> filter = recidive-long
> action = iptables-allports[name=RECIDIVELONG]
> sendmail-whois-lines[name=RECIDIVELONG, dest=root,
> sender=fai...@ma..., logpath=/var/log/fail2ban.log]
> logpath = /var/log/fail2ban.log
> maxretry = 3
> # Find-time: 60 days
> findtime = 5184000
> # Ban-time: 1 year
> bantime = 31536000
>
>
> Then, you have the following two filters in filters.d:
>
> recidive-short.conf (basically a copy of recidive.conf but modified as
> follows):
> [Definition]
> # Looks for ANY bans
> failregex = fail2ban.actions:\s+WARNING\s+\[(.*)\]\s+Ban\s+<HOST>
> # But ignore bans by the recidive jails
> ignoreregex = fail2ban.actions:\s+WARNING\s+\[(recidive(.*))\]\s+Ban\s+<HOST>
>
>
> recidive-long.conf (also a modified version of recidive):
> [Definition]
> # Look only for bans by the recidive-short jail
> failregex = fail2ban.actions:\s+WARNING\s+\[(recidive-short)\]\s+Ban\s+<HOST>
> # Ignore self-bans from recidive-long
> ignoreregex = fail2ban.actions:\s+WARNING\s+\[(recidive-long)\]\s+Ban\s+<HOST>
>
>
> This should work for your needs. You can repeat the nesting as much as
> you like, as long as the filter regexes (both the match and ignore
> regexes) are appropriately modified.
>
> Cheers.
>
> --- Amir
From: Amir 'C. C. <ce...@3p...> - 2013-07-24 15:13:39
At 9:35 AM -0500 07/24/2013, Mitch Claborn wrote:
> I have version 0.8.6-3wheezy2build0.12.04.1 installed. Will the recidive
> filter work with that version, or must I install a later version?

I don't know if recidive is distributed in the 0.8.6 package, but if not, you can certainly create it yourself (with the info I've provided in the previous email, which is basically all you need). It will work just fine with pretty much any version of fail2ban, as long as fail2ban is set to log its actions.

Note that my examples assume fail2ban is logging to its own log... if fail2ban is logging to syslog or somewhere else, instead of its own log, you'll need to change the info in jail.conf appropriately (to have the recidive filters looking wherever fail2ban is logging).

Hope this helps.

--- Amir