From: <tk...@em...> - 2014-04-21 08:37:33
I created a jail for CBLOCKs and although the regex test passes, not all IPs are added to the CHAIN. Here are the details.

Created a filter /etc/fail2ban/filter.d/ip-blacklist.conf:

# Fail2Ban Configuration File
#
# ip-blacklist.conf
#
# Author: Tom Keyser
# Revision: 2014-04-19
#
# Use this to read ip.blacklist and handle the CBLOCKs
#
# this is the format of the records in ip.blacklist
#dd-mm-yyyy 00:00:01 - xxx.xxx.xxx.0 # comment why its blocked <- record format
#16-04-2014 00:00:01 - 5.10.83.0 # static.reverse.softlayer.com
#16-04-2014 00:00:01 - 180.76.6.0 # baiduspider

[Definition]

failregex = ^ - <HOST>.*$

ignoreregex =

Also created an action definition to block all /24, /etc/fail2ban/action.d/iptables-allports24.conf:

[INCLUDES]

before = iptables-blocktype.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip>/24 -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip>/24 -j <blocktype>

[Init]

# Default name of the chain
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

Here is the jail defined:

[blacklist24]
#blacklist all ports, all protocols, for entire CBLOCK
enabled = true
filter = ip-blacklist
action = iptables-allports24[name=BLACKLIST24, protocol=all]
# this file holds all the CBLOCKS we want to block
logpath = /etc/fail2ban/ip.blacklist.v2
maxretry = 0
# find also slow bots that try to hide in the log files
findtime = 432000
# forever
bantime = -1

Here is the file to filter, /etc/fail2ban/ip.blacklist.v2:

dd-mm-yyyy 00:00:01 - xxx.xxx.xxx.0 # comment why its blocked <- record format
16-04-2014 00:00:01 - 5.10.83.0 # AhrefsBot
16-04-2014 00:00:01 - 180.76.6.0 # baiduspider
16-04-2014 00:00:01 - 180.76.5.0 # baiduspider
16-04-2014 00:00:01 - 183.207.228.0 # china
16-04-2014 00:00:01 - 123.125.71.0 # baiduspider
18-04-2014 00:00:01 - 220.181.108.0 # baiduspider
18-04-2014 00:00:01 - 119.63.196.0 # Baiduspider-image+
19-04-2014 00:00:01 - 116.10.191.0 # china - ssh brute force attempts
20-04-2014 00:24:01 - 123.125.68.0 # baiduspider
20-04-2014 17:21:01 - 64.94.179.0 # lots of portscans from this block so lets make the block perm
20-04-2014 21:02:01 - 69.25.172.0 # lots of portscans from this block so lets make the block perm

Here are the results of the regex test:

fail2ban-regex -v /etc/fail2ban/ip.blacklist.v2 /etc/fail2ban/filter.d/ip-blacklist.conf

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/ip-blacklist.conf
Use         log file : /etc/fail2ban/ip.blacklist.v2


Results
=======

Failregex: 11 total
|-  #) [# of hits] regular expression
|   1) [11] ^ - <HOST>.*$
|      5.10.83.0  Wed Apr 16 00:00:01 2014
|      180.76.6.0  Wed Apr 16 00:00:01 2014
|      180.76.5.0  Wed Apr 16 00:00:01 2014
|      183.207.228.0  Wed Apr 16 00:00:01 2014
|      123.125.71.0  Wed Apr 16 00:00:01 2014
|      220.181.108.0  Fri Apr 18 00:00:01 2014
|      119.63.196.0  Fri Apr 18 00:00:01 2014
|      116.10.191.0  Sat Apr 19 00:00:01 2014
|      123.125.68.0  Sun Apr 20 00:24:01 2014
|      64.94.179.0  Sun Apr 20 17:21:01 2014
|      69.25.172.0  Sun Apr 20 21:02:01 2014
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [11] Day-Month-Year Hour:Minute:Second
|  [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
|  [0] WEEKDAY MONTH Day Hour:Minute:Second Year
|  [0] WEEKDAY MONTH Day Hour:Minute:Second
|  [0] MONTH Day Hour:Minute:Second
|  [0] Year/Month/Day Hour:Minute:Second
|  [0] Day/Month/Year Hour:Minute:Second
|  [0] Day/Month/Year2 Hour:Minute:Second
|  [0] Day/MONTH/Year:Hour:Minute:Second
|  [0] Month/Day/Year:Hour:Minute:Second
|  [0] Year-Month-Day Hour:Minute:Second
|  [0] Year.Month.Day Hour:Minute:Second
|  [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
|  [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
|  [0] TAI64N
|  [0] Epoch
|  [0] ISO 8601
|  [0] Hour:Minute:Second
|  [0] <Month/Day/Year@Hour:Minute:Second>
|  [0] YearMonthDay Hour:Minute:Second
|  [0] Month-Day-Year Hour:Minute:Second
`-

Lines: 12 lines, 0 ignored, 11 matched, 1 missed
|- Missed line(s):
|  dd-mm-yyyy 00:00:01 - xxx.xxx.xxx.0 # comment why its blocked <- record format
`-

Here is what ends up in the iptables CHAIN:

Chain fail2ban-BLACKLIST24 (1 references)
target     prot opt source               destination
REJECT     all  --  64.94.179.0/24       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  69.25.172.0/24       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  220.181.108.0/24     anywhere             reject-with icmp-port-unreachable
REJECT     all  --  116.10.191.0/24      anywhere             reject-with icmp-port-unreachable
REJECT     all  --  123.125.68.0/24      anywhere             reject-with icmp-port-unreachable
REJECT     all  --  119.63.196.0/24      anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

I'm puzzled why only 6 of the 11 IP blocks show up in the CHAIN?? Any assistance would be helpful. Thanks in advance.
From: <tk...@em...> - 2014-04-22 01:12:29
Found the solution to my problem. Findtime was too short. I set it to one year and it put all the IP blocks in the chain. It's not really a solution since in one year it will be skipping them again. How do I suggest a feature to have findtime -1, like bantime?
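As an added illustration (not part of the thread), here is a small Python simulation of why the 16-04-2014 entries never reached the chain: fail2ban discards a failregex match whose timestamp is older than findtime before it reaches the fail counter, so a static blacklist with fixed dates ages out of the window. It assumes the "Day-Month-Year Hour:Minute:Second" date template and the "^ - <HOST>.*$" failregex reported by fail2ban-regex above, and takes "now" as the time of the original post.

```python
import re
from datetime import datetime, timedelta

# Constructed subset of the thread's ip.blacklist.v2 (same record format).
BLACKLIST = """\
dd-mm-yyyy 00:00:01 - xxx.xxx.xxx.0 # comment why its blocked
16-04-2014 00:00:01 - 5.10.83.0 # AhrefsBot
16-04-2014 00:00:01 - 180.76.6.0 # baiduspider
18-04-2014 00:00:01 - 220.181.108.0 # baiduspider
19-04-2014 00:00:01 - 116.10.191.0 # china - ssh brute force attempts
20-04-2014 17:21:01 - 64.94.179.0 # lots of portscans from this block
"""

# Time of the original post, used as fail2ban's "now" in this simulation.
POST_TIME = datetime(2014, 4, 21, 8, 37, 33)

# "Day-Month-Year Hour:Minute:Second" date template as reported by the test,
# followed by the jail's failregex "^ - <HOST>.*$" with <HOST> as an IPv4.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) - "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}).*$"
)

def parse(lines):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # the 'dd-mm-yyyy' template line: missed, as in the test
        ts = datetime.strptime(m.group("ts"), "%d-%m-%Y %H:%M:%S")
        yield ts, m.group("host")

def banned_hosts(lines, now, findtime):
    """Hosts with a match inside [now - findtime, now]. fail2ban drops older
    matches before counting them, so with maxretry = 0 only these get banned."""
    start = now - timedelta(seconds=findtime)
    return sorted({h for ts, h in parse(lines) if start <= ts <= now})

def skipped_hosts(lines, now, findtime):
    """Hosts the regex matches but whose timestamp is older than findtime."""
    every = {h for _, h in parse(lines)}
    return sorted(every - set(banned_hosts(lines, now, findtime)))

if __name__ == "__main__":
    # findtime = 432000 is 5 days: the 16-04 records fall outside the window.
    print("findtime=432000 bans:  ", banned_hosts(BLACKLIST, POST_TIME, 432000))
    print("findtime=432000 skips: ", skipped_hosts(BLACKLIST, POST_TIME, 432000))
    print("findtime=1 year bans:  ", banned_hosts(BLACKLIST, POST_TIME, 365 * 86400))
```

Raising findtime to a year only widens the window; once the file's dates are older than that, the same entries drop out again, which is the limitation the reply above describes.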