====== Use Fail2Ban on GNU/Linux to block botnet attacks ======

Synchronet now has built-in support for blocking incoming connections (see [[howto:block-hackers|Blocking "Hackers"]]), but that feature protects SBBS services only (which in most cases is sufficient). If you run other services/daemons on the same server, you can use [[http://fail2ban.org|Fail2Ban]] to block the attacker's IP address at the firewall level, which protects every service on the host and not only SBBS.

You must first configure the sbbs log file as explained here: [[config:nix|UNIX]]

//NOTE: These examples were made on Debian GNU/Linux, but you can adjust and apply them to another distribution such as Ubuntu, Arch, Fedora, etc.//

First step, install the fail2ban package:

<code>
apt-get install fail2ban
</code>

Create the file ''/etc/fail2ban/jail.d/sbbs.conf''. Each jail watches one log file with one filter; once an address produces ''maxretry'' matches within ''findtime'' seconds it is banned for ''bantime'' seconds, and the ''iptables-allports'' action blocks that address on every port, not just the SBBS ones.

<code>
[sbbs-main]
enabled  = true
filter   = sbbs-main
action   = iptables-allports[name=SBBS-main, protocol=all]
logpath  = /var/log/sbbs.log
maxretry = 3
findtime = 21600
bantime  = 21600

[sbbs-ddos]
enabled  = true
filter   = sbbs-ddos
action   = iptables-allports[name=SBBS-ddos, protocol=all]
logpath  = /var/log/sbbs.log
maxretry = 8
findtime = 600
bantime  = 21600

[sbbs-hack]
enabled  = true
filter   = sbbs-hack
action   = iptables-allports[name=SBBS-hack, protocol=all]
logpath  = /sbbs/data/hack.log
maxretry = 3
findtime = 21600
bantime  = 21600

[sbbs-smtp]
enabled  = true
filter   = sbbs-smtp
action   = iptables-allports[name=SBBS-smtp, protocol=all]
logpath  = /var/log/sbbs.log
maxretry = 3
findtime = 21600
bantime  = 21600

[sbbs-spam]
enabled  = true
filter   = sbbs-spam
action   = iptables-allports[name=SBBS-spam, protocol=all]
logpath  = /sbbs/data/spam.log
maxretry = 3
findtime = 21600
bantime  = 21600
</code>

Create the filter file ''/etc/fail2ban/filter.d/sbbs-main.conf''. The ''<HOST>'' tag is the placeholder Fail2Ban replaces with its IP address/hostname pattern; it is how Fail2Ban learns which address to ban, so every failregex needs it.

<code>
[INCLUDES]
before = common.conf

[Definition]
failregex = Bad password from: <HOST>
            Throttling suspicious connection from: <HOST>
ignoreregex =
</code>

Filter for the DDoS jail (''/etc/fail2ban/filter.d/sbbs-ddos.conf''):

<code>
[INCLUDES]
before = common.conf

[Definition]
failregex = !Maximum concurrent connections without login (.*) reached from host: <HOST>
ignoreregex =
</code>

Filter for hack.log (''/etc/fail2ban/filter.d/sbbs-hack.conf''). The entries in this log span several lines, so ''maxlines'' lets the regex match across them:

<code>
[INCLUDES]
before = common.conf

[Init]
maxlines=6

[Definition]
failregex = ^SUSPECTED FTP HACK ATTEMPT from .* on .* \nUsing port .* at .* \[<HOST>\]\nDetails: .* \n
ignoreregex =
</code>

Filter for SMTP (''/etc/fail2ban/filter.d/sbbs-smtp.conf''):

<code>
[INCLUDES]
before = common.conf

[Definition]
failregex = .* !TEMPORARY BAN of .*
            .* SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[<HOST>\]
            ^.*\[<HOST>\].*\!TEMPORARY BAN.*$
ignoreregex =
</code>

Filter for spam (''/etc/fail2ban/filter.d/sbbs-spam.conf''):

<code>
[INCLUDES]
before = common.conf

[Definition]
failregex = SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[<HOST>\]
            Host\: .* \[<HOST>\]
ignoreregex =
</code>

Before enabling a jail you can check that its filter really matches your log with ''fail2ban-regex /var/log/sbbs.log /etc/fail2ban/filter.d/sbbs-main.conf'', which reports how many lines matched and which hosts were extracted.

Reload or restart the service and verify that your jails are loaded:

<code>
# fail2ban-client status
Status
|- Number of jail:	7
`- Jail list:	asterisk, nginx-botsearch, *sbbs-hack, *sbbs-main, *sbbs-smtp, *sbbs-spam, *sbbs-ddos, sshd
</code>

(*) your active sbbs jails

After some time, you can observe via ''iptables'' that several IP addresses have been blocked:

<code>
# iptables -L -n
Chain fail2ban-SBBS-main (1 references)
target     prot opt source               destination
REJECT     all  --  49.64.51.116         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  187.161.208.161      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  190.130.22.81        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  94.123.59.80         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  118.175.228.237      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  220.240.252.176      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  71.248.179.3         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  185.29.71.147        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  201.69.90.121        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  78.186.210.14        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  117.247.90.134       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  37.130.109.12        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  189.110.122.99       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  24.70.18.200         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  112.164.94.30        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  37.109.137.13        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SBBS-ddos (1 references)
target     prot opt source               destination
REJECT     all  --  110.53.221.190       0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
</code>

===== See Also =====

  * [[:howto:|howto index]]

{{tag>linux}}
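To see what the sbbs-main and sbbs-ddos jails above would actually do, here is an added Python example (not part of this page and not fail2ban's own code) that applies those failregex lines to a constructed sbbs.log excerpt and emulates the maxretry/findtime counting. It assumes a simplified IPv4-only stand-in for ''<HOST>'' and syslog-style timestamps; the log lines and addresses are constructed, not captured.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only; an assumption, not fail2ban's code).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex lines from the sbbs-main and sbbs-ddos filters above, plus each jail's maxretry/findtime.
JAILS = {
    "sbbs-main": {"maxretry": 3, "findtime": 21600, "failregex": [
        r"Bad password from: <HOST>",
        r"Throttling suspicious connection from: <HOST>"]},
    "sbbs-ddos": {"maxretry": 8, "findtime": 600, "failregex": [
        r"!Maximum concurrent connections without login (.*) reached from host: <HOST>"]},
}

# Constructed syslog-style sbbs.log excerpt (not a real capture).
SAMPLE_LOG = """\
Jan 05 10:00:01 bbs synchronet: term Node 1 Bad password from: 203.0.113.7
Jan 05 10:00:09 bbs synchronet: term Node 1 Bad password from: 203.0.113.7
Jan 05 10:00:17 bbs synchronet: term Node 2 Throttling suspicious connection from: 203.0.113.7
Jan 05 10:05:00 bbs synchronet: term Node 1 Bad password from: 198.51.100.4
Jan 05 10:10:00 bbs synchronet: term !Maximum concurrent connections without login (10) reached from host: 192.0.2.9
Jan 05 19:30:00 bbs synchronet: term Node 1 Bad password from: 198.51.100.4
Jan 05 19:30:30 bbs synchronet: term Node 1 Bad password from: 198.51.100.4
""".splitlines()

def extract_host(jail, line):
    """Return the host a jail's failregex would extract from one line, or None."""
    for pattern in JAILS[jail]["failregex"]:
        m = re.search(pattern.replace("<HOST>", HOST), line)
        if m:
            return m.group("host")
    return None

def scan(jail, lines=SAMPLE_LOG):
    """Emulate fail2ban's counter: ban a host once it has maxretry matches
    inside a sliding findtime window. Returns the set of hosts that get banned."""
    cfg, window = JAILS[jail], timedelta(seconds=JAILS[jail]["findtime"])
    hits = defaultdict(list)  # host -> timestamps of matches still inside the window
    banned = set()
    for line in lines:
        host = extract_host(jail, line)
        if host is None:
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # year defaults to 1900; deltas still work
        hits[host] = [t for t in hits[host] if ts - t <= window] + [ts]
        if len(hits[host]) >= cfg["maxretry"]:
            banned.add(host)
    return banned
```

Running ''scan("sbbs-main")'' bans only 203.0.113.7: the 198.51.100.4 attempts are spread more than six hours apart, so they never reach three inside one findtime window. Real fail2ban strips the timestamp and applies the common.conf prefix before matching, which this simplified version skips.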