Use Fail2Ban on GNU/Linux to block botnet attacks

Synchronet now has built-in support for blocking incoming connections (see Blocking "Hackers"), but that feature protects SBBS services only (which in most cases is sufficient).

If you run other services/daemons on the same server, you can use Fail2Ban to block the attacker's IP address at the firewall level, so the ban covers every service on the host and not just SBBS.

You must first configure the sbbs log file as explained here: UNIX

NOTE: These examples were made on Debian GNU/Linux, but you can adjust them for other distributions such as Ubuntu, Arch, Fedora, etc.

First step, install the fail2ban package:

apt-get install fail2ban

Create the jail file /etc/fail2ban/jail.d/sbbs.conf (one jail per filter; maxretry failures within findtime seconds trigger a ban of bantime seconds):

[sbbs-main]
enabled  = true
filter   = sbbs-main
action   = iptables-allports[name=SBBS-main, protocol=all]
logpath  = /var/log/sbbs.log
maxretry = 3
findtime = 21600
bantime  = 21600

[sbbs-ddos]
enabled  = true
filter   = sbbs-ddos
action   = iptables-allports[name=SBBS-ddos, protocol=all]
logpath  = /var/log/sbbs.log
maxretry = 8
findtime = 600
bantime  = 21600

[sbbs-hack]
enabled  = true
filter   = sbbs-hack
action   = iptables-allports[name=SBBS-hack, protocol=all]
logpath  = /sbbs/data/hack.log
maxretry = 3
findtime = 21600
bantime  = 21600

[sbbs-smtp]
enabled  = true
filter   = sbbs-smtp
action   = iptables-allports[name=SBBS-smtp, protocol=all]
logpath  = /var/log/sbbs.log
maxretry = 3
findtime = 21600
bantime  = 21600

[sbbs-spam]
enabled  = true
filter   = sbbs-spam
action   = iptables-allports[name=SBBS-spam, protocol=all]
logpath  = /sbbs/data/spam.log
maxretry = 3
findtime = 21600
bantime  = 21600

Create the filter file /etc/fail2ban/filter.d/sbbs-main.conf (each failregex line is one pattern; <HOST> is the placeholder fail2ban replaces with the address to ban):

[INCLUDES]
before = common.conf

[Definition]
failregex = Bad password from: <HOST>
            Throttling suspicious connection from: <HOST>
ignoreregex =

Filter for ddos (/etc/fail2ban/filter.d/sbbs-ddos.conf):

[INCLUDES]
before = common.conf

[Definition]
failregex = !Maximum concurrent connections without login (.*) reached from host: <HOST>
ignoreregex =

Filter for hack.log (/etc/fail2ban/filter.d/sbbs-hack.conf); this log records one event across several lines, hence maxlines in [Init]:

[INCLUDES]
before = common.conf

[Init]
maxlines=6

[Definition]
failregex = ^SUSPECTED FTP HACK ATTEMPT from .* on .* \nUsing port .* at .* \[<HOST>\]\nDetails: .* \n
ignoreregex =

Filter for smtp (/etc/fail2ban/filter.d/sbbs-smtp.conf):

[INCLUDES]
before = common.conf

[Definition]
failregex = .* !TEMPORARY BAN of .* <HOST> .*
            SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[<HOST>\]
            ^.*\[<HOST>\].*\!TEMPORARY BAN.*$
ignoreregex =

Filter for spam (/etc/fail2ban/filter.d/sbbs-spam.conf):

[INCLUDES]
before = common.conf

[Definition]
failregex = SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[<HOST>\]
            Host\: .* \[<HOST>\]
ignoreregex =
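Before reloading fail2ban it is worth checking that the failregex patterns actually match your log lines and that the maxretry/findtime pair bans who you expect. The script below is an added example, not part of this wiki page or of fail2ban itself: it takes the sbbs-main and sbbs-ddos failregex lines exactly as written above, substitutes <HOST> the way fail2ban does, and replays them over a few constructed syslog-style lines (the addresses 203.0.113.7, 198.51.100.4 and 192.0.2.9 are documentation ranges, and the line prefix "bbs synchronet: term Node N" is an assumption about your syslog layout). It then applies the sbbs-main jail settings (maxretry = 3, findtime = 21600) to show which host would be banned and when.

```python
import re
from datetime import datetime, timedelta

# failregex lines copied from the sbbs-main and sbbs-ddos filters above
SBBS_MAIN_FAILREGEX = [
    r"Bad password from: <HOST>",
    r"Throttling suspicious connection from: <HOST>",
]
SBBS_DDOS_FAILREGEX = [
    r"!Maximum concurrent connections without login (.*) reached from host: <HOST>",
]

# What fail2ban substitutes for <HOST>: an IPv4/IPv6 address or a hostname.
# Simplified here; fail2ban's real pattern is more elaborate.
HOST_PATTERN = r"(?P<host>[A-Fa-f0-9.:]+|[\w.-]+)"

# Leading syslog timestamp, e.g. "Jul 25 10:00:01 "
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample log lines (not real sbbs.log output); the host/program
# prefix "bbs synchronet: term Node N" is an assumption about your syslog layout.
SAMPLE_LOG = [
    "Jul 25 10:00:01 bbs synchronet: term Node 1 Bad password from: 203.0.113.7",
    "Jul 25 10:00:05 bbs synchronet: term Node 1 Bad password from: 203.0.113.7",
    "Jul 25 10:00:09 bbs synchronet: term Node 2 Throttling suspicious connection from: 203.0.113.7",
    "Jul 25 10:01:00 bbs synchronet: term Node 1 Bad password from: 198.51.100.4",
    "Jul 25 10:02:00 bbs synchronet: term Node 1 Successful login from: 198.51.100.4",
    # 6.5 hours later: outside the 21600 s findtime window, so the earlier
    # failure from this host no longer counts
    "Jul 25 17:30:00 bbs synchronet: term Node 3 Bad password from: 198.51.100.4",
]


def compile_failregex(patterns):
    """Turn fail2ban-style failregex lines into Python regexes."""
    return [re.compile(p.replace("<HOST>", HOST_PATTERN)) for p in patterns]


def parse_line(line, regexes, year=2023):
    """Return (timestamp, host) if any failregex matches the line, else None.

    Syslog lines carry no year, so one is supplied (fail2ban assumes the
    current year in the same way)."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    message = line[m.end():]
    for rx in regexes:
        hit = rx.search(message)
        if hit:
            return ts, hit.group("host")
    return None


def evaluate_jail(lines, regexes, maxretry, findtime):
    """Replay log lines through a jail and return {host: time the ban fires}.

    Mirrors fail2ban's rule: a host is banned once it has maxretry matching
    failures within any findtime-second window."""
    recent = {}  # host -> timestamps of failures still inside the window
    bans = {}
    window = timedelta(seconds=findtime)
    for line in lines:
        parsed = parse_line(line, regexes)
        if parsed is None:
            continue
        ts, host = parsed
        if host in bans:
            continue  # already banned; fail2ban would keep counting but no new ban
        kept = [t for t in recent.get(host, []) if ts - t <= window]
        kept.append(ts)
        recent[host] = kept
        if len(kept) >= maxretry:
            bans[host] = ts
    return bans


def main():
    bans = evaluate_jail(SAMPLE_LOG, compile_failregex(SBBS_MAIN_FAILREGEX),
                         maxretry=3, findtime=21600)
    for host, when in bans.items():
        print(f"sbbs-main would ban {host} at {when.isoformat()}")
    ddos_line = ("Jul 25 10:00:00 bbs synchronet: web !Maximum concurrent connections "
                 "without login (10) reached from host: 192.0.2.9")
    print("sbbs-ddos match:", parse_line(ddos_line, compile_failregex(SBBS_DDOS_FAILREGEX)))


if __name__ == "__main__":
    main()
```

Running it bans 203.0.113.7 (three failures in eight seconds) and leaves 198.51.100.4 alone, because its two failures are further apart than findtime. On the real server the equivalent check is fail2ban's own tool, for example `fail2ban-regex /var/log/sbbs.log /etc/fail2ban/filter.d/sbbs-main.conf`, which reports how many lines each failregex matched; a filter that matches nothing there will never ban anyone.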

Reload or restart the service and verify that your jails are loaded:

# fail2ban-client status
Status
|- Number of jail:	7
`- Jail list:	asterisk, nginx-botsearch, *sbbs-hack, *sbbs-main, *sbbs-smtp, *sbbs-spam, *sbbs-ddos, sshd

(*) your active sbbs jails

After some time, you can observe via iptables that several IP addresses have been blocked (one fail2ban-SBBS-* chain per jail, each holding a REJECT rule per banned host):

# iptables -L -n 

Chain fail2ban-SBBS-main (1 references)
target     prot opt source               destination         
REJECT     all  --  49.64.51.116         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  187.161.208.161      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  190.130.22.81        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  94.123.59.80         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  118.175.228.237      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  220.240.252.176      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  71.248.179.3         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  185.29.71.147        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  201.69.90.121        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  78.186.210.14        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  117.247.90.134       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  37.130.109.12        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  189.110.122.99       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  24.70.18.200         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  112.164.94.30        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  37.109.137.13        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-SBBS-ddos (1 references)
target     prot opt source               destination
REJECT     all  --  110.53.221.190       0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

See Also

howto/fail2ban.txt · Last modified: 2023/07/25 15:36 by nick young
CC Attribution 4.0 International