howto:fail2ban [2017/09/19 11:49] – WIP (using fail2ban) ragnarokhowto:fail2ban [2020/07/02 22:59] – add rules for hack / spam logs ragnarok
Line 1: Line 1:
 ====== Use Fail2Ban on GNU/Linux to block botnet's attacks ====== ====== Use Fail2Ban on GNU/Linux to block botnet's attacks ======
  
-Synchronet now have a built-it support to block incomming connections (see [[howto:block-hackers|Blocking "Hackers"]]) but it's feature protect SBBS services only. If you running another services/daemos on same server, you can use Fail2Ban and the to block at firewall level the ip address from the attacker.+Synchronet now have a built-in support to block incomming connections (see [[howto:block-hackers|Blocking "Hackers"]]) but it's feature protect SBBS services only (which in most cases is sufficient)
  
-You must config an setup the sbbs log file that are explained here: [[config:nix|UNIX]]+If you running another services/daemons on same server, you can use [[http://fail2ban.org|Fail2Ban]] and to block at firewall level the ip address from the attacker.
  
-These examples where made on Debian GNU/Linux, but you can adjust and apply for another distribution like Ubuntu, Arch, Fedora, etc.+You must config and setup the sbbs log file that are explained here: [[config:nix|UNIX]] 
 + 
 +//NOTE: These examples where made on Debian GNU/Linux, but you can adjust and apply for another distribution like Ubuntu, Arch, Fedora, etc. 
 +//
  
 First step, install fail2ban package: First step, install fail2ban package:
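Review bot: the `+` side of the opening paragraphs still carries spelling and grammar slips that this revision could fix while it is touching those lines: `incomming` should read `incoming`, `it's feature protect SBBS services only` should read `this feature protects SBBS services only`, `If you running another services/daemons` should read `If you run other services/daemons`, `config and setup the sbbs log file that are explained here` should read `configure the sbbs log file as explained here`, and `These examples where made` should read `These examples were made`. The `built-it` to `built-in` fix and the added fail2ban.org link are fine as they stand.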
Line 12: Line 15:
 apt-get install fail2ban apt-get install fail2ban
 </code> </code>
 +
 +Create the file /etc/fail2ban/jail.d/sbbs.conf
 +<code>
 +[sbbs-main]
 +enabled  = true
 +filter   = sbbs-main
 +action   = iptables-allports[name=SBBS-main, protocol=all]
 +logpath  = /var/log/sbbs.log
 +maxretry = 3
 +findtime = 21600
 +bantime = 21600
 +
 +[sbbs-hack]
 +enabled  = true
 +filter   = sbbs-hack
 +action   = iptables-allports[name=SBBS-hack, protocol=all]
 +logpath  = /sbbs/data/hack.log
 +maxretry = 3
 +findtime = 21600
 +bantime = 21600
 +
 +[sbbs-smtp]
 +enabled  = true
 +filter   = sbbs-smtp
 +action   = iptables-allports[name=SBBS-smtp, protocol=all]
 +logpath  = /var/log/sbbs.log
 +maxretry = 3
 +findtime = 21600
 +bantime = 21600
 +
 +[sbbs-spam]
 +enabled  = true
 +filter   = sbbs-spam
 +action   = iptables-allports[name=SBBS-spam, protocol=all]
 +logpath  = /sbbs/data/spam.log
 +maxretry = 3
 +findtime = 21600
 +bantime = 21600
 +
 +
 +</code>
 +
 +Create the filter file /etc/fail2ban/filter.d/sbbs-main.conf
 +<code>
 +[INCLUDES]
 +before = common.conf
 +
 +[Definition]
 +failregex = Bad password from: <HOST>
 +            Throttling suspicious connection from: <HOST>
 +ignoreregex =
 +</code>
 +
 +Filter for hack.log (/etc/fail2ban/filter.d/sbbs-hack.conf)
 +<code>
 +[INCLUDES]
 +before = common.conf
 +[Init]
 +maxlines=6
 +[Definition]
 +failregex = ^SUSPECTED FTP HACK ATTEMPT from .* on .* \nUsing port .* at .* \[<HOST>\]\nDetails: .* \n
 +ignoreregex =
 +</code>
 +
 +Filter for smtp (/etc/fail2ban/filter.d/sbbs-smtp.conf)
 +<code>
 +[INCLUDES]
 +before = common.conf
 +[Definition]
 +failregex = .* !TEMPORARY BAN of .* <HOST> .*
 +            SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[<HOST>\]
 +ignoreregex =
 +</code>
 +
 +Filter for spam (/etc/fail2ban/filter.d/sbbs-spam.conf)
 +<code>
 +[INCLUDES]
 +before = common.conf
 +[Definition]
 +failregex = SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[<HOST>\]
 +            Host\: .* \[<HOST>\]
 +ignoreregex =
 +</code>
 +
 +Reload or restart the service and verify if you jail is loaded:
 +<code>
 +
 +# fail2ban-client status
 +Status
 +|- Number of jail: 7
 +`- Jail list: asterisk, nginx-botsearch, *sbbs-hack, *sbbs-main, *sbbs-smtp, *sbbs-spam, sshd
 +
 +</code>
 +(*) your sbbs active jail's
 +
 +After some time, you can observe via iptables that severals ip address was blocked
 +
 +<code>
 +# iptables -L -n 
 +
 +Chain fail2ban-SBBS-main (1 references)
 +target     prot opt source               destination         
 +REJECT     all  --  49.64.51.116         0.0.0.0/           reject-with icmp-port-unreachable
 +REJECT     all  --  187.161.208.161      0.0.0.0/           reject-with icmp-port-unreachable
 +REJECT     all  --  190.130.22.81        0.0.0.0/           reject-with icmp-port-unreachable
 +REJECT     all  --  94.123.59.80         0.0.0.0/           reject-with icmp-port-unreachable
 +REJECT     all  --  118.175.228.237      0.0.0.0/           reject-with icmp-port-unreachable
 +REJECT     all  --  220.240.252.176      0.0.0.0/           reject-with icmp-port-unreachable
 +REJECT     all  --  71.248.179.3         0.0.0.0/           reject-with icmp-port-unreachable
 +REJECT     all  --  185.29.71.147        0.0.0.0/           reject-with icmp-port-unreachable
 +REJECT     all  --  201.69.90.121        0.0.0.0/           reject-with icmp-port-unreachable
 +REJECT     all  --  78.186.210.14        0.0.0.0/           reject-with icmp-port-unreachable
 +REJECT     all  --  117.247.90.134       0.0.0.0/           reject-with icmp-port-unreachable
 +REJECT     all  --  37.130.109.12        0.0.0.0/           reject-with icmp-port-unreachable
 +REJECT     all  --  189.110.122.99       0.0.0.0/           reject-with icmp-port-unreachable
 +REJECT     all  --  24.70.18.200         0.0.0.0/           reject-with icmp-port-unreachable
 +REJECT     all  --  112.164.94.30        0.0.0.0/           reject-with icmp-port-unreachable
 +REJECT     all  --  37.109.137.13        0.0.0.0/           reject-with icmp-port-unreachable
 +RETURN     all  --  0.0.0.0/           0.0.0.0/          
 +
 +</code>
 + 
 ===== See Also ===== ===== See Also =====
   * [[:howto:|howto index]]   * [[:howto:|howto index]]
  
-{{tag>}}+{{tag>linux}}
  
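Review bot: the "Reload or restart the service" step gives no command; add `fail2ban-client reload` (or `systemctl restart fail2ban`) before the `fail2ban-client status` listing so the reader knows how the four new jails actually get loaded. In the filters, the `sbbs-hack` failregex only matches entries that begin `SUSPECTED FTP HACK ATTEMPT`, so anything else hack.log may record will not count toward a ban; either say so or widen the pattern on purpose. The leading `.*` in `.* !TEMPORARY BAN of .* <HOST> .*` is unnecessary, since fail2ban applies failregex to the line with the timestamp already removed, and it makes every line scan slower; drop it and anchor the pattern. In the iptables listing the destination column reads `0.0.0.0/` where the real output is `0.0.0.0/0`, and the sample shows real public source addresses; a how-to is better served by documentation addresses (192.0.2.0/24) there.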
howto/fail2ban.txt · Last modified: 2023/07/25 15:36 by nick young