

Use Fail2Ban on GNU/Linux to block botnet attacks

Synchronet now has built-in support for blocking incoming connections (see Blocking "Hackers"), but that feature protects SBBS services only. If you run other services/daemons on the same server, you can use Fail2Ban to block the attacker's IP address at the firewall level, which protects every service on the host at once.

You must configure the sbbs log file first, as explained here: UNIX

NOTE: These examples were made on Debian GNU/Linux, but you can adjust and apply them to other distributions such as Ubuntu, Arch, Fedora, etc. First step, install the fail2ban package:

apt-get install fail2ban

Create the jail file /etc/fail2ban/jail.d/sbbs.conf:

[sbbs-main]
enabled  = true
filter   = sbbs-main
action   = iptables-allports[name=SBBS-main, protocol=all]
logpath  = /var/log/sbbs.log
maxretry = 3
findtime = 21600
bantime  = 21600

Create the filter file /etc/fail2ban/filter.d/sbbs-main.conf:

[INCLUDES]
before = common.conf

[Definition]
failregex = Bad password from: <HOST>
            Throttling suspicious connection from: <HOST>
ignoreregex =
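To check the filter and the jail thresholds before restarting fail2ban, here is an added Python example (not part of this page, of Synchronet or of Fail2Ban) that applies the two failregex patterns above and the maxretry/findtime values from sbbs.conf to constructed log lines. The timestamp layout of the sample lines and the IP addresses are assumptions; only the two message texts come from the filter.

```python
import re
from datetime import datetime, timedelta

# fail2ban's own <HOST> expansion (simplified to the IPv4/hostname form).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex lines from the filter file on this page, as fail2ban sees them.
FAILREGEX = [
    re.compile(p.replace("<HOST>", HOST_RE))
    for p in ("Bad password from: <HOST>",
              "Throttling suspicious connection from: <HOST>")
]
MAXRETRY, FINDTIME = 3, timedelta(seconds=21600)   # jail settings from sbbs.conf

# Constructed sample log lines: the timestamp layout is an assumption, the
# message texts are the ones the filter matches, and the IPs are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2017-09-19 10:00:00 term Node 1 Bad password from: 203.0.113.5
2017-09-19 10:05:00 term Node 2 Bad password from: 203.0.113.5
2017-09-19 10:07:00 term Node 1 Throttling suspicious connection from: 203.0.113.5
2017-09-19 10:30:00 term Node 3 Bad password from: 198.51.100.7
2017-09-19 18:00:00 term Node 3 Bad password from: 198.51.100.7
2017-09-19 23:59:00 term Node 3 Bad password from: 198.51.100.7
"""

def failures(log_text):
    """Yield (timestamp, host) for every line that a failregex matches."""
    for line in log_text.splitlines():
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        for rx in FAILREGEX:
            m = rx.search(line)
            if m:
                yield ts, m.group("host")
                break

def hosts_to_ban(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts with >= maxretry failures inside one findtime window (fail2ban's rule)."""
    seen = {}
    banned = set()
    for ts, host in failures(log_text):
        # Keep only failures still inside the window ending at this event.
        window = [t for t in seen.get(host, []) if ts - t <= findtime] + [ts]
        seen[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned
```

The second host shows the findtime edge: three failures spread over more than 6 hours never reach maxretry inside one window, so it is not banned. On the real server, fail2ban-regex /var/log/sbbs.log /etc/fail2ban/filter.d/sbbs-main.conf runs the same regex check against the actual log.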

Reload or restart the service and verify that your jail is loaded:

# fail2ban-client status
Status
|- Number of jail:      7
`- Jail list:           ssh, asterisk-udp, *sbbs-main*, nginx-http-auth, ssh-ddos, asterisk-tcp

After some time, you can observe via iptables that several IP addresses have been blocked:

# iptables -L -n

Chain fail2ban-SBBS-main (1 references)
target     prot opt source               destination         
REJECT     all  --  49.64.51.116         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  187.161.208.161      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  190.130.22.81        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  94.123.59.80         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  118.175.228.237      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  220.240.252.176      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  71.248.179.3         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  185.29.71.147        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  201.69.90.121        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  78.186.210.14        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  117.247.90.134       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  37.130.109.12        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  189.110.122.99       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  24.70.18.200         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  112.164.94.30        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  37.109.137.13        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

See Also

howto/fail2ban.1505847733.txt · Last modified: 2017/09/19 12:02 by ragnarok