Strengthening Fail2Ban for Repeat Offenders

Let’s get straight to the case. I have a server, serving a web services and someone was trying to use my server for sending a spam mail.
Honestly, i am not an expert at this. So i struggling and do some research until i found some article which is quite interesting and try to implement it on to my server.

The result so far was good, i am quite satisfied. And here, i am gonna share it with you guys.

As i already mentioned above, i am not an expert on this field. Thus, I BEAR NO RESPONSIBILITY if something occurs to your server when you follow this guide. If by any chance you found this page and know what to do, then it’s good. However, if you also same like me, think again and DO IT WITH YOUR OWN RISK.

1. Modify or create /etc/fail2ban/filter.d/postfix-sasl.conf

# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$

[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
# Author: Yaroslav Halchenko

2. Modify or create /etc/fail2ban/filter.d/f2b-loop.conf

# Fail2Ban configuration file for subsequent bans
[INCLUDES]
before = common.conf
[Definition]
failregex = \]\s+Ban\s+<HOST>
ignoreregex = \[postfix-sasl.*\]\s+Ban\s+<HOST>
#

3. Modify or create /etc/fail2ban/jail.local

here is my pre configurationAt this time, what i want to protect was only FTP, Dovecot and Postfix. I will not explain anything about the code above. However, only by doing this is still not enough. Eventhough i made the bantime for 1 month, ‘they’ will come again. So, let’s go to the next step.

[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5
findtime = 86400 ;1 day
bantime = 604800 ;1 week

[postfix-sasl1]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
findtime = 86400 ;1 day
bantime = 604800 ;1 week

[postfix-sasl2]
enabled = true
port = smtp
filter = postfix-sasl
findtime = 864000 ;10 days
bantime = 2592000 ;1 month
logpath = /var/log/mail.log
maxretry = 5

4. Create file /etc/fail2ban/filter.d/repeatoffender.conf

#Fail2Ban configuration file
#
# Author: WireFlare
#
# This filter monitors the fail2ban log file, and permanently
# bans the ip addresses of persistent attackers.
#
# As of this version this ban only works with iptables.
#

[Definition]
_jailname = repeatoffender
failregex = fail2ban.actions\s+\[(?:.*)\]:\s+NOTICE\s+\[(?:.*)\]\s+Ban\s+<HOST>
ignoreregex = fail2ban.actions\s+\[(?:.*)\]:\s+NOTICE\s+\[%(_jailname)s\]\s+Ban\s+<HOST>

5. Create file /etc/fail2ban/action.d/repeatoffender.conf

# Fail2Ban configuration file
#
# Author: WireFlare
#

[INCLUDES]

before = iptables-blocktype.conf


[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
              # Establish chain and blocks for saved IPs
              iptables -N fail2ban-ip-blocklist
              iptables -A fail2ban-ip-blocklist -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-ip-blocklist
              cat /etc/fail2ban/ip.blocklist.<name> |grep -v ^\s*#|awk '{print $1}' | while read IP; do iptables -I fail2ban-ip-blocklist 1 -s $IP -j REJECT --reject-with icmp-port-unreachable; done

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
             # Remove chain and blocks for saved IPs to prevent duplicates on service restart
             iptables -D <chain> -p <protocol> -j fail2ban-ip-blocklist
             iptables -F fail2ban-ip-blocklist
             iptables -X fail2ban-ip-blocklist

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = VERIFY="<ip>*"
            ADD="<ip>        # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): Perma-Banned"
            FILE=/etc/fail2ban/ip.blocklist.<name>
            grep -q "$VERIFY" "$FILE" || iptables -I fail2ban-<name>  1 -s <ip> -j DROP
            grep -q "$VERIFY" "$FILE" || echo "$ADD" >> "$FILE"

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = # Do nothing becasuse their IP is in the blocklist file

# To manually unban from the ip blocklist file run this command:
# Be warned that if the ip is in log rotated files it must be whitelisted
#
# sed -i '/^<ip>/d' /etc/fail2ban/ip.blocklist.repeatoffender
#

[Init]

# Default name of the chain
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

6. Lets update /etc/fail2ban/jail.local and add this at the bottom

[repeatoffender]
enabled = true
filter = repeatoffender
logpath = /var/log/fail2ban*
maxretry = 3
findtime = 31536000
bantime = -1

7. The findtime is for 1 year, so we have to change the log rotation also. Update /etc/logrotate.d/fail2ban

/var/log/fail2ban.log {
    missingok
    notifempty
    monthly
    rotate 13
    create 0600 root root
    postrotate
    	/usr/bin/fail2ban-client set logtarget /var/log/fail2ban.log 2&gt; /dev/null || true
    endscript
}

That’s it. Hope this is useful for you guys. Full reference was in here and here.

Notes: those code was suitable for my server, doesn’t mean it’s also suitable for your server. You have to try it out first and made some adjustment based on your server. Good luck!.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Tinggalkan Balasan

Alamat email Anda tidak akan dipublikasikan. Ruas yang wajib ditandai *