8000 Whole IP pool block · Issue #1154 · fail2ban/fail2ban · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Whole IP pool block #1154

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kisst opened this issue Aug 10, 2015 · 10 comments
Open

Whole IP pool block #1154

kisst opened this issue Aug 10, 2015 · 10 comments
Milestone
1.0

Comments

@kisst
Copy link
kisst commented Aug 10, 2015

It was a topic here before but with a wrong approach ( IMHO ) #953

The idea is simple, if an ISP continuously scanning / doing nasty stuff then the full ISP pool should get blocked, and most likely permanently, right now I do that manually, and parsing the fail2ban log to returning AS numbers, and above a limit I drop them on the permanent block firewall set.

In this way the 134176, 23650,4134 made it to the list on the first week, but it would be nice to automate it.

I use the cymru whois service now for lookup if you know any better feel free to share.

whois -h v4.whois.cymru.com " -c -p 218.87.111.110"
AS      | IP               | BGP Prefix          | CC | AS Name
4134    | 218.87.111.110   | 218.87.0.0/16       | CN | CHINANET-BACKBONE No.31,Jin-rong Street,CN

When there is more then x ( in my case 3 ) block from the same AS then the action to put the BGP Prefix to the list.

Now this function need few things like AS lookup function with up to date database, but it does not looks impossible for me, but also this would mean that one threat of the fail2ban would monitor it's own log which could be funny.

Maybe it's easier to push it into database ( sqlite3 or something simple, or even shared p2p ), anyway let me know guys, what you think, let's open the conversation about this again.
@agentmoller001
Copy link
Contributor

You can accomplish this by creating iptables-multiport-24.conf file in the /etc/fail2ban/action.d/ directory.

nano /etc/fail2ban/action.d/iptables-multiport-24.conf

Then add the following below.

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
# Copied and modified from iptables-multiport.conf by Mike Moller for subnet banning
#

[INCLUDES]

before = iptables-blocktype.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip>/24 -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip>/24 -j <blocktype>

[Init]

# Default name of the chain
#
name = default

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ssh

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

Now modify the jail(s) that you want to have the subnet blocked ...

nano /etc/fail2ban/jail.local

Add the action = iptables-multiport-24 line to the jail...

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
action = iptables-multiport-24 [name=ssh, port="ssh", protocol=tcp]

#Another example how to implement subnet banning for postfix-sasl.
[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.warn
maxretry = 3
action = iptables-multiport-24 [name=postfix-sasl, port="smtp", protocol=tcp]

Also check out #1161

@kisst
Copy link
Author
kisst commented Nov 19, 2018

@agentmoller001 The suggested iptables-multiport-24.conf works with fix subnet size, with no context awareness around the size of the AS, I went around it with custom action, but I think building out a capability like this could be in scoop for the fail2ban project.

What I did :
Created a simple service which does the AS lookup on all entry on the fail2ban log, and the log it an sqlite3 database, and after writing in query the new value, and if that new value is more then x then null-route the ISP. But this "solution" is completely out of the fail2ban service, as fail2ban could not handle it.

@sebres sebres added this to the 1.0 milestone Jan 10, 2020
@sebres sebres pinned this issue Jan 10, 2020
@fingertrouble
Copy link
fingertrouble commented Nov 16, 2020
edited
Loading

I came here to ask something like this, or to find out if it can be done. I manually go through the fail2ban emails and block the CIDR range for each IP that gets a lot of attacks over different IPs - but this is quite work intensive so I rarely do it.

What would be good if fail2ban was aware that say multiple different IPs from the same AS/range block in X days/weeks/months results in a complete range ban. Having it for a repeat attacking single IP would be sort of useful, but then just block that single IP and might do false positives - I am wary about blocking UK/US etc for that reason.

It is the crafty people who come back from the same block of Iran or Chinese IPs months later and blast my server that need to be entire range autoblocked. Indeed I know geoblocking is beyond f2b but that would be good, I do it easily for nginx but that does not cover other services, mail, etc.

@Neko-Chang-Taiwan
Copy link
Neko-Chang-Taiwan commented Jun 8, 2021
edited
Loading

Hi @sebres

Sorry newbie at fail2ban @ github.
I have same problem much blocked list as below..
114.119.131.33
114.119.131.43
114.119.131.139
114.119.131.232
...

My system is FreeBSD with PF
Therefore wish the feature(duplicate #927?) add into FreeBSD with PF if possible.
Thank very much.

PS: Length of IPv4 and IPv6 netmask different.
In ./action.d/iptables-common.conf , both separate by Init?family=, therefore configure different easily.
But ./action.d/pf.conf have not, can be separate same iptable?

@jdbarnes-isi
Copy link

@agentmoller001 for fixed subnet, do you have equivalent settings for firewalld and nftables?

I second that this should be a feature. I currently have about 700 IPs from a single /20 AS in my block list. That's quite a few /24's.

@edwardsd97
Copy link

I just updated /etc/fail2ban/action.d/iptables.conf to have actionBan and actionUnBan just always use /24 instead of

@cooch17
Copy link
cooch17 commented Feb 2, 2024

@edwardsd97 -- could you share what tweak you made, specifically? For example, for actionban, what in

 actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

did you change? Did you simply add /24 after ? In other words..

  actionban = <iptables> -I f2b-<name> 1 -s <ip>/24 -j <blocktype>

Thanks in advance. Rather ask a 'silly question' than blow up iptables.

@jdbarnes-isi
Copy link

when looking for official/registered IP blocks to ban, I personally think it's probably best to use a remote source of truth since blocks are purchased and assigned by an authority.

Assuming their information is up to date,
both whois -h whois.arin.net -- "n <ipaddr>" | grep -i cidr | awk '{print $NF}'
and whois -h whois.cymru.com -- "-p -o -f <ipaddr>" | cut -d' ' -f

will give you varying levels of officially registered IP blocks, however, I am not familiar with how to enter these values into the field in actionban.

Also, I am utilizing the default action on Fedora, which is firewalld, and utilizing nftables on debian, so is a little dated and less useful to me. From what I'm reading, it seems like most people are still stuck on iptables :)

@edwardsd97
Copy link
edwardsd97 commented Feb 2, 2024 via email

@cooch17
Copy link
cooch17 commented Feb 3, 2024

Perfect - thanks. I had convinced myself that was correct, after trying some experiments with AlmaLinux in a VM, but confirmation from your end helps. As seems to be the case at your end, my main machine(s) are only intended for a couple of users, so I'm quite comfortable blocking way more than fail2ban defaults to.

Thanks again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.0
Development

No branches or pull requests
8 participants
@agentmoller001 @sebres @kisst @cooch17 @edwardsd97 @fingertrouble @Neko-Chang-Taiwan @jdbarnes-isi
0