On 14/01/2019 16:31, Nick Howitt wrote:
Hi,
I am trying to create a custom action file,
/etc/fail2ban/action.d/iptables-ipset-proto6-subnet.conf, the idea
of which is to block a whole /24 subnet every time it makes a
block.
Before anyone asks, I am having a spam flood from lots of adjacent
IPs. In postfix I block all mails from IPs with no PTR records.
These are usually dynamic IP blocks and should not be sending
e-mails. Suddenly I am getting stacks from these addresses and
often from the same subnet. If I ever get one of these, I'd like
to block the whole /24 subnet, on the theory that if one of the
IPs is dynamic and has no PTR record, then all IPs in the /24
subnet will be the same.
To do this I've created a jail:
[postfix-no-ptr]
enabled = true
logpath = %(syslog_mail)s
maxretry = 1
bantime = 108000
findtime = 3600
port = smtp,465,submission
action = iptables-ipset-proto6-subnet
In /etc/fail2ban/action.d/iptables-ipset-proto6-subnet.conf I have
actionstart = ipset create f2b-<name> hash:ip netmask 24 timeout <bantime>
Adding the 'netmask 24' is the only change from the whole
/etc/fail2ban/action.d/iptables-ipset-proto6.conf.
F2b starts fine, but the ipset set is not created. If I check the
fail action I get:
[root@server ~]# fail2ban-client get postfix-no-ptr actions
The jail postfix-no-ptr has the following actions:
iptables-ipset-proto6-subnet
So the jail is seen by f2b. It has just done nothing with it. I
can manually do the ipset command to create the jail.
How can I get this to work?
TIA, Nick
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
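The post's premise is that one PTR-less host in a /24 means the whole /24 is dynamic space, so the set is created with "netmask 24" and every ban covers the enclosing /24. The script below is an added example, not code from the post or from fail2ban: it checks that premise against fail2ban's own ban log lines before a /24 ban is committed, by counting distinct banned hosts per /24. The log sample is constructed; the "NOTICE [jail] Ban <ip>" line shape is fail2ban's standard ban message.

```shell
# Constructed sample of fail2ban.log ban lines (not from the original post).
BAN_LOG='2019-01-14 16:20:01,123 fail2ban.actions [1234]: NOTICE [postfix-no-ptr] Ban 203.0.113.10
2019-01-14 16:21:05,456 fail2ban.actions [1234]: NOTICE [postfix-no-ptr] Ban 203.0.113.77
2019-01-14 16:22:09,789 fail2ban.actions [1234]: NOTICE [postfix-no-ptr] Ban 198.51.100.5
2019-01-14 16:23:11,012 fail2ban.actions [1234]: NOTICE [postfix-no-ptr] Ban 203.0.113.10'

# Print the /24 an IPv4 address falls in, i.e. the entry an
# "ipset create ... hash:ip netmask 24" set actually stores for it.
subnet24() {
    printf '%s\n' "$1" | awk -F. '{ print $1"."$2"."$3".0/24" }'
}

# Read ban lines on stdin and print "<network>/24 <distinct hosts>" per /24,
# most-hit network first. Repeated bans of the same host count once.
hosts_per_subnet() {
    awk '/ Ban [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            ip = $NF; split(ip, o, ".")
            net = o[1] "." o[2] "." o[3] ".0/24"
            if (!((net, ip) in seen)) { seen[net, ip] = 1; n[net]++ }
         }
         END { for (net in n) print net, n[net] }' | sort -k2,2nr -k1,1
}

# Filter hosts_per_subnet output down to networks with at least $1 distinct
# banned hosts: the ones where a /24 ban is backed by evidence rather than one hit.
subnets_to_block() {
    awk -v min="$1" '$2 >= min { print $1 }'
}
```

Run `printf '%s\n' "$BAN_LOG" | hosts_per_subnet | subnets_to_block 2` to list only the /24s with two or more distinct offenders; a real fail2ban.log can be piped in the same way.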
Replying to my own issue.
It looks like specifying "action" does not work. If you specify
"action", you can see that f2b tries to use the "actionstart" from
iptables-ipset-proto6-subnet, because if I make it invalid, by
quoting the 'netmask 24', it throws an error with the line. If I
remove the quotes, no error is thrown, but no ipset set is created
and no firewall rule is created.
To get round it I had to specify:
startaction = iptables-ipset-proto6-subnet
stopaction = iptables-ipset-proto6-subnet
banaction = iptables-ipset-proto6-subnet
unbanaction = iptables-ipset-proto6-subnet
in the jail. The last three may be unnecessary as the default action
is iptables-ipset-proto6 and I have not modified those actions in
iptables-ipset-proto6.
Is this a bug?