I have done it using ipset. There may be better ways of doing it:
jail:
[postfix-no-ptr]
enabled  = true
logpath  = %(syslog_mail)s
maxretry = 1
bantime  = 432000
findtime = 108000
port     = smtp
startaction = iptables-ipset-proto6-subnet
stopaction  = iptables-ipset-proto6-subnet
banaction   = iptables-ipset-proto6-subnet
unbanaction = iptables-ipset-proto6-subnet

/etc/fail2ban/action.d/iptables-ipset-proto6-subnet.conf:
[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = ipset create f2b-<name> hash:net timeout <bantime>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
             ipset flush f2b-<name>
             ipset destroy f2b-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = ipset add f2b-<name> <ip>/24 timeout <bantime> -exist

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
#actionunban = ipset del f2b-<name> <ip> -exist
actionunban =

[Init]

# Option: bantime
# Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
# Values:  [ NUM ]  Default: 600
#
bantime = 600


There is no actionunban as it relies on the ipset line timing out using the built-in ipset mechanism. When banning subnets, you need to be sure you are not blocking good IPs. My filter is:
/etc/fail2ban/filter.d/postfix-no-ptr.conf
# Fail2Ban filter for postfix clients with no reverse hostname (no PTR record)
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/smtpd
# limited to qq.com e-mails - from qq.com and also from dynamic.163data.com.cn IP addresses
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from unknown\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your reverse hostname.*@qq.com
        ^%(__prefix_line)swarning: hostname .*\.dynamic\.163data\.com\.cn does not resolve to address <HOST>:


ignoreregex =

# Author: Nick Howitt

This is because I am currently under a spam attack with all mails coming from [email protected]. Most come from dynamic 163data.com.cn addresses and I assume that if one is dynamic, a whole /24 subnet will be dynamic. Some also come from other IPs and if they have no PTR record (a mandatory requirement for a properly configured mail server), I again assume the whole block is probably dynamic IPs and therefore should not be sending e-mails and block it.

Regards,

Nick


On 28/02/2019 13:37, Sub wrote:

Hello,


Is there any way to configure fail2ban to look for networks instead of single IPs?

There are many abusers who use whole C networks (or more IPs).

I am talking about situations like this example below:

2019-02-28 04:52:42,473 fail2ban.filter         [1904]: INFO    [postfix-sasl] Found 45.125.66.100
2019-02-28 04:52:43,475 fail2ban.filter         [1904]: INFO    [postfix-sasl] Found 45.125.66.70
2019-02-28 04:52:47,139 fail2ban.filter         [1904]: INFO    [postfix-sasl] Found 45.125.66.233
2019-02-28 04:52:47,144 fail2ban.filter         [1904]: INFO    [postfix-sasl] Found 45.125.66.156
2019-02-28 04:52:48,134 fail2ban.filter         [1904]: INFO    [postfix-sasl] Found 45.125.66.218
2019-02-28 04:52:53,495 fail2ban.filter         [1904]: INFO    [postfix-sasl] Found 45.125.66.234
2019-02-28 04:52:55,490 fail2ban.filter         [1904]: INFO    [postfix-sasl] Found 45.125.66.157
2019-02-28 04:52:56,488 fail2ban.filter         [1904]: INFO    [postfix-sasl] Found 45.125.66.190
2019-02-28 04:52:56,500 fail2ban.filter         [1904]: INFO    [postfix-sasl] Found 45.125.66.86
2019-02-28 04:52:58,487 fail2ban.filter         [1904]: INFO    [postfix-sasl] Found 45.125.66.80
2019-02-28 04:53:02,220 fail2ban.filter         [1904]: INFO    [postfix-sasl] Found 45.125.66.154
2019-02-28 04:53:09,231 fail2ban.filter         [1904]: INFO    [postfix-sasl] Found 45.125.66.232
2019-02-28 04:54:27,129 fail2ban.filter         [1904]: INFO    [postfix-sasl] Found 45.125.66.253
2019-02-28 05:00:09,261 fail2ban.filter         [1904]: INFO    [postfix-sasl] Found 45.125.66.68
2019-02-28 05:04:59,092 fail2ban.filter         [1904]: INFO    [postfix-sasl] Found 45.125.66.144

And take a look at logged time. These are connections made at the same time but from different IPs.


Can we configure fail2ban to search for XXX.XXX.XXX.* (instead of a single IP) and ban XXX.XXX.XXX.0/24 (instead of a single IP) to get rid of the above situations?


Cheers,


Sub



_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
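Worked example, added by the editor and not part of Nick's or Sub's mail nor of fail2ban itself: it runs Nick's two failregex patterns from postfix-no-ptr.conf over a handful of constructed Postfix log lines and groups the matching hosts into /24 networks, which is what the hash:net ipset action above ends up storing when it is given <ip>/24. It also goes one step beyond the thread: a threshold on distinct offending hosts per /24, so a whole block is only banned once several of its addresses have hit the filter (Sub's situation), which addresses Nick's caveat about not blocking good IPs. The syslog prefix and the IPv4-only HOST pattern are simplified stand-ins for fail2ban's __prefix_line and <HOST>, the set name and bantime are taken from the jail above, and every log line is constructed.

```python
"""Editor's worked example: apply the postfix-no-ptr failregex to sample log lines
and group offending hosts into /24 networks, as the hash:net ipset action does.
This is not fail2ban code; the prefix/HOST patterns are simplified stand-ins."""
import ipaddress
import re
from collections import defaultdict

# Simplified stand-in for fail2ban's __prefix_line (syslog date, host, daemon[pid]);
# an assumption, not the real common.conf expansion.
PREFIX = r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+postfix/smtpd\[\d+\]:\s+"
# IPv4-only stand-in for fail2ban's <HOST> tag (the real one also accepts hostnames/IPv6).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Nick's two failregex lines, with the literal dots in "4.7.1" and "@qq.com" escaped
# so they match only dots rather than any character.
FAILREGEX = [
    re.compile(PREFIX + r"NOQUEUE: reject: RCPT from unknown\[" + HOST
               + r"\]: 450 4\.7\.1 Client host rejected: cannot find your reverse hostname.*@qq\.com"),
    re.compile(PREFIX + r"warning: hostname .*\.dynamic\.163data\.com\.cn does not resolve to address "
               + HOST + r":"),
]

# Constructed sample log lines (not taken from the thread); 45.125.66.0/24 mirrors Sub's mail.
SAMPLE_LOG = [
    "Feb 28 04:52:42 mx1 postfix/smtpd[1904]: NOQUEUE: reject: RCPT from unknown[45.125.66.100]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [45.125.66.100]; from=<spammer@qq.com> to=<user@example.org> proto=ESMTP helo=<qq.com>",
    "Feb 28 04:52:43 mx1 postfix/smtpd[1904]: NOQUEUE: reject: RCPT from unknown[45.125.66.70]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [45.125.66.70]; from=<x@qq.com> to=<user@example.org> proto=ESMTP helo=<qq.com>",
    "Feb 28 04:52:47 mx1 postfix/smtpd[1905]: warning: hostname 183.57.57.9.dynamic.163data.com.cn does not resolve to address 183.57.57.9: Name or service not known",
    "Feb 28 04:52:50 mx1 postfix/smtpd[1906]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [198.51.100.7]; from=<someone@example.com> to=<user@example.org> proto=ESMTP helo=<mail.example.com>",
    "Feb 28 04:53:02 mx1 postfix/smtpd[1904]: NOQUEUE: reject: RCPT from unknown[45.125.66.154]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [45.125.66.154]; from=<y@qq.com> to=<user@example.org> proto=ESMTP helo=<qq.com>",
    "Feb 28 04:53:05 mx1 postfix/smtpd[1907]: connect from unknown[45.125.66.200]",
]


def extract_host(line):
    """Return the offending IP if one of the failregex patterns matches, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def subnet_of(host, prefixlen=24):
    """The network that `ipset add ... <ip>/24` stores: host bits are masked off."""
    return str(ipaddress.ip_network(f"{host}/{prefixlen}", strict=False))


def hits_by_subnet(lines, prefixlen=24):
    """Map each /prefixlen network to the set of distinct hosts that matched."""
    hits = defaultdict(set)
    for line in lines:
        host = extract_host(line)
        if host is not None:
            hits[subnet_of(host, prefixlen)].add(host)
    return dict(hits)


def subnets_to_ban(lines, min_distinct_hosts=1, prefixlen=24):
    """Networks worth banning, in address order.  min_distinct_hosts=1 reproduces
    Nick's action (a single hit bans the whole /24); a higher value only bans a
    block once several of its addresses have offended, limiting collateral damage."""
    chosen = [net for net, hosts in hits_by_subnet(lines, prefixlen).items()
              if len(hosts) >= min_distinct_hosts]
    return sorted(chosen, key=ipaddress.ip_network)


def ipset_commands(nets, setname="f2b-postfix-no-ptr", bantime=432000):
    """The `ipset add` lines the action would run for each chosen network."""
    return [f"ipset add {setname} {net} timeout {bantime} -exist" for net in nets]


if __name__ == "__main__":
    for net, hosts in hits_by_subnet(SAMPLE_LOG).items():
        print(f"{net}: {len(hosts)} distinct host(s): {sorted(hosts)}")
    print("threshold 1:", subnets_to_ban(SAMPLE_LOG))
    print("threshold 2:", subnets_to_ban(SAMPLE_LOG, min_distinct_hosts=2))
    for cmd in ipset_commands(subnets_to_ban(SAMPLE_LOG, min_distinct_hosts=2)):
        print(cmd)
```

With the threshold at 1 both 45.125.66.0/24 and 183.57.57.0/24 are banned; with it at 2 only 45.125.66.0/24 is, since the 163data host was the sole offender in its block. The 198.51.100.7 line is rejected by Postfix but does not match, because the regex is restricted to @qq.com senders, and the plain "connect from" line never matches at all. fail2ban itself has no per-subnet counter, so the threshold is shown here as a standalone check rather than something the jail above does.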