I have done it using ipset. There may be better ways of doing it:
jail:
[postfix-no-ptr]
enabled = true
logpath = %(syslog_mail)s
maxretry = 1
bantime = 432000
findtime = 108000
port = smtp
startaction = iptables-ipset-proto6-subnet
stopaction = iptables-ipset-proto6-subnet
banaction = iptables-ipset-proto6-subnet
unbanaction = iptables-ipset-proto6-subnet
/etc/fail2ban/action.d/iptables-ipset-proto6-subnet.conf:
[INCLUDES]
before = iptables-common.conf
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = ipset create f2b-<name> hash:net timeout <bantime>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
             ipset flush f2b-<name>
             ipset destroy f2b-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ipset add f2b-<name> <ip>/24 timeout <bantime> -exist
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
#actionunban = ipset del f2b-<name> <ip> -exist
actionunban =
[Init]
# Option: bantime
# Notes: specifies the bantime in seconds (handled internally
#        rather than by fail2ban)
# Values: [ NUM ] Default: 600
#
bantime = 600
There is no actionunban as it relies on the ipset line timing out using
the built-in ipset mechanism. When banning subnets, you need to be sure
you are not blocking good IPs. My filter is:
/etc/fail2ban/filter.d/postfix-no-ptr.conf
# Fail2Ban filter for postfix lost connections
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
# limited to qq.com e-mails - from q.com and also from
# dynamic.163data.com.cn IP addresses
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from unknown\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your reverse hostname.*@qq.com
            ^%(__prefix_line)swarning: hostname .*\.dynamic\.163data\.com\.cn does not resolve to address <HOST>:
ignoreregex =
# Author: Nick Howitt
This is because I am currently under a spam attack with all mails coming
from [email protected]. Most come from dynamic 163data.com.cn addresses
and I assume that if one is dynamic, a whole /24 subnet will be dynamic.
Some also come from other IPs and if they have no PTR record (a
mandatory requirement for a properly configured mail server), I again
assume the whole block is probably dynamic IPs and therefore should not
be sending e-mails and block it.
Regards,
Nick
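The filter and action above can be dry-run without a mail server. The following Python is an added example, not Nick's code or part of fail2ban: it assembles the two failregex lines the way fail2ban would, runs them over constructed postfix log lines (RFC 5737 documentation addresses), and renders the `ipset add f2b-<name> <ip>/24 ...` command the actionban would execute for each hit. The `PREFIX_LINE` and `HOST` patterns are simplified stand-ins for fail2ban's `%(__prefix_line)s` and `<HOST>` substitutions, and the literal dots in `4.7.1` are escaped here; the third sample line is deliberately a no-PTR sender that is not a qq.com address, so the filter must leave it alone.

```python
import re
import ipaddress

# Stand-in for fail2ban's %(__prefix_line)s from common.conf (assumption: a
# plain syslog prefix "Mon DD HH:MM:SS host postfix/smtpd[pid]: ").
PREFIX_LINE = r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ postfix/smtpd\[\d+\]: "

# Simplified stand-in for the named group fail2ban substitutes for <HOST>;
# enough for dotted-quad IPv4 addresses, which is all this example feeds it.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex lines of the postfix-no-ptr filter above, assembled the way
# fail2ban would (literal dots in "4.7.1" escaped here).
FAILREGEX = [
    re.compile(PREFIX_LINE + r"NOQUEUE: reject: RCPT from unknown\[" + HOST
               + r"\]: 450 4\.7\.1 Client host rejected: cannot find your "
               + r"reverse hostname.*@qq\.com"),
    re.compile(PREFIX_LINE + r"warning: hostname .*\.dynamic\.163data\.com\.cn "
               + r"does not resolve to address " + HOST + r":"),
]

# Constructed sample lines (RFC 5737 documentation addresses, not real senders).
# The third line has no PTR but is not a qq.com sender, so the filter must skip it.
SAMPLE_LOG = [
    "Mar  1 10:15:02 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: "
    "450 4.7.1 Client host rejected: cannot find your reverse hostname, [203.0.113.45]; "
    "from=<someone@qq.com> to=<me@example.org> proto=ESMTP helo=<qq.com>",
    "Mar  1 10:15:07 mx postfix/smtpd[2231]: warning: hostname "
    "198.51.100.77.dynamic.163data.com.cn does not resolve to address 198.51.100.77: "
    "Name or service not known",
    "Mar  1 10:16:00 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: "
    "450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.9]; "
    "from=<bob@example.com> to=<me@example.org> proto=ESMTP helo=<example.com>",
]


def match_line(line):
    """Return the offending IP as a string if any failregex matches, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def ban_command(ip, name="postfix-no-ptr", bantime=432000):
    """Render the ipset command the actionban above would run for this hit.

    Like the action, it widens the single host to its /24; the network is
    normalised to its network address, which is how ipset stores it anyway.
    """
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return f"ipset add f2b-{name} {net} timeout {bantime} -exist"


def scan(lines, **kw):
    """Run lines through the filter; return [(ip, ipset command)] for each hit."""
    hits = []
    for line in lines:
        ip = match_line(line)
        if ip:
            hits.append((ip, ban_command(ip, **kw)))
    return hits


if __name__ == "__main__":
    for ip, cmd in scan(SAMPLE_LOG):
        print(f"{ip:>15}  ->  {cmd}")
```

Running it prints two hits, each with the /24 it would put into the `f2b-postfix-no-ptr` set, and nothing for the `example.com` sender; this is the same check `fail2ban-regex` gives you, but it also makes the widening to /24 visible before the rule goes live.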
On 28/02/2019 13:37, Sub wrote:
Hello,
Is there any way to configure fail2ban to look for networks instead of
single IPs?
There are many abusers who use whole C networks (or more IPs).
I am talking about situations like this example below:
2019-02-28 04:52:42,473 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.100
2019-02-28 04:52:43,475 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.70
2019-02-28 04:52:47,139 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.233
2019-02-28 04:52:47,144 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.156
2019-02-28 04:52:48,134 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.218
2019-02-28 04:52:53,495 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.234
2019-02-28 04:52:55,490 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.157
2019-02-28 04:52:56,488 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.190
2019-02-28 04:52:56,500 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.86
2019-02-28 04:52:58,487 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.80
2019-02-28 04:53:02,220 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.154
2019-02-28 04:53:09,231 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.232
2019-02-28 04:54:27,129 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.253
2019-02-28 05:00:09,261 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.68
2019-02-28 05:04:59,092 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.144
And take a look at logged time. These are connections made at the same
time but from different IPs.
Can we configure fail2ban to search for XXX.XXX.XXX.* (instead of a
single IP) and ban XXX.XXX.XXX.0/24 (instead of a single IP) to get
rid of the above situations?
Cheers,
Sub
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
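The question asks fail2ban to notice that many different hosts in one /24 are failing at the same time. fail2ban's filters work per address, and the ipset approach in the reply bans the /24 on the first hit (maxretry = 1). As an added example, not part of the thread or of fail2ban, the following Python reads fail2ban's own "Found" log lines, groups them by /24 and reports only those networks in which at least `min_hosts` distinct addresses were found inside one `findtime` window. The sample input takes the first six lines quoted above and adds constructed lines (RFC 5737 addresses) for two cases that should not trigger a subnet ban: one address retrying three times, and three addresses spread over hours. The regex assumes the single-space layout of the pasted lines but tolerates fail2ban's usual column padding.

```python
import re
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# fail2ban's own log format as pasted in the question: timestamp, component,
# [pid], level, [jail], "Found <ip>". \s+ absorbs the column padding.
FOUND_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) fail2ban\.filter\s+\[\d+\]: "
    r"INFO\s+\[(?P<jail>[^\]]+)\] Found (?P<ip>\S+)$"
)

# Sample input: the first six lines are from the question; the rest are
# constructed (RFC 5737 addresses) to show two cases that must NOT trigger a
# subnet ban: one host retrying three times, and three hosts spread over hours.
SAMPLE = [
    "2019-02-28 04:52:42,473 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.100",
    "2019-02-28 04:52:43,475 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.70",
    "2019-02-28 04:52:47,139 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.233",
    "2019-02-28 04:52:47,144 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.156",
    "2019-02-28 04:52:48,134 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.218",
    "2019-02-28 05:04:59,092 fail2ban.filter [1904]: INFO [postfix-sasl] Found 45.125.66.144",
    "2019-02-28 04:53:10,000 fail2ban.filter [1904]: INFO [postfix-sasl] Found 203.0.113.5",
    "2019-02-28 04:53:12,000 fail2ban.filter [1904]: INFO [postfix-sasl] Found 203.0.113.5",
    "2019-02-28 04:53:15,000 fail2ban.filter [1904]: INFO [postfix-sasl] Found 203.0.113.5",
    "2019-02-28 04:55:00,000 fail2ban.filter [1904]: INFO [postfix-sasl] Found 198.51.100.10",
    "2019-02-28 05:30:00,000 fail2ban.filter [1904]: INFO [postfix-sasl] Found 198.51.100.11",
    "2019-02-28 06:05:00,000 fail2ban.filter [1904]: INFO [postfix-sasl] Found 198.51.100.12",
]


def parse_found(lines):
    """Yield (timestamp, ip) for every 'Found' line; other lines are ignored."""
    for line in lines:
        m = FOUND_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
            yield ts, ipaddress.ip_address(m.group("ip"))


def max_distinct_in_window(events, findtime):
    """events: time-sorted [(ts, ip)]. Largest number of DISTINCT addresses
    seen in any window of length findtime (sliding two-pointer scan)."""
    best, start, live = 0, 0, Counter()
    for ts_end, ip in events:
        live[ip] += 1
        while ts_end - events[start][0] > findtime:
            old = events[start][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            start += 1
        best = max(best, len(live))
    return best


def subnets_to_ban(lines, prefixlen=24, min_hosts=3, findtime_s=600):
    """Return {"a.b.c.0/24": n} for every /prefixlen in which at least min_hosts
    distinct addresses were found within findtime_s seconds of each other.

    Counting distinct hosts rather than hits is the safeguard: a single noisy
    address never gets its whole /24 blocked, and neither does a block whose
    few hits are spread out over a long time."""
    by_net = defaultdict(list)
    for ts, ip in parse_found(lines):
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        by_net[net].append((ts, ip))
    findtime = timedelta(seconds=findtime_s)
    result = {}
    for net, events in by_net.items():
        events.sort()
        n = max_distinct_in_window(events, findtime)
        if n >= min_hosts:
            result[str(net)] = n
    return result


if __name__ == "__main__":
    for net, n in subnets_to_ban(SAMPLE).items():
        print(f"{net}: {n} distinct hosts within 600s -> candidate for ipset add")
```

With the defaults only 45.125.66.0/24 is reported (five distinct hosts within six seconds); the repeated 203.0.113.5 and the three slow 198.51.100.x hits stay below the bar, which is the "make sure you are not blocking good IPs" check that a maxretry of 1 on the /24 action does not give you. Widening `findtime_s` to two hours pulls 198.51.100.0/24 in as well, so the window is the knob to tune against your own traffic.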