On 02/08/2019 19:18, Mike wrote:
I've been using F2B and it works well, but one thing it's not
particularly good at is dealing with patterns of source IP ranges
which are consistently troublesome. (AFAIK)
For example, if you're operating a mail server, and you have no
clients in countries like Brazil, China, Russia, etc., then it
seems like a waste of resources to constantly battle the now
highly-intelligent botnets that work around the fail2ban ruleset.
I know some people tend to want to block entire countries, but I'd
rather identify troublesome ISPs/IP blocks and deal with them in
batches.
I'm seeing botnets that operate from hundreds, if not thousands, of
distinct IP addresses and spread their brute force and dictionary
attacks out, so they're not triggered by f2b.
The solution to this, in my opinion, is adding an extra layer of
protection.
I've been running a mail server online for more than 20 years that
is based around tcp-wrappers and have built up a class A/B/C
blacklist that's not too large, but stops about 90% of the crack
attempts. Unfortunately, the more modern servers don't like to
wrap around hosts.allow/deny and tcpwrappers, so I'm stuck with
trying to come up with something new.
F2B seems to be centered around particular individual IPs, so it
doesn't work to block the troublesome IP ranges. (or am I wrong?
Can I feed f2b IPs and netmasks?)
My research indicates perhaps the best approach would be to employ
an additional permanent blacklist for troublesome IP address
ranges. Has anybody else done this using IPSETS and IPTABLES?
I want to create an IPSET set that contains IP ranges and
permanently ban certain blocks from all ports except http/https.
I want another IPSET/command that I can use to block a specific IP
from the server for all ports (that would be manually set when I
encounter specific attacks).
I had been using a special ruleset I created in F2B, but those
require timeouts and seem to only work with single IPs, so I'm
thinking I need to create some scripts that will do this outside
of F2B?
Anybody else done something like this? Any advice on the best
approach? Want to share any scripts you've created that can do
this?
- Mike
Replying to list this time.
I've done it using ipset sets to block dynamic IP blocks with
postfix:
/etc/fail2ban/jail.d/clearos-postfix-no-ptr.conf:
[postfix-no-ptr]
enabled = true
logpath = %(syslog_mail)s
maxretry = 1
bantime = 4294967
findtime = 108000
port = smtp
startaction = iptables-ipset-proto6-subnet
stopaction = iptables-ipset-proto6-subnet
banaction = iptables-ipset-proto6-subnet
unbanaction = iptables-ipset-proto6-subnet
/etc/fail2ban/action.d/iptables-ipset-proto6-subnet.conf:

[INCLUDES]
before = iptables-common.conf

[Definition]
actionstart = ipset create f2b-<name> hash:net timeout <bantime>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
             ipset flush f2b-<name>
             ipset destroy f2b-<name>
actionban = ipset add f2b-<name> <ip>/24 timeout <bantime> -exist
actionunban =

[Init]
bantime = 600
I am not sure of the purpose of the last bantime as this is a mod of
another filter I copied. I suspect it is overridden by the jail
bantime.
There is no actionunban as it uses ipset's own built-in timeout.
What it does is block a /24 subnet of any failing IP.
Regards,
Nick
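As an added example (not code from either message above, and not part of fail2ban), here is a POSIX shell script for the two sets Mike asks for: a hash:net set of permanently banned ranges matched on every port except http/https, and a hash:ip set for single addresses dropped on all ports, plus a helper that bans the surrounding /24 the way Nick's action does. The set names, the INPUT chain, the one-entry-per-line blocklist format and the DRY_RUN switch are my assumptions; DRY_RUN defaults to on so the script prints the ipset/iptables commands it would run instead of needing root.

```shell
#!/bin/sh
# Added example, not from the thread: the two ipset sets Mike describes.
#   permanent-nets (hash:net): ranges blocked on every port except 80/443
#   manual-blocks  (hash:ip) : single addresses blocked on all ports
# DRY_RUN=1 (the default here, so the script runs unprivileged) prints the
# ipset/iptables commands instead of executing them; run with DRY_RUN=0 as
# root to apply them. Set names, chain and file format are assumptions.

: "${DRY_RUN:=1}"
NET_SET=permanent-nets
IP_SET=manual-blocks
CHAIN=INPUT

# Execute a command, or print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept a dotted-quad IPv4 address with an optional /prefix (0-32).
# Rejects stray characters, empty octets, octets over 255 and bad prefixes,
# so a typo in the blocklist never becomes an ipset error or a wrong entry.
valid_cidr() {
    addr=${1%%/*}
    prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Create both sets and hook them into the chain ahead of any ACCEPT rules.
setup_sets() {
    run ipset -exist create "$NET_SET" hash:net
    run ipset -exist create "$IP_SET" hash:ip
    # Manual blocks: drop everything from these addresses.
    run iptables -I "$CHAIN" 1 -m set --match-set "$IP_SET" src -j DROP
    # Permanent ranges: drop all TCP except http/https, and all non-TCP.
    run iptables -I "$CHAIN" 2 -p tcp -m multiport ! --dports 80,443 -m set --match-set "$NET_SET" src -j DROP
    run iptables -I "$CHAIN" 3 ! -p tcp -m set --match-set "$NET_SET" src -j DROP
}

# Load one address or CIDR per line from a file into a set; '#' starts a
# comment, blank lines are skipped, malformed lines are reported and skipped.
load_ranges() {   # $1 = set name, $2 = blocklist file
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -n "$entry" ] || continue
        if valid_cidr "$entry"; then
            run ipset -exist add "$1" "$entry"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done < "$2"
}

# Block a single address on all ports (the manual set); refuses ranges.
block_ip() {
    case $1 in */*) printf 'block_ip wants a single address, not %s\n' "$1" >&2; return 1 ;; esac
    valid_cidr "$1" || return 1
    run ipset -exist add "$IP_SET" "$1"
}

# Ban the /24 around a single address in the range set, as Nick's action does.
ban_subnet24() {
    case $1 in */*) return 1 ;; esac
    valid_cidr "$1" || return 1
    run ipset -exist add "$NET_SET" "${1%.*}.0/24"
}

# Usage: BLOCKLIST_FILE=/etc/permanent-nets.txt sh blocklist.sh
if [ -n "${BLOCKLIST_FILE:-}" ]; then
    setup_sets
    load_ranges "$NET_SET" "$BLOCKLIST_FILE"
fi
```

Because the sets are plain hash:net/hash:ip without a timeout, entries stay until you remove them or reboot; save them with `ipset save` and restore at boot before the iptables rules are loaded, since `-m set --match-set` fails if the set does not exist yet. The three iptables rules are inserted at positions 1 to 3 so they sit in front of whatever ACCEPT rules the box already has.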
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users