From 3c5952b01e5444ce048aa2fcf75a605199729e29 Mon Sep 17 00:00:00 2001
From: The_Agent_K <lulatsch22@googlemail.com>
Date: Tue, 24 Nov 2015 10:03:48 +0100
Subject: [PATCH] Idee von
 http://sven.rojek.de/posts/fail2ban-iprange-mit-blackliste-blocken
 eingearbeitet

---
 action.d/action_ip-blacklist.conf         | 67 +++++++++++++++++++++++
 fail2ban.blacklist                        | 20 +++++++
 blocklist.conf => filter.d/blocklist.conf |  0
 filter.d/filter_ip-blacklist.conf         | 15 +++++
 filter.d/filter_ip-blacklist16.conf       | 15 +++++
 filter.d/filter_ip-blacklist24.conf       | 15 +++++
 filter.d/filter_ip-blacklist8.conf        | 15 +++++
 jail.local                                |  8 +--
 8 files changed, 151 insertions(+), 4 deletions(-)
 create mode 100644 action.d/action_ip-blacklist.conf
 create mode 100644 fail2ban.blacklist
 rename blocklist.conf => filter.d/blocklist.conf (100%)
 create mode 100644 filter.d/filter_ip-blacklist.conf
 create mode 100644 filter.d/filter_ip-blacklist16.conf
 create mode 100644 filter.d/filter_ip-blacklist24.conf
 create mode 100644 filter.d/filter_ip-blacklist8.conf

diff --git a/action.d/action_ip-blacklist.conf b/action.d/action_ip-blacklist.conf
new file mode 100644
index 0000000..6724c30
--- /dev/null
+++ b/action.d/action_ip-blacklist.conf
@@ -0,0 +1,67 @@
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = iptables -N fail2ban-<name>
+              iptables -A fail2ban-<name> -j RETURN
+              iptables -I <chain> -p <protocol> -j fail2ban-<name>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
+             iptables -F fail2ban-<name>
+             iptables -X fail2ban-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip>/<mask> -j DROP
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip>/<mask> -j DROP
+
+[Init]
+
+# Defaut name of the chain
+#
+name = default
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: all
+#
+protocol = all
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
+
+# Option:  mask
+# Notes.:  used to ban an address-range by netmask(s) in CIDR notation.
+# Values:  [ 32 | 24 | 16 | 8 ] Default: 32
+#
+mask = 32
\ No newline at end of file
diff --git a/fail2ban.blacklist b/fail2ban.blacklist
new file mode 100644
index 0000000..9eef60f
--- /dev/null
+++ b/fail2ban.blacklist
@@ -0,0 +1,20 @@
+########################################
+#
+# Single IP Example:
+# 10.10.10.10       [2015-01-01 12:00:00]
+# 10.10.10.10/32    [2015-01-01 12:00:00]
+#
+#########################################
+#
+# IP Range Options:
+# 10.10.10.10/24 = 10.10.10.*
+# 10.10.10.10/16 = 10.10.*.*
+# 10.10.10.10/8  = 10.*.*.*
+#
+#########################################
+#
+# IP Range Examples:
+# 10.10.10.10/16    [2015-01-01 12:00:00]
+# 10.10.10.10/24    [2015-01-01 12:00:00]
+#
+#########################################
\ No newline at end of file
diff --git a/blocklist.conf b/filter.d/blocklist.conf
similarity index 100%
rename from blocklist.conf
rename to filter.d/blocklist.conf
diff --git a/filter.d/filter_ip-blacklist.conf b/filter.d/filter_ip-blacklist.conf
new file mode 100644
index 0000000..72b816d
--- /dev/null
+++ b/filter.d/filter_ip-blacklist.conf
@@ -0,0 +1,15 @@
+[Definition]
+
+# Option:  failregex
+# Notes :  Detection of blocked ip addresses.
+# Values:  TEXT
+#
+
+failregex = ^<HOST>(/32.*|[^/].*)?$
+
+# Option:  ignoreregex
+# Notes :  Regex to ignore.
+# Values:  TEXT
+#
+
+ignoreregex =
\ No newline at end of file
diff --git a/filter.d/filter_ip-blacklist16.conf b/filter.d/filter_ip-blacklist16.conf
new file mode 100644
index 0000000..5393761
--- /dev/null
+++ b/filter.d/filter_ip-blacklist16.conf
@@ -0,0 +1,15 @@
+[Definition]
+
+# Option:  failregex
+# Notes :  Detection of blocked ip addresses.
+# Values:  TEXT
+#
+
+failregex = ^<HOST>/16.*$
+
+# Option:  ignoreregex
+# Notes :  Regex to ignore.
+# Values:  TEXT
+#
+
+ignoreregex =
\ No newline at end of file
diff --git a/filter.d/filter_ip-blacklist24.conf b/filter.d/filter_ip-blacklist24.conf
new file mode 100644
index 0000000..cd3a3b0
--- /dev/null
+++ b/filter.d/filter_ip-blacklist24.conf
@@ -0,0 +1,15 @@
+[Definition]
+
+# Option:  failregex
+# Notes :  Detection of blocked ip addresses.
+# Values:  TEXT
+#
+
+failregex = ^<HOST>/24.*$
+
+# Option:  ignoreregex
+# Notes :  Regex to ignore.
+# Values:  TEXT
+#
+
+ignoreregex =
\ No newline at end of file
diff --git a/filter.d/filter_ip-blacklist8.conf b/filter.d/filter_ip-blacklist8.conf
new file mode 100644
index 0000000..dd772a4
--- /dev/null
+++ b/filter.d/filter_ip-blacklist8.conf
@@ -0,0 +1,15 @@
+[Definition]
+
+# Option:  failregex
+# Notes :  Detection of blocked ip addresses.
+# Values:  TEXT
+#
+
+failregex = ^<HOST>/8.*$
+
+# Option:  ignoreregex
+# Notes :  Regex to ignore.
+# Values:  TEXT
+#
+
+ignoreregex =
\ No newline at end of file
diff --git a/jail.local b/jail.local
index 7ca89d4..a5f49b2 100644
--- a/jail.local
+++ b/jail.local
@@ -31,7 +31,7 @@ enabled   = true
 port      = anyport
 action = action_ip-blacklist
 filter    = filter_ip-blacklist
-logpath   = /var/log/fail2ban-blacklist
+logpath   = /var/log/fail2ban.blacklist
 maxretry  = 0
 findtime  = 15552000
 bantime   = -1
@@ -41,7 +41,7 @@ enabled   = true
 port      = anyport
 action    = action_ip-blacklist[mask=24]
 filter    = filter_ip-blacklist24
-logpath   = /var/log/fail2ban-blacklist
+logpath   = /var/log/fail2ban.blacklist
 maxretry  = 0
 findtime  = 15552000
 bantime   = -1
@@ -51,7 +51,7 @@ enabled   = true
 port      = anyport
 action    = action_ip-blacklist[mask=16]
 filter    = filter_ip-blacklist16
-logpath   = /var/log/fail2ban-blacklist
+logpath   = /var/log/fail2ban.blacklist
 maxretry  = 0
 findtime  = 15552000
 bantime   = -1
@@ -61,7 +61,7 @@ enabled   = true
 port      = anyport
 action    = action_ip-blacklist[mask=8]
 filter    = filter_ip-blacklist8
-logpath   = /var/log/fail2ban-blacklist
+logpath   = /var/log/fail2ban.blacklist
 maxretry  = 0
 findtime  = 15552000
 bantime   = -1