# Make Fail2ban with blocklist.de better

Idea from http://wiki.kvs1.de/doku.php?id=pimp-fail2ban-with-blocklist.de
and from http://sven.rojek.de/posts/fail2ban-iprange-mit-blackliste-blocken

Most admins use http://www.fail2ban.org/ to protect their servers.
To get more out of fail2ban, you can combine it with http://blocklist.de

## New jail for fail2ban

```
[ssh-blocklist]
...
```
see [jail.local](jail.local)

* Monitors the SSH port and uses the filter `blocklist` with the log file `blocklist.log`.
* Every IP found is banned for 1 day after 1 attempt.

## New filter for fail2ban

```
# Fail2Ban configuration file

[Definition]
...
```
see [blocklist.conf](blocklist.conf)

## Get the IPs

```
./blocklist.de-update.sh
```
Run [blocklist.de-update.sh](blocklist.de-update.sh) from a terminal.
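
A sanity check worth running on any third-party list before it feeds a jail that bans after a single attempt, shown here as an added example (it is not part of this repository or of blocklist.de-update.sh): it drops malformed lines, non-public ranges and allowlisted hosts. The `ALLOWLIST` values, the function names and the one-address-per-line input format are assumptions.

```shell
#!/bin/sh
# Added example: filter a downloaded blocklist before it reaches fail2ban.
# Assumption: the list has one IPv4 address per line; '#' starts a comment.

# Hypothetical allowlist of hosts that must never be banned (constructed values).
ALLOWLIST="203.0.113.10 198.51.100.7"

# Succeed if $1 is a dotted quad with four octets in 0..255 and no leading zeros.
is_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1                      # split on dots (input holds only digits and dots)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeed if $1 is "this network", private (RFC 1918), loopback or link-local.
is_non_public() {
    case $1 in
        0.*|10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Read a list on stdin; print the unique addresses that are safe to ban.
sanitize_blocklist() {
    sed 's/#.*//' | tr -d ' \t\r' | while IFS= read -r line; do
        is_ipv4 "$line" || continue
        if is_non_public "$line"; then continue; fi
        case " $ALLOWLIST " in
            *" $line "*) continue ;;      # never ban our own hosts
        esac
        printf '%s\n' "$line"
    done | LC_ALL=C sort -u
}

# Constructed sample input (documentation ranges), not real blocklist.de data.
printf '%s\n' '192.0.2.55' '10.0.0.8' '203.0.113.10' 'not-an-ip' '192.0.2.55' |
    sanitize_blocklist
```

fail2ban's own `ignoreip` jail option gives the same protection for your own addresses at ban time.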

## Restart service

```
service fail2ban restart
```

## Cron job

Call the script every hour to fetch the latest IP list for SSH:

```
0 * * * * $PATH_TO_FILE$/blocklist.de-update.sh ssh 3600
```

## Monitoring

```
tail -f /var/log/auth.log /var/log/fail2ban.log
```

## Check banned IPs on Linux

Use grep as follows to check whether the IP address 1.2.3.4 is blocked:

```
# -F matches the dots literally; -w rejects partial matches such as 11.2.3.4 or 1.2.3.40
iptables -L INPUT -v -n | grep -wF "1.2.3.4"
```