Ban Repeat Offenders With fail2ban

Step 1: create a new filter

First you need a filter that understands the fail2ban logfile format. Create a new filter definition at /etc/fail2ban/filter.d/fail2ban.conf:

# Fail2Ban configuration file
#
# Author: Tom Hendrikx
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

# Count all bans in the logfile
failregex = fail2ban.actions: WARNING \[(.*)\] Ban <HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#

# Ignore our own bans, to keep our counts exact.
# In your config, name your jail 'fail2ban', or change this line!
ignoreregex = fail2ban.actions: WARNING \[fail2ban\] Ban <HOST>


Step 2: define the jail

Now create a new jail in /etc/fail2ban/jail.conf:

[fail2ban]
enabled = true
filter = fail2ban
action = iptables-allports[name=fail2ban]
        sendmail-whois[name=fail2ban]
logpath = /var/log/fail2ban.log
# findtime: 1 week
findtime = 604800
# bantime: 1 week
bantime = 604800

As you can see I raised bantime to a much longer value than the default 600 seconds, so the attacker stays blocked for a very long time. Since the attacker has had his chance a few times by now (by default 3 bans from any defined jail, each of which triggers after a default of 3 failed attempts), the chance of blocking a valid but mistaken user for such a long period is pretty small.
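To see what the filter above actually counts before enabling the jail, here is an added example (my own, not part of the original guide or of fail2ban) that applies the filter's failregex and ignoreregex, with <HOST> expanded the way fail2ban does, to a constructed fail2ban.log sample and then applies the jail's maxretry/findtime window. The log lines and addresses are made up; maxretry defaults to fail2ban's 3.

```python
import re
from datetime import datetime, timedelta

# The filter's two regexes, with <HOST> expanded as fail2ban expands it
# (optional IPv6-mapped prefix, then a group named "host"); the dot in
# "fail2ban.actions" is escaped here, which the filter file leaves literal.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = re.compile(r"fail2ban\.actions: WARNING \[(.*)\] Ban " + HOST)
IGNOREREGEX = re.compile(r"fail2ban\.actions: WARNING \[fail2ban\] Ban " + HOST)
TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Constructed sample of /var/log/fail2ban.log (not a real capture).
SAMPLE_LOG = """\
2014-02-20 10:00:01,123 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2014-02-20 10:00:02,456 fail2ban.actions: WARNING [apache-auth] Ban 192.0.2.10
2014-02-20 10:00:03,789 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2014-02-21 12:00:00,000 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2014-02-21 12:00:05,000 fail2ban.actions: WARNING [fail2ban] Ban 192.0.2.10
2014-02-21 12:00:06,000 fail2ban.actions: WARNING [ssh] Unban 198.51.100.7
"""


def parse_bans(log_text):
    """Yield (timestamp, host) for each line failregex matches and ignoreregex does not."""
    for line in log_text.splitlines():
        if IGNOREREGEX.search(line):
            continue  # our own jail's bans must not count toward the next ban
        m, t = FAILREGEX.search(line), TS.match(line)
        if not m or not t:
            continue  # unbans, other log lines, or lines without a timestamp
        yield datetime.strptime(t.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")


def repeat_offenders(log_text, maxretry=3, findtime=604800):
    """Hosts with at least maxretry counted bans inside any findtime-second window."""
    window = timedelta(seconds=findtime)
    seen = {}   # host -> timestamps of counted bans still inside the window
    hits = set()
    for ts, host in parse_bans(log_text):
        bucket = [old for old in seen.get(host, []) if ts - old <= window]
        bucket.append(ts)
        seen[host] = bucket
        if len(bucket) >= maxretry:
            hits.add(host)  # this is the point where the fail2ban jail would ban
    return hits
```

With the one-week findtime from the jail, 192.0.2.10 is banned on its third recorded ban across two jails, while shrinking findtime to an hour lets the same host escape because its earlier bans fall out of the window.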

Warning: pick the right jail

This jail does not work with actions that record an IP only once (i.e. they block only an IP address and do not keep track of which jail triggered the block). For example:

  • When an attacker gets blocked for an SSH attempt for the third time, the ssh jail kicks in and blocks the IP for the defined bantime (default: 10 minutes).
  • A few seconds later the fail2ban jail also kicks in, and blocks the IP again, for a much longer period. Since the IP is already on the blocklist and the blocklist itself does not know about different jails, it still has the IP recorded once (or maybe twice, but cannot distinguish between the two).
  • After 10 minutes, the ssh jail removes the IP from the blocklist. The blocklist does not know about the intention of the fail2ban jail, and just deletes the IP.
  • The IP is now gone from the blocklist, despite our intention to block it for a longer period.

This happens with the following blocking actions: ipfw, hostsdeny, shorewall.

Currently, this means that:

  • you need to use the various iptables actions when blocking, since they keep a blocklist per jail, provided that you define a separate name=foo argument for each jail.
  • you need to use a different blocking action for this jail. Personally, I use shorewall for all 'regular' jails, and iptables-allports for the fail2ban jail. Combining any two different blocking actions would work, though.