Gist AndisGrossteins/0b041d1449b8b65ce4ac92d71f0dd2f3
DEPRECATED CODE!!!!1!one!!1
Please read the replies before using this code or commenting!
For a better solution, use the fail2ban's persistence SQLite database with long purge time.
See this answer on Server Fault StackExchange: https://serverfault.com/a/810798/72732
[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}' \
              | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
            if ! grep -q "fail2ban-<name> <ip>" /etc/fail2ban/persistent.bans; then echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans; fi
The issue as mentioned by jirislav can be circumvented by adding the 'fixed strings' parameter for grep:
grep -Fq ...
Can someone point me to where the log files of banned IP addresses are stored? I want to see if any have been banned as I still seem to have a lot of failed IP attempt logins from far away places.
@David-Frick if you are using Raspbian (i.e. Linux) and configured your system with fail2ban, it should be stored under /var/log.
Check /etc/fail2ban/fail2ban.conf; it has a line with the path, like this: logtarget = /var/log/fail2ban.log
I might have missed something, but why would one use the above configuration instead of the SQLite persistent storage used by fail2ban since version 0.9? See for example https://serverfault.com/a/810798
Also, the original discussion when this feature was added can be found here: https://sourceforge.net/p/fail2ban/mailman/message/31710813/
Thanks for pointing that out. I must've missed or forgotten about the feature when I discussed the issue on that blog post.
Now that I think about it, I had used the persistent SQLite storage for recidive jail at least once on a server I manage.
Got it, thanks for info.
Hi guys, I followed the guide but f2b gives me an error at line 44:
dic 31 00:11:14 raspberrypi fail2ban-server[32170]: Failed during configuration: Error in action definition 'iptables-multiport[name=sshd, bantime="-1", port="ssh", protocol="tcp", chain="<known/chain>"]': Source contains parsing errors
dic 31 00:11:14 raspberrypi fail2ban-server[32170]: [line 44]: 'if ! grep -q "f2b-<name> <ip>" /etc/fail2ban/persistent.bans; then echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans; fi\n'
Is it because something has changed at f2b?
Hi, @payapony!
Have you read the replies? This one in particular.
None of these examples seem to include modifications for unban:

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   See jail.conf(5) man page
# Values: CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
              sed -i '/^fail2ban-<name> <ip>$/d' /etc/fail2ban/persistent.bans
Please note that grep will interpret the dots from the IP as any character, so it is possible that some IP addresses won't be stored.

Let's consider the persistent.bans already contains:

And now you have a new match of IP 1.1.222.3.3. The grep will "succeed" in finding this pattern, but the IP address is not inside the file. This sensitivity is called true-negative. As the result, IP of 1.1.222.3.3 will not be stored in the file and the ban will not be restored after machine restart. The same applies not only for grep interpreting dots, but also not matching to the end of line.

Let's suppose you have fixed the problem described above and have escaped all the dots in the IP address so that grep doesn't interpret those. The grep would still "succeed" in finding 111.222.333.44 and 111.222.333.4, thus you also have to include end of line match character, so that it becomes:
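The check from the gist's actionban and the over-matching that jirislav describes, in runnable form. This is an added example, not code from the gist or from any reply: it builds a constructed persistent.bans, shows the original substring match wrongly reporting 10.10.222.3 as already recorded because 10.10.222.33 is in the file, and puts a fixed-string whole-line check (grep -Fx) beside it together with matching record, remove and restore helpers. The file path, jail name and addresses are constructed for the demo, and nothing calls iptables, so it runs unprivileged.

```shell
#!/bin/sh
# Added example (not part of the gist or the replies). Demonstrates why the
# gist's `grep -q "fail2ban-<name> <ip>"` check can report an IP as already
# recorded when it is not, and a fixed-string, whole-line check that avoids it.
# BANFILE, JAIL and the addresses below are constructed for this demo.

BANFILE="${BANFILE:-$(mktemp)}"
JAIL="sshd"

# Constructed contents, in the format the gist's actionban writes.
cat > "$BANFILE" <<EOF
fail2ban-sshd 111.222.33.44
fail2ban-sshd 10.10.222.33
EOF

# Original check, as in the gist: the pattern is a regex (dots match any
# character) and the match is a substring match, so 10.10.222.3 "matches"
# the stored line for 10.10.222.33.
recorded_original() {
    grep -q "fail2ban-$JAIL $1" "$BANFILE"
}

# Fixed check: -F takes the pattern literally and -x requires the whole line
# to match, so only an identical "fail2ban-<jail> <ip>" entry counts.
recorded_fixed() {
    grep -Fxq "fail2ban-$JAIL $1" "$BANFILE"
}

# actionban logic with the fixed check: append only when not already present.
record_ban() {
    recorded_fixed "$1" || echo "fail2ban-$JAIL $1" >> "$BANFILE"
}

# actionunban logic: drop exactly this entry. A whole-line fixed-string match
# keeps a neighbouring entry such as 10.10.222.33 when 10.10.222.3 is unbanned.
# (grep -v exits 1 when nothing is left, hence the || true.)
remove_ban() {
    grep -Fxv "fail2ban-$JAIL $1" "$BANFILE" > "$BANFILE.tmp" || true
    mv "$BANFILE.tmp" "$BANFILE"
}

# actionstart restore loop: print the IPs that would be re-inserted into the
# chain. Compared with the gist's /^fail2ban-<name>/ regex, an exact field
# comparison also stops "fail2ban-sshd" from picking up "fail2ban-sshd-ddos".
restore_bans() {
    awk -v jail="fail2ban-$JAIL" '$1 == jail {print $2}' "$BANFILE"
}

# Demonstration on the constructed file.
if recorded_original 10.10.222.3; then
    echo "original check: 10.10.222.3 wrongly reported as already recorded"
fi
if ! recorded_fixed 10.10.222.3; then
    echo "fixed check: 10.10.222.3 correctly reported as not recorded"
fi
```

Run it as a plain script; it prints both demonstration lines. The same `grep -Fxq` form can replace the `grep -q` in the gist's actionban unchanged, since the tags `<name>` and `<ip>` are substituted before the shell sees the command.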