├── .github
│   └── FUNDING.yml
├── CHANGELOG.md
├── README.md
├── action.d
│   └── blacklist.conf
├── filter.d
│   └── blacklist.conf
└── jail.local
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | # These are supported funding model platforms
2 |
3 | github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
4 | patreon: # Replace with a single Patreon username
5 | open_collective: # Replace with a single Open Collective username
6 | ko_fi: mitchellkrog
7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
8 | custom: # Replace with a single custom sponsorship URL
9 |
--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
1 | **2019-03-13 - Tested now on Fail2ban 0.10.2 works 100%**
2 | ```
3 | Tested On: Fail2Ban 0.10.2
4 | Server: Ubuntu 18.04.2 LTS
5 | Firewall: IPTables
6 | ```
7 |
8 | **2018-08-25 - Refork version to make working with oldstable 0.8.13 Debian 8.1**
9 | ```
10 | Tested On: Fail2Ban 0.8.13
11 | Server: Debian "Jessie" 8.1
12 | Firewall: IPTables
13 | ```
14 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Fail2Ban Blacklist JAIL for Repeat Offenders
2 | ### with Perma / Extended Banning Across Reboots
3 |
4 | ### If this helped you
5 |
6 | [ko-fi.com/mitchellkrog](https://ko-fi.com/mitchellkrog)
7 |
8 |
9 | >A customised jail with action and filter file for Fail2Ban.
10 | This jail is based on the recidive jail but makes use of a simple
11 | text file to enable extended and permanent bans even across reboots.
12 |
13 | >This is intended to replace the recidive jail, so make sure that
14 | recidive is set to `enabled = false`; do not have both this jail and
15 | recidive running at the same time.
16 |
17 | - Author: Mitchell Krog
18 | - Contributors: BrigsLabs - https://github.com/BrigsLabs
19 | - Version: 1.1
20 | - Tested on Fail2Ban: 0.8.13 through 0.10.2
21 | - Servers used in Testing: Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS
22 | - Project URL: https://github.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning
23 | - Blog: https://ubuntu101.co.za/
24 | - Fail2Ban: http://www.fail2ban.org/wiki/index.php/Main_Page
25 | - [Changelog](https://github.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning/blob/master/CHANGELOG.md)
26 |
27 | # SETUP INSTRUCTIONS:
28 |
29 | - **STEP 1:** requires blacklist.conf in /etc/fail2ban/filter.d folder
30 |
31 | `cd /etc/fail2ban/filter.d`
32 |
33 | `sudo wget https://raw.githubusercontent.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning/master/filter.d/blacklist.conf -O blacklist.conf`
34 |
35 | - **STEP 2:** requires blacklist.conf in /etc/fail2ban/action.d folder
36 |
37 | `cd /etc/fail2ban/action.d`
38 |
39 | `sudo wget https://raw.githubusercontent.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning/master/action.d/blacklist.conf -O blacklist.conf`
40 |
41 | - **STEP 3:** requires jail settings called [blacklist]
42 |
43 | `sudo nano /etc/fail2ban/jail.local`
44 |
45 | add this to the bottom of the file
46 |
47 | ```
48 | [DEFAULT]
49 | port = 0:65535
50 | filter = %(__name__)s
51 |
52 | [blacklist]
53 | enabled = true
54 | logpath = /var/log/fail2ban.*
55 | filter = blacklist
56 | banaction = blacklist
57 | bantime = 31536000 ; 1 year
58 | findtime = 31536000 ; 1 year
59 | maxretry = 10
60 | ```
61 |
62 | :exclamation: To stop all email notifications of bans, especially after a server reboot, add the jail as follows:
63 |
64 | ```
65 | [DEFAULT]
66 | port = 0:65535
67 | filter = %(__name__)s
68 |
69 | [blacklist]
70 | enabled = true
71 | logpath = /var/log/fail2ban.*
72 | filter = blacklist
73 | banaction = blacklist
74 | action = %(action_)s
75 | bantime = 31536000 ; 1 year
76 | findtime = 31536000 ; 1 year
77 | maxretry = 10
78 | ```
79 |
80 | - **STEP 4:** requires ip.blacklist file in /etc/fail2ban
81 |
82 | create the file
83 |
84 | `sudo touch /etc/fail2ban/ip.blacklist`
85 |
86 | make sure root can read and write it (Fail2Ban runs as root, and the file is plain data, so it needs no execute bit)
87 |
88 | `sudo chmod 644 /etc/fail2ban/ip.blacklist`
89 |
90 | - **STEP 5:** recidive filter must be disabled (do not run both at same time)
91 |
92 | ### Drawbacks:
93 |
94 | Only works with IPTables
95 |
96 | ### Based on:
97 |
98 | the Recidive Jail from Fail2Ban (do not run both at same time please)
99 |
100 | ### How it works / Concepts:
101 |
102 | This jail monitors all your Fail2Ban log files including any rotated
103 | log files because the log file location setting in the jail is wild-carded (`/var/log/fail2ban.*`). Fail2Ban reads these files as plain text and does not decompress rotated `.gz` copies, so keep `delaycompress` in the logrotate settings below; it leaves the most recently rotated log uncompressed and readable.
104 |
105 | It requires an action.d file called blacklist.conf in your /etc/fail2ban/action.d folder
106 | It requires a filter.d file called blacklist.conf in your /etc/fail2ban/filter.d folder
107 | It requires the jail [blacklist] settings in your jail.local file
108 |
109 | In my jail settings I have set a
110 | findtime of 1 year (31536000 seconds)
111 | bantime of 1 year (31536000 seconds)
112 | maxretry of 10 attempts
113 |
114 | This means Fail2Ban will scan through its log files over a full year's period.
115 | If it finds that the same IP address was banned by any other jail (an SSH jail, for
116 | instance) on 10 different occasions anywhere within 1 year, that IP address
117 | is then regarded as a repeat offender and is blacklisted for the 1 year
118 | period, or forever if you set bantime to -1.
119 |
120 | This is done through a very simple text based file called ip.blacklist
121 | Follow the Setup Instructions Above
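The following shell function, added here as an example and not part of the project, previews which hosts the [blacklist] jail would count as repeat offenders by applying the filter's selection with grep, awk, sort and uniq: NOTICE lines written by fail2ban.actions that end in `Ban <ip>`, from any jail except [blacklist] itself, tallied per IP and compared against maxretry. Unban lines and `Restore Ban` lines do not match, just as they do not match the filter's `\]\s+Ban` pattern. The findtime window is not applied, so point it at the log span you care about. The names `write_sample_log` and `repeat_offenders` are mine, and the log lines in `write_sample_log` are constructed in the 0.9/0.10 line format, not real data.

```shell
#!/bin/sh
# Added example (not the project's code): preview which hosts the [blacklist]
# jail would treat as repeat offenders, using only grep/awk/sort/uniq.
# It applies the same selection as filter.d/blacklist.conf: NOTICE lines from
# fail2ban.actions, "Ban <ip>" at the end of the line, any jail except
# [blacklist] itself. Unban and "Restore Ban" lines do not match, as in the filter.
# The findtime window is not applied: feed it the log span you care about.

# write_sample_log FILE
# Writes a small constructed fail2ban.log (not real data) in the 0.9/0.10
# line format. 203.0.113.7 is banned by three different jails; 198.51.100.9
# once; the [blacklist] line and the Unban/Restore lines must not count.
write_sample_log() {
    cat > "$1" <<'EOF'
2019-03-13 10:00:01,123 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.7
2019-03-13 10:05:02,456 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.7
2019-03-13 11:00:03,789 fail2ban.actions        [1234]: NOTICE  [nginx-http-auth] Ban 203.0.113.7
2019-03-13 12:00:04,012 fail2ban.actions        [1234]: NOTICE  [postfix] Ban 203.0.113.7
2019-03-13 12:30:05,345 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.9
2019-03-13 13:00:06,678 fail2ban.actions        [1234]: NOTICE  [blacklist] Ban 203.0.113.7
2019-03-14 09:00:07,901 fail2ban.actions        [1234]: NOTICE  [sshd] Restore Ban 198.51.100.9
EOF
}

# repeat_offenders LOGFILE [MAXRETRY]
# Prints "<count> <ip>" for every IP with at least MAXRETRY (default 10)
# qualifying Ban lines, one per line, in IP order.
repeat_offenders() {
    logfile=$1
    maxretry=${2:-10}
    grep -F 'fail2ban.actions' "$logfile" \
        | grep -E 'NOTICE +\[[^]]+] Ban [^ ]+$' \
        | grep -v -F '[blacklist] Ban' \
        | awk '{ print $NF }' \
        | sort | uniq -c \
        | awk -v m="$maxretry" '$1 >= m { print $1, $2 }'
}

# Usage on a live server (add rotated plain-text copies if you keep them):
#   repeat_offenders /var/log/fail2ban.log 10
```

Hosts listed by `repeat_offenders /var/log/fail2ban.log 10` are the ones the jail will ban as soon as it is enabled, because Fail2Ban reads the whole log file when the jail starts.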
122 |
123 | ### The Startup Action:
124 |
125 | The startup action checks the existing ip.blacklist file for any duplicates and
126 | automatically removes them. It also sorts the file (with `sort -u`, so the order is textual: 10.0.0.1 sorts before 9.0.0.1), which makes
127 | looking through the file later a breeze. The startup action then adds all IPs contained
128 | in the blacklist file into your IPTables with a DROP rule. This happens every time
129 | Fail2Ban starts, including after a server reboot, so this truly works across reboots,
130 | unlike other repeat offender jails out there. Note that the jump into the jail's chain is inserted with `-p <protocol>` (tcp by default, inherited from iptables-common.conf), so the DROP applies to TCP only unless you set `protocol = all` in the jail.
131 |
132 | It also effectively deals with any chance of duplicates:
133 | a really simple sort command line is used to sort the file and clear it of dupes.
134 |
135 | ### The Ban Action:
136 |
137 | The ban action takes a new IP address which was found to match our rules and writes this
138 | new entry into the ip.blacklist file and it then adds this new IP to the IPTables rules and the
139 | new repeat offender is immediately blocked with a DROP command.
140 |
141 | ### The UnBan Action:
142 |
143 | The unban action removes the IP address from the ip.blacklist file and deletes the
144 | IPTables firewall entry. If the same offending IP address comes back and tries an attack
145 | again even just once, its earlier Ban entries are still inside the 1 year findtime, so it will satisfy the rule again and will be blocked
146 | again for another entire year. A really simple sed command line is used to delete the IP entry
147 | from the ip.blacklist file (make sure the pattern matches the whole line, otherwise unbanning 1.2.3.4 would also delete 11.2.3.45).
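Added here as an example, not the project's own code: the three file operations behind the startup, ban and unban actions as shell functions you can run against a scratch copy of ip.blacklist, plus a dry run of the iptables replay. The unban function anchors the sed pattern to the whole line and escapes the dots, because an unanchored pattern such as `/<ip>/d` deletes every line that contains the address as a substring, so unbanning 1.2.3.4 would also remove 11.2.3.45 and 1.2.3.40. The replay skips blank lines and comments and rejects entries that do not look like an address. The function names, the `IPTABLES` and `CHAIN` variables, and the chain name `f2b-blacklist` (what `f2b-<name>` expands to for a jail called blacklist) are my assumptions; by default `IPTABLES` is `echo iptables`, so nothing touches the firewall unless you set `IPTABLES=iptables` as root.

```shell
#!/bin/sh
# Added example (not the project's code): the file-maintenance half of the
# startup, ban and unban actions as shell functions you can try on a scratch
# copy of /etc/fail2ban/ip.blacklist. The iptables replay is a dry run that
# only prints the commands unless you set IPTABLES=iptables yourself.

IPTABLES=${IPTABLES:-echo iptables}   # assumption: dry run by default
CHAIN=${CHAIN:-f2b-blacklist}         # assumption: f2b-<name> for a jail named blacklist

# blacklist_add FILE IP  -- what actionban does: append the IP on its own line
blacklist_add() {
    printf '%s\n' "$2" >> "$1"
}

# blacklist_tidy FILE  -- what actionstart does: drop duplicates, sort in place
# (textual order, so 10.0.0.1 sorts before 9.0.0.1; fine for a DROP list)
blacklist_tidy() {
    sort -u "$1" -o "$1"
}

# blacklist_remove FILE IP  -- what actionunban does, with the sed pattern
# anchored to the whole line and the dots escaped. An unanchored '/<ip>/d'
# would also delete 11.2.3.45 and 1.2.3.40 when unbanning 1.2.3.4.
blacklist_remove() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -i -e "/^${pat}\$/d" "$1"
}

# blacklist_replay FILE  -- what actionstart does after sorting: one DROP
# rule per entry, skipping blank lines and comments and refusing anything
# that does not look like an address or CIDR, so a stray line cannot turn
# into an unexpected iptables argument.
blacklist_replay() {
    while IFS= read -r ip || [ -n "$ip" ]; do
        case $ip in
            ''|'#'*) continue ;;
            *[!0-9a-fA-F.:/]*) echo "skipping malformed entry: $ip" >&2; continue ;;
        esac
        $IPTABLES -I "$CHAIN" 1 -s "$ip" -j DROP
    done < "$1"
}

# Try it on a scratch copy:
#   cp /etc/fail2ban/ip.blacklist /tmp/ip.blacklist
#   blacklist_add /tmp/ip.blacklist 203.0.113.7; blacklist_tidy /tmp/ip.blacklist
#   blacklist_remove /tmp/ip.blacklist 203.0.113.7; blacklist_replay /tmp/ip.blacklist
```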
148 |
149 | #### Other Comments:
150 |
151 | Some may think this is harsh but if someone really tries 10 times they must be banned
152 | it's as simple as that.
153 |
154 | If a rogue IP address really has not been dealt with by the network manager of the company
155 | owning the IP address (in an entire year), then it's unlikely they will ever deal with it
156 | or simply are being hacked to death themselves and don't even know how to stop it.
157 |
158 | Then it is time to even consider using -1 as your bantime so these BAD IP's are blocked forever.
159 |
160 | I based this on the recidive filter which comes with Fail2Ban but I found this a better
161 | method of making sure bans are persistent across reboots, and it's foolproof. It's also very
162 | fast and does not slow down Fail2Ban whatsoever.
163 |
164 | It is suggested to also modify your Fail2Ban log rotation settings to have logrotate
165 | retain Fail2Ban logs for at least 13 months. (see below for logrotate settings for Fail2Ban)
166 |
167 | It was first tested on the 0.9 series of Fail2Ban on Ubuntu 16.04 and has since been tested on the versions listed above (0.8.13 through 0.10.2, see the Changelog); it should work
168 | on other versions too, but there is no guarantee of this until I can test myself.
169 |
170 | If you are new to Fail2Ban go read my tutorial at
171 | https://ubuntu101.co.za/security/fail2ban/fail2ban-persistent-bans-ubuntu/
172 |
173 | #### LogRotate Settings for Fail2Ban:
174 |
175 | edit this file at /etc/logrotate.d/fail2ban
176 |
177 | This is set to rotate the log file monthly and delete any log files older than
178 | 13 months, assuring you always have a full year of logs to reference for
179 | Repeat Offenders
180 |
181 | ```
182 | /var/log/fail2ban.log {
183 | monthly
184 | rotate 13
185 | compress
186 | delaycompress
187 | missingok
188 | notifempty
189 | postrotate
190 | fail2ban-client flushlogs 1>/dev/null
191 | endscript
192 | create 640 root adm
193 | }
194 | ```
195 |
196 | #### Some Good Advice For You:
197 |
198 | In my time working with Fail2Ban I have had to rely on many forums for help and guidance
199 | with problems I ran into. Almost every time I found out my problems were all merely syntax
200 | related problems in my jail.local file, so ALWAYS make sure your syntax is correct by starting
201 | the fail2ban client as follows after you have made ANY modifications to your jail.local file:
202 | `sudo fail2ban-client -vvv -x start`
203 | This will give you a verbose output for debugging purposes.
204 |
205 | Finally, and please pay attention to this. I have seen a lot of people on forums who have
206 | had problems getting Fail2Ban to work properly receiving advice from strangers telling them
207 | to do silly things like disabling AppArmor on Ubuntu (or SELinux on distributions that use it). This really is bad advice
208 | because I can assure you Fail2Ban works 100% perfectly with AppArmor / SELinux in its default
209 | unmodified state.
210 |
211 | Don't place yourself in a situation of going through the effort of installing Fail2Ban for
212 | added security measures while at the same time disabling other security measures.
213 |
214 | #### A Personal Comment on Country Blocking:
215 |
216 | Be careful of following advice of blocking entire country IP blocks.
217 | It's just in my opinion a really bad network practice to block an entire country simply because
218 | one or two networks are badly managed.
219 |
220 | You may be hosting web sites for clients who are losing potential business from other countries
221 | simply because you have set rules to prevent that entire country from even seeing their web site
222 | or reaching your server.
223 |
224 | Fail2Ban and this custom Jail will work perfectly for you at dealing with individual repeat offender
225 | IP addresses and dealing with them permanently.
226 |
227 | If you really must block an entire country, make sure you are 100% aware of the implications.
228 |
229 | If someone really wants to hack your servers though, they will just jump to another country
230 | .... and another ..... and another .... and another ..... are you going to block the entire world
231 | eventually?
232 |
233 | ## Disclaimer:
234 |
235 | This software comes with no warranty of any sort and you use this at your own risk.
236 | The author will not be held responsible for any failures through the use of this software
237 | add on for the popular Fail2Ban plugin.
238 |
239 | This plugin / custom jail for Fail2Ban is also NOT official, it is customised by myself
240 | for my own server environment and I have made it available on Github as open source
241 | software.
242 |
243 | While this software has been thoroughly tested on the server environment and software
244 | versions listed in this readme file, the author can not offer any guarantee that it will
245 | work on your server.
246 |
247 | The most common reason should this not work for you is that your file permissions have
248 | been fiddled with or your server has been modified in other non-standard ways.
249 | Fail2Ban requires root access to all its files and folders.
250 |
251 | ## Free to Use - Free to Change:
252 |
253 | This is open source software and 100% free to use.
254 | You can modify it to your liking if you don't like the way I have done something,
255 | but if you break it you fix it yourself. This working and tested version is truly all
256 | you should ever need.
257 |
258 | ## Issues:
259 |
260 | Feel free to log any issues using the issue logging system here on GitHub. I will do my
261 | best to help you if I can find any free time to do so.
262 |
263 | ### Thanks to all the really good folks out there who contribute to Fail2Ban and who write add ons and modules for it.
264 |
265 | [ko-fi.com/mitchellkrog](https://ko-fi.com/mitchellkrog)
266 |
--------------------------------------------------------------------------------
/action.d/blacklist.conf:
--------------------------------------------------------------------------------
1 | # /etc/fail2ban/action.d/blacklist.conf
2 | # Fail2Ban Blacklist for Repeat Offenders (action.d)
3 | #
4 | # Author: Mitchell Krog
5 | # Version: 1.1
6 | # GitHub: https://github.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning
7 | # Tested On: 0.8.13
8 | # Server: Debian Jessie 8.1
9 | # Firewall: IPTables
10 | #
11 | # Dependencies: requires blacklist.conf in /etc/fail2ban/filter.d folder
12 | # requires jail settings called [blacklist]
13 | # requires ip.blacklist file in /etc/fail2ban
14 | # create with sudo touch /etc/fail2ban/ip.blacklist
15 | #
16 | # Drawbacks: Only works with IPTables
17 | #
18 | # Based on: the Recidive Jail from Fail2Ban
19 | #
20 | # This custom action requires a custom jail in your
21 | # jail.local file for Fail2Ban
22 | #
23 | # Your jail file would be configured as follows
24 | #
25 | # [blacklist]
26 | # enabled = true
27 | # logpath = /var/log/fail2ban.*
28 | # filter = blacklist
29 | # banaction = blacklist
30 | # bantime = 31536000 ; 1 year
31 | # findtime = 31536000 ; 1 year
32 | # maxretry = 10
33 | #
34 |
35 | [INCLUDES]
36 | before = iptables-common.conf
37 |
38 |
39 | [Definition]
40 | # Option: actionstart
41 | # Notes.: command executed once at the start of Fail2Ban.
42 | # Values: CMD
43 | #
44 |
45 | actionstart = iptables -N f2b-<name>
46 |               iptables -A f2b-<name> -j RETURN
47 |               iptables -I <chain> -p <protocol> -j f2b-<name>
48 |               # Sort and Check for Duplicate IPs in our text file and Remove Them
49 |               sort -u /etc/fail2ban/ip.blacklist -o /etc/fail2ban/ip.blacklist
50 |               # Persistent banning of IPs reading from our ip.blacklist text file
51 |               # and adding them to IPTables on our jail startup command (blank lines are skipped)
52 |               cat /etc/fail2ban/ip.blacklist | while read IP; do [ -n "$IP" ] || continue; iptables -I f2b-<name> 1 -s $IP -j DROP; done
53 |
54 | # Option: actionstop
55 | # Notes.: command executed once at the end of Fail2Ban
56 | # Values: CMD
57 | #
58 |
59 | actionstop = iptables -D <chain> -p <protocol> -j f2b-<name>
60 |              iptables -F f2b-<name>
61 |              iptables -X f2b-<name>
62 |
63 | # Option: actioncheck
64 | # Notes.: command executed once before each actionban command
65 | # Values: CMD
66 | #
67 |
68 | actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
69 |
70 | # Option: actionban
71 | # Notes.: command executed when banning an IP. Take care that the
72 | # command is executed with Fail2Ban user rights.
73 | # Tags: See jail.conf(5) man page
74 | # Values: CMD
75 | #
76 |
77 | actionban = iptables -I f2b-<name> 1 -s <ip> -j DROP
78 |             # Add the new IP ban to our ip.blacklist file
79 |             echo '<ip>' >> /etc/fail2ban/ip.blacklist
80 |             # I don't want reporting on any badboys service
81 |             # curl http://www.badips.com/add/badbots/<ip>/
82 |
83 | # Option: actionunban
84 | # Notes.: command executed when unbanning an IP. Take care that the
85 | # command is executed with Fail2Ban user rights.
86 | # Tags: See jail.conf(5) man page
87 | # Values: CMD
88 | #
89 | actionunban = iptables -D f2b-<name> -s <ip> -j DROP
90 |               # Remove IP from our ip.blacklist file (pattern anchored to the whole line so unbanning 1.2.3.4 cannot also delete 11.2.3.45)
91 |               sed -i -e '/^<ip>$/d' /etc/fail2ban/ip.blacklist
92 |
93 | [Init]
94 |
95 |
--------------------------------------------------------------------------------
/filter.d/blacklist.conf:
--------------------------------------------------------------------------------
1 | # /etc/fail2ban/filter.d/blacklist.conf
2 | # Fail2Ban Blacklist for Repeat Offenders (filter.d)
3 | #
4 | # Author: Mitchell Krog
5 | # Version: 1.1
6 | # GitHub: https://github.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning
7 | # Tested On: Fail2Ban 0.91
8 | # Server: Ubuntu 16.04
9 | # Firewall: IPTables
10 | #
11 | # Dependencies: requires blacklist.conf in /etc/fail2ban/action.d folder
12 | # requires jail settings called [blacklist]
13 | # requires ip.blacklist file in /etc/fail2ban
14 | # create with sudo touch /etc/fail2ban/ip.blacklist
15 | #
16 | # Drawbacks: Only works with IPTables
17 | #
18 | # Based on: the Recidive Jail from Fail2Ban
19 | #
20 | # This filter, based on the recidive filter, monitors the fail2ban log file
21 | # and enables you to add long bans for IP addresses that get banned
22 | # by fail2ban multiple times.
23 | #
24 | # Reasons to use this: Block persistent attackers for very long periods of time.
25 | # Controlled through a simple ip.blacklist text file
26 | #
27 | # Only works with IPTables
28 | # Your settings for this custom jail [blacklist] in jail.conf should have
29 | # 'findtime' and 'bantime' set higher than in all the other jails.
30 | #
31 | # This custom action requires a custom jail in your
32 | # jail.local file for Fail2Ban
33 | #
34 | # Your jail file would be configured as follows
35 | #
36 | # [blacklist]
37 | # enabled = true
38 | # logpath = /var/log/fail2ban.*
39 | # filter = blacklist
40 | # banaction = blacklist
41 | # bantime = 31536000 ; 1 year
42 | # findtime = 31536000 ; 1 year
43 | # maxretry = 10
44 | #
45 |
46 |
47 | [INCLUDES]
48 |
49 | # Read common prefixes. If any customizations available -- read them from
50 | # common.local
51 | before = common.conf
52 |
53 | [Definition]
54 |
55 | _daemon = fail2ban\.actions\s*
56 |
57 | # The name of the jail that this filter is used for. In jail.conf, name the
58 | # jail using this filter 'blacklist', or change this line!
59 | _jailname = blacklist
60 |
61 | failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
62 | ignoreregex =
63 |
64 | [Init]
65 |
66 | journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
67 |
68 | # Author: Mitchell Krog
--------------------------------------------------------------------------------
/jail.local:
--------------------------------------------------------------------------------
1 | # Refork version jail.local for oldstable fail2ban 0.8.13 Debian 8.1 "Jessie"
2 | #
3 | # Custom BlackList Jail Settings to add to your
4 | # jail.local file at the end
5 | # requires an action.d and filter.d conf file available at
6 | # GitHub: https://github.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning
7 | #
8 |
9 | [DEFAULT]
10 | port = 0:65535
11 | filter = %(__name__)s
12 |
13 | [blacklist]
14 | enabled = true
15 | logpath = /var/log/fail2ban.*
16 | filter = blacklist
17 | banaction = blacklist
18 | bantime = 31536000 ; 1 year
19 | findtime = 31536000 ; 1 year
20 | maxretry = 10
21 |
22 | #
23 | # bantime, findtime and maxretry can be modified
24 | # to your liking
25 | # make sure though that these values are set higher
26 | # than your other jails
27 | # log file location is wild-carded so rotated copies such as fail2ban.log.1
28 | # are read by Fail2Ban too (they are read as plain text, so compressed .gz copies are not parsed)
29 | #
30 | #
--------------------------------------------------------------------------------