[Fail2ban-users] Firewalld/ipset ban repeated offenders

[Dave Macias]

Im trying to figure out how to set this up.
I've googled a bit and all i've seen articles using `iptables` which we
dont use. I've also seen that you can use the recidive filter for this but
this too uses iptables :(

Trying to follow this article but adjusting to ipset but nada.
https://wireflare.com/blog/permanently-ban-repeat-offenders-with-fail2ban/

I can see the new jail is being created but no perm ban. i suspect because
they are already banned by the temp ban [sshd2]. Not sure how to fix that

$ ipset list
> Name: fail2ban-repeatoffender
> Type: hash:ip
> Revision: 1
> Header: family inet hashsize 1024 maxelem 65536 timeout 600
> Size in memory: 16528
> References: 1
> Members:
>
> Name: fail2ban-sshd2
> Type: hash:ip
> Revision: 1
> Header: family inet hashsize 1024 maxelem 65536 timeout 86400
> Size in memory: 16656
> References: 1
> Members:
> 49.4.135.88 timeout 86295
> 45.55.228.232 timeout 86305

/etc/fail2ban/jail.d/repeatoffender.local
> [repeatoffender]
>
> enabled  = true
> filter   = repeatoffender
> findtime = 2592000
> logpath  = /var/log/fail2ban*
> maxretry = 3
> bantime  = -1
> action   = repeatoffender[name=repeatoffender]

/etc/fail2ban/filter.d/repeatoffender.conf
> [INCLUDES]
> before = common.conf
> [Definition]
> failregex = ^%(__prefix_line)sfail2ban.actions\s+\[(?:.*)\]\s+Ban\s+<HOST>
> ignoreregex =

/etc/fail2ban/action.d/repeatoffender.conf
> [INCLUDES]
> before = iptables-common.conf
> [Definition]
> actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
>               firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p
<protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name>
src -j <blocktype>
>               FILE=/etc/fail2ban/ip.blocklist.<name>
>               cat /etc/fail2ban/ip.blocklist.<name> | while read IP; do
ipset add fail2ban-<name> <ip> timeout <bantime> -exist; done
> actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p
<protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name>
src -j <blocktype>
>              ipset flush fail2ban-<name>
>              ipset destroy fail2ban-<name>
> actionban = VERIFY="<ip>"
>             ADD="<ip>        # fail2ban/$( date '+%%Y-%%m-%%d %%T' ):
Permanent-Banned"
>             FILE=/etc/fail2ban/ip.blocklist.<name>
>             grep -q "$VERIFY" "$FILE" || ipset add fail2ban-<name> <ip>
timeout <bantime> -exist
>             grep -q "$VERIFY" "$FILE" || echo "$ADD" >> "$FILE"
> actionunban =
> [Init]
> chain = INPUT_direct
> bantime = 600



any input is appreciated

thank you,
dave

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users