It would be great if fail2ban had the ability to query DNS Blackhole
Lists (DNSBLs) for the IP addresses appearing in suspicious log
messages, and to use the presence of an address in a DNSBL as an
indication that it should be banned right away, rather than waiting
until the predetermined number of suspicious log messages shows up
before banning an address.
This would cut off attacks from a single address much faster, but more
than that, it would address the fact that nowadays attacks are often
spread across many IP addresses in a botnet, rather than all coming from
one or a small number of addresses.
I dug around a bit to see if anyone had written anything like this for
fail2ban, and I couldn't find anything. The closest I was able to find
was code for making fail2ban add banned IP addresses /to/ a DNSBL, not
for querying DNSBLs to see if addresses are already in them.
If in fact someone has already implemented the functionality I'm looking
for and my Google-fu just wasn't good enough to find it, then please
feel free to clue me in.
I suppose I could have added this functionality to fail2ban myself, but
you know what it's like to work on somebody else's code when you'd
rather just write your own, so I hacked together a separate daemon that
monitors log files for suspicious IPs, queries DNSBLs, and adds listed
IPs to /etc/hosts.deny automatically. Here's my write-up about it, which
has a link to the code:
https://blog.kamens.us/2017/04/08/adding-malicious-ips-in-dnsbls-to-hosts-deny-automatically/
Who knows, maybe this will be useful to someone else besides me. Please
let me know if you find it so.
jik
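As an added illustration of the approach described in the message above (log scraping, DNSBL lookup by reversed octets, append to /etc/hosts.deny), here is a self-contained Python sketch. It is not the poster's daemon and not fail2ban code; the log lines, the zone names `dnsbl.example` / `bl.example`, and the `demo_resolver` answers are all constructed for offline use, and the failed-login regex is a single placeholder pattern rather than fail2ban's failregex set.

```python
import ipaddress
import re
import socket
from typing import Callable, Iterable, List, Tuple

# Constructed sshd-style log lines for offline use; not real log data.
SAMPLE_LOG = """\
Apr  8 10:01:02 host sshd[1234]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Apr  8 10:01:05 host sshd[1235]: Failed password for root from 203.0.113.7 port 40022 ssh2
Apr  8 10:01:09 host sshd[1236]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Apr  8 10:01:11 host sshd[1237]: Failed password for invalid user test from 10.0.0.5 port 1234 ssh2
Apr  8 10:01:12 host sshd[1238]: Failed password for root from 203.0.113.7 port 40023 ssh2
"""

# One failed-login pattern; a real daemon would reuse fail2ban's failregex set.
FAILED_RE = re.compile(r"Failed password for .* from (\S+) port \d+")

# Hypothetical zone names; substitute the DNSBLs you actually trust for SSH abuse.
DNSBL_ZONES = ["dnsbl.example", "bl.example"]

# Addresses that can never be DNSBL hits and must never be pushed into hosts.deny.
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# DNSBLs signal "listed" with an A record inside 127.0.0.0/8.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def suspicious_ips(log_text: str) -> List[str]:
    """Unique IPv4 addresses from failed-login lines, first-seen order, private/loopback dropped."""
    seen: List[str] = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # a hostname or junk where an address should be
        if addr.version != 4 or any(addr in net for net in SKIP_NETS):
            continue
        if str(addr) not in seen:
            seen.append(str(addr))
    return seen


def dnsbl_query_name(ip: str, zone: str) -> str:
    """198.51.100.23 in zone Z -> 23.100.51.198.Z (octets reversed, the DNSBL convention)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip: str, zone: str, resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True only when the zone answers with an address in 127.0.0.0/8.
    NXDOMAIN (socket.gaierror) means not listed; an answer outside 127/8 is also
    treated as not listed, since it usually comes from a wildcard or captive resolver."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False
    try:
        return ipaddress.ip_address(answer) in LISTED_NET
    except ValueError:
        return False


def listed_ips(ips: Iterable[str], zones: Iterable[str] = DNSBL_ZONES,
               resolve: Callable[[str], str] = socket.gethostbyname) -> List[Tuple[str, str]]:
    """(ip, zone) for every address listed in at least one zone; first hit wins."""
    hits = []
    for ip in ips:
        for zone in zones:
            if is_listed(ip, zone, resolve):
                hits.append((ip, zone))
                break
    return hits


def append_to_hosts_deny(hits: Iterable[Tuple[str, str]], path: str = "/etc/hosts.deny") -> List[str]:
    """Append 'ALL: <ip>' for each hit not already present; returns the addresses written.
    The reason goes on its own '#' line because hosts_access(5) only treats
    lines that begin with '#' as comments."""
    present = set()
    try:
        with open(path) as f:
            present = {m.group(1) for m in (re.match(r"\s*ALL\s*:\s*(\S+)", ln) for ln in f) if m}
    except FileNotFoundError:
        pass
    added = []
    with open(path, "a") as f:
        for ip, zone in hits:
            if ip in present:
                continue
            f.write(f"# dnsbl-deny: listed in {zone}\nALL: {ip}\n")
            present.add(ip)
            added.append(ip)
    return added


def demo_resolver(name: str) -> str:
    """Stand-in for socket.gethostbyname with constructed answers (offline demo only)."""
    table = {
        "23.100.51.198.dnsbl.example": "127.0.0.2",  # a genuine listing
        "7.113.0.203.bl.example": "10.1.2.3",        # bogus non-127/8 answer, must be ignored
    }
    if name in table:
        return table[name]
    raise socket.gaierror(-2, "Name or service not known")  # NXDOMAIN


if __name__ == "__main__":
    for ip, zone in listed_ips(suspicious_ips(SAMPLE_LOG), resolve=demo_resolver):
        print(f"{ip} is listed in {zone}; would add 'ALL: {ip}' to /etc/hosts.deny")
```

Two caveats before running something like this for real: each DNSBL documents its own 127.0.0.x return codes, and some reserve special codes for "query refused" or "over quota", so check the specific code rather than banning on any 127/8 answer; and /etc/hosts.deny only affects tcp_wrappers-aware services (upstream OpenSSH dropped libwrap support in 6.7), so confirm your sshd actually consults it, or point the action at a firewall instead.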
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users