> From: Jonathan Kamens <j...@kamens.us>
> Subject: [Fail2ban-users] Integrating fail2ban with DNSBLs
> To: fail2ban-users@lists.sourceforge.net
> Message-ID: <3cf7a49c-ad79-7bb8-969e-59b4aa8ad...@kamens.us>
> Content-Type: text/plain; charset="utf-8"
>
> It would be great if fail2ban had the ability to query DNS Blackhole
> Lists (DNSBLs) for the IP addresses appearing in suspicious log
> messages, and to use the presence of an address in a DNSBL as an
> indication that it should be banned right away, rather than waiting
> until the predetermined number of suspicious log messages shows up
> before banning an address.
>
> This would cut off attacks from a single address much faster, but more
> than that, it would address the fact that nowadays attacks are often
> spread across many IP addresses in a botnet, rather than all coming from
> one or a small number of addresses.
>
> I dug around a bit to see if anyone had written anything like this for
> fail2ban, and I couldn't find anything. The closest I was able to find
> was code for making fail2ban add banned IP addresses /to/ a DNSBL, not
> for querying DNSBLs to see if addresses are already in them.
>
> If in fact someone has already implemented the functionality I'm looking
> for and my Google-fu just wasn't good enough to find it, then please
> feel free to clue me in.
>
> I suppose I could have added this functionality to fail2ban myself, but
> you know what it's like to work on somebody else's code when you'd
> rather just write your own, so I hacked together a separate daemon that
> monitors log files for suspicious IPs, queries DNSBLs, and adds listed
> IPs to /etc/hosts.deny automatically. Here's my write-up about it, which
> has a link to the code:
>
> https://blog.kamens.us/2017/04/08/adding-malicious-ips-in-dnsbls-to-hosts-deny-automatically/
>
> Who knows, maybe this will be useful to someone else besides me. Please
> let me know if you find it so.
>
Great idea! Do you know if it would work with/in conjunction with the
f2b-badips-to-hostsdeny.sh script and not overwrite what it writes to in
the /etc/hosts.deny file?
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
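As an added, self-contained sketch of the flow Jonathan describes (pull addresses out of suspicious log lines, look each one up in DNSBLs, add listed ones to /etc/hosts.deny), written for this thread rather than taken from his daemon or from fail2ban: the lookup reverses the IPv4 octets under the DNSBL zone and treats only a 127.0.0.0/8 answer as a listing (NXDOMAIN means not listed), and the hosts.deny writer appends a single entry only when it is absent, which is what keeps it from clobbering entries another script, such as the one asked about in the reply, has already written. The zone names, the hosts.deny path, the sample log lines and the fake resolver are constructed assumptions of this example.

```python
import ipaddress
import re
import socket
from pathlib import Path

# Zones to query are an assumption of this example; choose the lists that suit
# your environment and check each list's query policy before relying on it.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]

# A listed address answers with an A record in 127.0.0.0/8; anything else is not a listing.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: IPv4 octets reversed, then the DNSBL zone appended."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def system_resolver(name: str):
    """Resolve with the system resolver; NXDOMAIN (not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def listed_in(ip: str, zones=DNSBL_ZONES, resolve=system_resolver) -> list:
    """Return the zones that list ip. Only a 127.0.0.0/8 answer counts as listed."""
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None and ipaddress.ip_address(answer) in LISTED_NET:
            hits.append(zone)
    return hits


def extract_ips(lines, allowlist=()) -> list:
    """Pull public IPv4 addresses out of log lines, skipping local ranges and the allowlist."""
    found = []
    for line in lines:
        for ip in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an address
            if any(addr in net for net in LOCAL_NETS) or ip in allowlist or ip in found:
                continue
            found.append(ip)
    return found


def add_to_hosts_deny(path, ip: str, daemon_list="ALL") -> bool:
    """Append 'ALL: ip' to hosts.deny unless already present; existing lines are never rewritten."""
    p = Path(path)
    entry = f"{daemon_list}: {ip}"
    existing = p.read_text().splitlines() if p.exists() else []
    if any(line.strip() == entry for line in existing):
        return False
    with p.open("a") as f:
        f.write(entry + "\n")
    return True


def scan_and_deny(lines, hosts_deny_path, zones=DNSBL_ZONES,
                  resolve=system_resolver, allowlist=()) -> dict:
    """Check every candidate IP against the DNSBLs and deny the listed ones. Returns {ip: [zones]}."""
    banned = {}
    for ip in extract_ips(lines, allowlist):
        zones_hit = listed_in(ip, zones, resolve)
        if zones_hit:
            add_to_hosts_deny(hosts_deny_path, ip)
            banned[ip] = zones_hit
    return banned


if __name__ == "__main__":
    # Constructed sample log lines (not real traffic) and a fake resolver so the demo runs offline.
    SAMPLE_LOG = [
        "Apr  8 10:01:02 host sshd[123]: Failed password for root from 203.0.113.5 port 40000 ssh2",
        "Apr  8 10:01:05 host sshd[124]: Failed password for admin from 192.168.1.20 port 40001 ssh2",
        "Apr  8 10:01:09 host sshd[125]: Invalid user test from 198.51.100.77 port 40002",
    ]
    fake_listed = {"5.113.0.203.zen.spamhaus.org": "127.0.0.2"}
    print(scan_and_deny(SAMPLE_LOG, "/tmp/hosts.deny.demo", resolve=fake_listed.get))
```

Passing `resolve=` lets the same code run against the real resolver in production and against a dictionary in tests; the append-only writer is deliberately dumb, so a second tool writing its own lines to the same file is left alone as long as each line is a complete `ALL: addr` entry.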