On 13/07/2021 19:25, James Moe via Fail2ban-users wrote:
On 7/13/21 12:34 AM, Tom Hendrikx wrote:
Please post full configuration if you're not sure what to look for. I
have no idea what 'suricata' is though
Suricata is intrusion detection/prevention software.
Suricata is a Snort alternative. If it is anything like Snort, it can be
configured to be inside or outside the firewall. In ClearOS, it is
outside the firewall but I assume for other distros it is user configurable.
If it is outside the firewall (i.e. between the firewall and the
internet), then f2b blocks will not stop suricata from triggering, and
so you will continually see "already banned" messages. Can Suricata be
configured to set up its own firewall rules like snort/snortsam can? If
so, it would be better than using f2b.
----[ jail ]----
[suricata-1]
enabled = true
logpath = /data01/var/log/suricata/fast.log
datepattern = %%m/%%d/%%Y-%%H:%%M:%%S
#
bantime = 12w
maxretry = 1
findtime = 3w
action = iptables[name=sri-1, port="53", protocol=udp]
----[ end ]----
----[ filter ]----
[Definition]
__suricata-1_actions = (?:dropping|refusing)
#
# Sample
# 08/01/2020-09:50:43.513215 [Drop] [**] [1:2030555:1] ET INFO Outbound RRSIG DNS Query Observed [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.69.246:53 -> 72.196.10.7:30903
# 10/05/2020-09:27:35.208728 [Drop] [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 2.57.122.98:42312 -> 192.168.69.246:53
#
failregex = ^.*\[1\:2016016\:.*\].*? \{UDP\} <HOST>\:.*?
            ^.*\[1\:2101616\:.*\].*? \{UDP\} <HOST>\:.*?
            ^.*\[1\:2009702\:.*\].*? \{UDP\} <HOST>\:.*?
            ^.*\[1\:2030555\:.*\].*? \{UDP\}.*\-\> <HOST>\:.*?
ignoreregex =
datepattern = %%m/%%d/%%Y-%%H:%%M:%%S
----[ end ]----
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
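Added example, not part of the thread: a small Python check of the failregex lines above against the two fast.log samples from the filter plus one constructed non-matching line, roughly what running fail2ban-regex on the filter would show. It assumes a simplified IPv4-only stand-in for fail2ban's <HOST> placeholder and parses only the date prefix covered by the datepattern (the microseconds are ignored).

```python
import re
from datetime import datetime

# Stand-in for fail2ban's <HOST> placeholder (assumption: IPv4 only; the
# real substitution also covers IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The four failregex lines from the suricata-1 filter, verbatim.
FAILREGEX = [
    r"^.*\[1\:2016016\:.*\].*? \{UDP\} <HOST>\:.*?",
    r"^.*\[1\:2101616\:.*\].*? \{UDP\} <HOST>\:.*?",
    r"^.*\[1\:2009702\:.*\].*? \{UDP\} <HOST>\:.*?",
    r"^.*\[1\:2030555\:.*\].*? \{UDP\}.*\-\> <HOST>\:.*?",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Date prefix as described by datepattern %m/%d/%Y-%H:%M:%S (fractional
# seconds that follow it in fast.log are not part of the pattern).
DATE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2})")

# Constructed input: the two samples from the filter and one line with a
# placeholder signature id that the filter does not list.
SAMPLE_LOG = [
    "08/01/2020-09:50:43.513215 [Drop] [**] [1:2030555:1] ET INFO Outbound RRSIG "
    "DNS Query Observed [**] [Classification: Potentially Bad Traffic] [Priority: 2] "
    "{UDP} 192.168.69.246:53 -> 72.196.10.7:30903",
    "10/05/2020-09:27:35.208728 [Drop] [**] [1:2009702:5] ET POLICY DNS Update "
    "From External net [**] [Classification: Potential Corporate Privacy Violation] "
    "[Priority: 1] {UDP} 2.57.122.98:42312 -> 192.168.69.246:53",
    "10/05/2020-09:30:00.000001 [Drop] [**] [1:9999999:1] CONSTRUCTED unlisted "
    "signature [**] [Classification: Test] [Priority: 3] "
    "{UDP} 10.0.0.5:1234 -> 192.168.69.246:53",
]


def match_line(line):
    """Return (timestamp, host) when a failregex matches the line, else None."""
    d = DATE_RE.match(line)
    if not d:
        return None
    ts = datetime.strptime(d.group(1), "%m/%d/%Y-%H:%M:%S")
    for rx in COMPILED:
        m = rx.match(line)
        if m:
            return ts, m.group("host")
    return None


def scan(lines):
    """Collect the (timestamp, host) pairs fail2ban would count as failures."""
    return [r for r in (match_line(l) for l in lines) if r]
```

Note that the 2030555 rule captures the destination address (the external resolver of an outbound query), while the other three capture the source; the jail then bans that host on UDP/53 only.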