On 08/10/2021 16:41, Robert Kudyba wrote:
> I've noticed that I have a number of slow distributed attacks
> happening on my server which evade fail2ban by using a pool of IP
> addresses.
> I've been looking at the sqlite db and it looks like the data field
> in the bips table can have all the data I need to have a
> supplemental script which runs periodically and looks for a
> "threshold number" of failed logins over a time period against the
> same account and bans all IPs that tried. I've already instrumented
> my filters with the <f-user> tags so that the account name is
> available in the JSON data.
> Has anyone tried this? I only started looking at fail2ban a few days
> ago. Are there any holes in the approach I'm suggesting?
F2B has an open request for IP ranges/CIDR:
https://github.com/fail2ban/fail2ban/issues/927
Banning a fixed subnet mask every time is quite easy with ipset. I have
an /etc/fail2ban/action.d/iptables-ipset-proto6-subnet.conf like:
[root@server ~]# egrep -v '^(#|$)' /etc/fail2ban/action.d/iptables-ipset-proto6-subnet.conf
[INCLUDES]
before = iptables-common.conf
[Definition]
actionstart = ipset create <ipmset> hash:net timeout <default-timeout><familyopt>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
actionflush = ipset flush <ipmset>
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
             <actionflush>
             ipset destroy <ipmset>
actionban = ipset add <ipmset> <ip>/24 timeout <bantime> -exist
actionprolong = %(actionban)s
actionunban = ipset del <ipmset> <ip>/24 -exist
[Init]
default-timeout = 600
ipmset = f2b-<name>
familyopt =
[Init?family=inet6]
ipmset = f2b-<name>6
familyopt = <sp>family inet6
Regards,
Nick
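The two ideas in this thread, a periodic script that groups fail2ban's sqlite rows by target account and flags accounts hit from many IPs, and collapsing the offending IPs into the subnet entries an `ipset add <set> <ip>/24` would store, can be put together in one script. The following is an added example written for this page; it is not code from either poster or from the fail2ban project. It builds its own in-memory copy of a `bips`-style table with constructed rows, so the column layout and the `user` key inside the JSON `data` field are assumptions modelled on the thread, not a verified fail2ban schema. The /64 prefix used for IPv6 entries is likewise this example's choice, since the posted action applies `/24` to IPv6 addresses as well, where it would cover a vastly larger range.

```python
import ipaddress
import json
import sqlite3
import time
from collections import defaultdict

# Constructed schema modelled on the `bips` table mentioned in the thread:
# column names are an assumption for this example, not fail2ban's verified layout.
SCHEMA = """
CREATE TABLE bips (
    jail      TEXT    NOT NULL,
    ip        TEXT    NOT NULL,
    timeofban INTEGER NOT NULL,
    bantime   INTEGER NOT NULL,
    bancount  INTEGER NOT NULL,
    data      TEXT
)
"""


def load_constructed_db(now):
    """Return an in-memory DB holding constructed sample rows: a slow campaign
    against 'admin' from four IPs spread over two /24s and one IPv6 /64, one
    unrelated failure against 'bob', and one stale 'admin' row outside the window."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [
        ("sshd", "203.0.113.10",  now - 3000,  600, 1, {"user": "admin", "failures": 5}),
        ("sshd", "203.0.113.77",  now - 2400,  600, 1, {"user": "admin", "failures": 5}),
        ("sshd", "198.51.100.5",  now - 1800,  600, 1, {"user": "admin", "failures": 5}),
        ("sshd", "2001:db8:1::5", now - 900,   600, 1, {"user": "admin", "failures": 5}),
        ("sshd", "192.0.2.9",     now - 100,   600, 1, {"user": "bob",   "failures": 5}),
        ("sshd", "192.0.2.200",   now - 90000, 600, 1, {"user": "admin", "failures": 5}),
    ]
    conn.executemany(
        "INSERT INTO bips VALUES (?, ?, ?, ?, ?, ?)",
        [(j, ip, t, bt, bc, json.dumps(d)) for j, ip, t, bt, bc, d in rows],
    )
    return conn


def ips_by_account(conn, jail, now, window):
    """Map account name -> set of source IPs recorded for that account in `jail`
    within the last `window` seconds. The 'user' key (assumed to come from the
    <F-USER> filter tag) is read from the JSON `data` column."""
    per_account = defaultdict(set)
    cur = conn.execute(
        "SELECT ip, data FROM bips WHERE jail = ? AND timeofban >= ?",
        (jail, now - window),
    )
    for ip, data in cur:
        user = (json.loads(data) if data else {}).get("user")
        if user:
            per_account[user].add(ip)
    return per_account


def distributed_targets(conn, jail, now, window=86400, threshold=3):
    """Return {account: sorted list of IPs} for every account attacked from at
    least `threshold` distinct IPs inside the window: the 'threshold number'
    check from the original question."""
    return {
        user: sorted(ips)
        for user, ips in ips_by_account(conn, jail, now, window).items()
        if len(ips) >= threshold
    }


def subnet_entries(ips, v4_prefix=24, v6_prefix=64):
    """Collapse IPs into the network entries `ipset add <set> <ip>/<prefix>`
    would store in a hash:net set: /24 for IPv4 as in the posted action, and
    an assumed /64 for IPv6 so one entry does not swallow most of the v6 space."""
    nets = set()
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        prefix = v4_prefix if addr.version == 4 else v6_prefix
        nets.add(str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)))
    return sorted(nets)


if __name__ == "__main__":
    now = int(time.time())
    conn = load_constructed_db(now)
    for user, ips in distributed_targets(conn, "sshd", now).items():
        print(f"{user}: {len(ips)} distinct IPs -> ipset entries {subnet_entries(ips)}")
```

Run as-is it reports only `admin`: four distinct IPs inside the 24-hour window, the stale row excluded, and `bob` below the threshold. One caveat worth checking before relying on this: the `bips` table records IPs that fail2ban has already banned, so a source that stays under `maxretry` per IP never appears in it; if that is the evasion being used, the script has to read the raw log matches rather than the ban records.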
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users