Fail2Ban IP-Range mit Blackliste blocken

Ich war auf der Suche nach einer Möglichkeit ganze IP-Bereiche mit Fail2Ban zu blocken. Um IP Bereiche blocken zu können ergänzen wir zuerst die jail.local (Debain: /etc/fail2ban/)

jail.local

[ip-blacklist]
enabled   = true
port      = anyport
action = action_ip-blacklist
filter    = filter_ip-blacklist
logpath   = /etc/fail2ban/ip-blacklist
maxretry  = 0
findtime  = 15552000
bantime   = -1

[ip-blacklist24]
enabled   = true
port      = anyport
action    = action_ip-blacklist[mask=24]
filter    = filter_ip-blacklist24
logpath   = /etc/fail2ban/ip-blacklist
maxretry  = 0
findtime  = 15552000
bantime   = -1

[ip-blacklist16]
enabled   = true
port      = anyport
action    = action_ip-blacklist[mask=16]
filter    = filter_ip-blacklist16
logpath   = /etc/fail2ban/ip-blacklist
maxretry  = 0
findtime  = 15552000
bantime   = -1

[ip-blacklist8]
enabled   = true
port      = anyport
action    = action_ip-blacklist[mask=8]
filter    = filter_ip-blacklist8
logpath   = /etc/fail2ban/ip-blacklist
maxretry  = 0
findtime  = 15552000
bantime   = -1

Danach erstellen wir die action Konfiguration (Debain: /etc/fail2ban/action.d/).

action_ip-blacklist.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip>/<mask> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip>/<mask> -j DROP

[Init]

# Defaut name of the chain
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: all
#
protocol = all

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

# Option:  mask
# Notes.:  used to ban an address-range by netmask(s) in CIDR notation.
# Values:  [ 32 | 24 | 16 | 8 ] Default: 32
#
mask = 32

Im nächsten Schritt erzeugen wir unsere 4 verschiedenen Filter Konfigurationen für die IP-Bereiche (Debian: /etc/fail2ban/filter.d/).

filter_ip-blacklist.conf

[Definition]

# Option:  failregex
# Notes :  Detection of blocked ip addresses.
# Values:  TEXT
#

failregex = ^<HOST>(/32.*|[^/].*)?$

# Option:  ignoreregex
# Notes :  Regex to ignore.
# Values:  TEXT
#

ignoreregex =

filter_ip-blacklist24.conf

[Definition]

# Option:  failregex
# Notes :  Detection of blocked ip addresses.
# Values:  TEXT
#

failregex = ^<HOST>/24.*$

# Option:  ignoreregex
# Notes :  Regex to ignore.
# Values:  TEXT
#

ignoreregex =

filter_ip-blacklist16.conf

[Definition]

# Option:  failregex
# Notes :  Detection of blocked ip addresses.
# Values:  TEXT
#

failregex = ^<HOST>/16.*$

# Option:  ignoreregex
# Notes :  Regex to ignore.
# Values:  TEXT
#

ignoreregex =

filter_ip-blacklist8.conf

[Definition]

# Option:  failregex
# Notes :  Detection of blocked ip addresses.
# Values:  TEXT
#

failregex = ^<HOST>/8.*$

# Option:  ignoreregex
# Notes :  Regex to ignore.
# Values:  TEXT
#

ignoreregex =

Als letzten Schritt können wir nun unsere Datei mit der Liste der sperrenden IP Adressen erstellen (Debian: /etc/fail2ban/)

ip-blacklist

########################################
#
# Single IP Example:
# 10.10.10.10       [2015-01-01 12:00:00]
# 10.10.10.10/32    [2015-01-01 12:00:00]
#
#########################################
#
# IP Range Options:
# 10.10.10.10/24 = 10.10.10.*
# 10.10.10.10/16 = 10.10.*.*
# 10.10.10.10/8  = 10.*.*.*
#
#########################################
#
# IP Range Examples:
# 10.10.10.10/16    [2015-01-01 12:00:00]
# 10.10.10.10/24    [2015-01-01 12:00:00]
#
#########################################

Zu guter letzt muss Fail2Ban neu geladen werden, immer wenn die Blackliste verändert wird (Debian: /etc/init.d/fail2ban reload).

Das wars, nun können einfach ganze IP-Bereiche (aber auch einzelne IP-Adressen) über die Datei ip-blacklist geblockt werden.

05.02.2015 19:22

Sven's Blog – Die alltäglichen Kostbarkeiten