User:Hannes Röst/fail2ban

From Wikibooks, open books for an open world
Jump to: navigation, search

Fail2Ban is a software that uses iptables to ban IP addresses that behave badly.

FAQ[edit]

How to block mediawiki break-in attempts[edit]

Use this plugin and the code here:

How to create a custom filter[edit]

see below question "How can I ban all IPs that are banned often" for an example

How can I ban all IPs that are banned often[edit]

The idea here is to use the fail2ban log itself to ban IPs that have been banned often. The article above is somewhat outdated and we can make the following changes

# /etc/fail2ban/jail.conf
 
# 3 times banned in six hours => 24h ban
[Fail2BanFilter]
enabled = true
filter = fail2banfilter
action  = iptables-allports[name=f2bfilter, protocol=tcp]
logpath = /var/log/fail2ban.log
maxretry = 3
findtime = 21600
bantime  = 86400

To enable this, we need to create a file called fail2banfilter.conf (make sure that this matches what you write above in the filter parameter).

# /etc/fail2ban/filter.d/fail2banfilter.conf
[Definition]
failregex = WARNING .* Ban <HOST>

Resources[edit]