Kaai24
dev studios

Fail2Ban

Automatically block IP addresses that fail to log in


If you run any kind of publicly accessible server, someone will try to gain access to it in some way. A very popular solution to this problem is to automatically block the offending IP addresses (using iptables).

Install on Debian

This can be done with the fail2ban package, so install it with

apt install fail2ban

Config

The package ships a default config file, but it is better to harden it. Rather than editing that file directly, copy it to a local override file, which takes precedence:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Set these values in /etc/fail2ban/jail.local to your liking:

...
# "bantime" is the number of seconds that a host is banned.
bantime  = 10800

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 300

# "maxretry" is the number of failures before a host get banned.
maxretry = 3
...

This results in the rule: 3 failures within 300 seconds lead to a 10800 second (3 hour) ban. In other words, you can try 2 passwords within 5 minutes; one more blocks you for 3 hours, so a host can collect at most 24 failures per 24 hours.
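To check that arithmetic, here is an added example (not from the original post and not fail2ban's own code) that replays login failures of one host through the findtime / maxretry / bantime policy. It assumes a strict sliding window of findtime seconds and a counter that is reset when the host is banned; fail2ban's real bookkeeping differs in details, so treat it as a model of the intended policy.

```python
"""Model of a fail2ban jail's findtime / maxretry / bantime policy.

Added example; assumption: a strict sliding window of `findtime` seconds and a
fresh counter after each ban. Real fail2ban bookkeeping differs in details.
"""

# The values set in jail.local above.
FINDTIME = 300      # seconds
MAXRETRY = 3
BANTIME = 10800     # seconds (3 hours)


def simulate_bans(failures, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Replay login failures (timestamps in seconds) of one host through the jail.

    Returns (bans, seen): `bans` is a list of (ban_start, ban_end) pairs and
    `seen` the number of failures that actually reached the service. Failures
    that arrive while the host is banned are REJECTed by iptables, so the jail
    never sees them and they do not count.
    """
    bans = []
    window = []        # failures inside the current findtime window
    banned_until = -1
    seen = 0
    for t in sorted(failures):
        if t < banned_until:
            continue                       # rejected at the firewall
        seen += 1
        window = [x for x in window if t - x <= findtime]
        window.append(t)
        if len(window) >= maxretry:
            bans.append((t, t + bantime))
            banned_until = t + bantime
            window = []                    # counter is dropped when the host is banned
    return bans, seen


def attempts_admitted(horizon=86400, **policy):
    """Worst case for a host that retries every second for `horizon` seconds:
    how many failures get through and how many bans it collects."""
    bans, seen = simulate_bans(range(horizon), **policy)
    return seen, len(bans)


if __name__ == "__main__":
    # Constructed timestamps: two quick failures, then two more after the window
    print(simulate_bans([0, 60, 400, 450]))        # ([], 4): no ban yet
    print(simulate_bans([0, 60, 120]))             # ([(120, 10920)], 3)
    print(attempts_admitted())                     # (24, 8): 24 fails per 24 h
    print(attempts_admitted(bantime=21600))        # (12, 4): doubling bantime halves it
```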

Then leave it running for a day. It writes its log to /var/log/fail2ban.log. To get a summary of which networks (grouped by their first two octets, i.e. per /16) are the worst offenders, use

zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | awk -F\. '{print $1"."$2"."}' | sort | uniq -c  | sort -n

Permanent rules*

If you want to block a network permanently, use the following (where 222.186.0.0/16 is the matching network, of course; -A adds a rule, -D deletes it):

iptables -A INPUT -s 222.186.0.0/16 -j REJECT

And display the current rules with

iptables -L -n

* But iptables rules are lost after a reboot. A truly permanent config will follow soon.

These IP ranges are the most offensive ones

These are the IP ranges that tried to hack us the most (not sorted, but every one of them has over 300 tries)

(Edited 22-02-20)
