8

I have a fail2ban instance that works well.

But I also like to occasionally examine the logs manually and try to ID system probes that are working around my standard f2b definitions.

What I'm looking for is how I can define a jail that will last an extended period of time that I can manually use in a command like this:

fail2ban-client set $JAIL banip $IP

Can someone give me the syntax to specify a custom jail in the config file that isn't really triggered from log files (or it could be a standard jail that has some condition that might not make it actually trigger), that I can use in a manual statement? What I want to do is have a much longer ban time for manual bannings that I identify personally while looking through logs.

Jeff Schaller
  • 66,199
  • 35
  • 114
  • 250
Trent Three
  • 321
  • 3
  • 4

2 Answers2

9

Here's how I did this..

I added this to jail.local:

[manban]
enabled  = true
filter   = manban
action   = iptables[name=HTTP, port="80,443,110,995,25,465,143,585,993,587,21,22", protocol=tcp]
logpath  = /var/log/manban.log
maxretry = 1
# 1 month
bantime  = 2592000
findtime = 3600

Then I added the file /etc/fail2ban/filter.d/manban.conf:

[Definition]
failregex = ^\[\w{1,3}.\w{1,3}.\d{1,2}.\d{1,2}:\d{1,2}:\d{1,2} \d{1,4}. \[error] \[client.<HOST>].File does not exist:.{1,40}roundcube.{1,200}
ignoreregex =

I copied the filter protocol of another filter but point it to a file that doesn't exist, then I created a dummy file:

touch /var/log/manban.log

then run the command:

fail2ban-client reload

Now to manually ban an IP address for one month, type:

fail2ban-client set manban banip <IP>

This did the trick.

There are clients now that "learn" your fail2ban bantime, and will automatically adjust their system probes to not get banned. But when you look at the logs, it's obvious these are system probes. You can mess up their systems by creating extraordinary long ban times. You could also write a script that could dump IPs matching a certain criteria to your special ban log and have fail2ban ban them for an extended period of time.

Trent Three
  • 321
  • 3
  • 4
2

I was getting error with the configuration above:

iptables v1.6.0: invalid port/service 80,443,110,995,25,465,143 specified.

In case to apply iptables on multiple ports the action should be iptables-multiport: 

[manban]
enabled  = true
filter   = manban
action   = iptables-multiport[name=HTTP, port="80,443,110,995,25,465,220,585,587,8000,9600", protocol=tcp]
logpath  = /var/log/manban.log
maxretry = 1
# 1 month
bantime  = 2592000
findtime = 3600

this configuration works and properly updates the iptables rule set.

Evhz
  • 137
  • 8