Block IP for ever! [SOLVED]

[Tony20]

Hello, It would be nice to be enable to permanent ban the IPs on the Fail2Ban Management list
If you are try to break in, I don't want you ever!

[Alexander]

Hello,

IPs may change and they could belong to a trusted user 1 month later, for example.

As an alternative, you may want to have a look into the keyhelp-recidive Fail2Ban Jail.
This jail is preconfigured by KeyHelp but currently not enabled by default.

Check out this file:

Code: Select all

/etc/fail2ban/jail.d/keyhelp.local

Scroll down to [keyhelp-recidive] and change "enabled = false" to "enabled = true". You can also set a higher bantime if you wish.
Please also note the warning text above!

After that, you need to restart fail2ban.

Code: Select all

service fail2ban restart

And from that moment, the jail and banned IPs should be displayed within the KeyHelp Fail2Ban UI.

(Also in the mentioned file above, there are some other Jails you may want to try out by enabling them.)

[technotravel]

Code: Select all

/etc/fail2ban/jail.d/keyhelp.local

Scroll down to [keyhelp-recidive]

In my file, there is only:

Code: Select all

[keyhelp-phpmyadmin]
enabled  = true
port     = http,https
filter   = keyhelp-phpmyadmin
logpath  = /var/log/auth.log
maxretry = 6

Hence no [keyhelp-recidive], and also no other sections

Is it possible, that my fail2ban is outdated, KH-wise? How could I bring it up to date?

And another question: I need to add a jail for asterisk, and have created a file for it in /etc/fail2ban/jail.d/ based on the instructions of Fail2ban, however the jail doesn't show up in the Panel (I had restarted fail2ban of course). Do I need to do anything else?

[tab-kh]

My file looks like that:
My server has a Debian 11 system installed, but I guess it should also work on other systems.

Code: Select all

# Created by KeyHelp.
#
# DO NOT CHANGE ANYTHING IN THIS FILE,
# CHANGES WILL BE LOST ON NEXT UPDATE!


# Web server

[keyhelp-apache]
enabled  = false
port     = http,https
filter   = apache-auth
logpath  = /home/users/*/logs/*error.log
maxretry = 10


# Mail server

[keyhelp-postfix]
enabled  = false
port     = smtp,ssmtp,smtps,submission,submissions
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 6

[keyhelp-dovecot]
enabled  = false
port     = pop3,pop3s,imap,imaps,submission,submissions,sieve
filter   = dovecot
logpath  = /var/log/mail.log
maxretry = 12


# FTP server

[keyhelp-proftpd]
enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


# Tools

[keyhelp-phpmyadmin]
enabled  = true
port     = http,https
filter   = keyhelp-phpmyadmin
logpath  = /var/log/auth.log
maxretry = 6

[keyhelp-roundcube]
enabled  = false
port     = http,https
filter   = roundcube-auth
logpath  = /home/keyhelp/www/roundcube/logs/errors.log
maxretry = 6


# Misc

# !!! WARNING !!!
# Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
[keyhelp-recidive]
enabled  = false
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive]
maxretry = 5
bantime  = 1w
findtime = 1d
root@mail01:~#

[technotravel]

Thanks for that!

My server is also on Debian 11 (upgraded from 10 by KH-script). Strange also that this file "survived" the recent KH-update, since it is prone to be overwritten by updates ...

I'll try the settings from your file.

[tab-kh]

This is the "original" keyhelp.local file, I never changed anything in it, so you will have to enable the jails you want to use.

[technotravel]

Ja, ist klar - ich habe sie alle (außer keyhelp-recidive) aktiviert, Ergebnis im Panel: 0 - so soll es sein

Dann habe ich in /etc/fail2ban/jail.d/keyhelp.local noch eine Sektion für asterisk hinzugefügt, und auch das hat funktioniert

Dieses eine scriptkiddy, das irgendwie meinen geänderten SIP-port rausgefunden hat, wird nun auch von fail2ban geblockt. Nicht, dass ich da größere Sorgen gehabt hätte, aber ein request pro Sekunde müllte mir einfach das log zu, daher musste da etwas geschehen über 20MB Log täglich ist nur unnötig ...

Alles gut - Danke!

Edit: Oops - wrote in German, hope that's ok for this thread ...