Block IP for ever!  [SOLVED]

Tony20
Posts: 45
Joined: Tue 7. Apr 2020, 19:21

Block IP for ever!

Post by Tony20 »

Hello, it would be nice to be able to permanently ban the IPs on the Fail2Ban Management list.
If you are trying to break in, I don't want you ever!
Alexander
Keyweb AG
Posts: 3810
Joined: Wed 20. Jan 2016, 02:23

Re: Block IP for ever!  [SOLVED]

Post by Alexander »

Hello,

IPs may change and they could belong to a trusted user 1 month later, for example.

As an alternative, you may want to have a look into the keyhelp-recidive Fail2Ban Jail.
This jail is preconfigured by KeyHelp but currently not enabled by default.

Check out this file:

Code:

/etc/fail2ban/jail.d/keyhelp.local

Scroll down to [keyhelp-recidive] and change "enabled = false" to "enabled = true". You can also set a higher bantime if you wish.
Please also note the warning text above!

After that, you need to restart fail2ban.

Code:

service fail2ban restart

And from that moment, the jail and banned IPs should be displayed within the KeyHelp Fail2Ban UI.

(Also in the mentioned file above, there are some other Jails you may want to try out by enabling them.)
Mit freundlichen Grüßen / Best regards
Alexander Mahr

**************************************************************
Keyweb AG - Die Hosting Marke
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************
technotravel
KeyHelp Translator
Posts: 263
Joined: Mon 19. Oct 2020, 11:11

Re: Block IP for ever!

Post by technotravel »

Alexander wrote: Mon 4. Jul 2022, 14:45

Code:

/etc/fail2ban/jail.d/keyhelp.local

Scroll down to [keyhelp-recidive]

In my file, there is only:

Code:

[keyhelp-phpmyadmin]
enabled  = true
port     = http,https
filter   = keyhelp-phpmyadmin
logpath  = /var/log/auth.log
maxretry = 6

Hence no [keyhelp-recidive], and also no other sections :o

Is it possible that my fail2ban is outdated, KH-wise? How could I bring it up to date?

And another question: I need to add a jail for asterisk, and have created a file for it in /etc/fail2ban/jail.d/ based on the instructions of Fail2ban, however the jail doesn't show up in the Panel (I had restarted fail2ban of course). Do I need to do anything else?
Dear French speakers, I am translating KeyHelp into French. If there are errors or suggestions for improvement, don't hesitate to contact me!
(I am translating KeyHelp into French)
tab-kh
Posts: 450
Joined: Thu 22. Apr 2021, 23:06

Re: Block IP for ever!

Post by tab-kh »

My file looks like that:
My server has a Debian 11 system installed, but I guess it should also work on other systems.

Code:

# Created by KeyHelp.
#
# DO NOT CHANGE ANYTHING IN THIS FILE,
# CHANGES WILL BE LOST ON NEXT UPDATE!


# Web server

[keyhelp-apache]
enabled  = false
port     = http,https
filter   = apache-auth
logpath  = /home/users/*/logs/*error.log
maxretry = 10


# Mail server

[keyhelp-postfix]
enabled  = false
port     = smtp,ssmtp,smtps,submission,submissions
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 6

[keyhelp-dovecot]
enabled  = false
port     = pop3,pop3s,imap,imaps,submission,submissions,sieve
filter   = dovecot
logpath  = /var/log/mail.log
maxretry = 12


# FTP server

[keyhelp-proftpd]
enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


# Tools

[keyhelp-phpmyadmin]
enabled  = true
port     = http,https
filter   = keyhelp-phpmyadmin
logpath  = /var/log/auth.log
maxretry = 6

[keyhelp-roundcube]
enabled  = false
port     = http,https
filter   = roundcube-auth
logpath  = /home/keyhelp/www/roundcube/logs/errors.log
maxretry = 6


# Misc

# !!! WARNING !!!
# Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
[keyhelp-recidive]
enabled  = false
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive]
maxretry = 5
bantime  = 1w
findtime = 1d
root@mail01:~#
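
An added example (not from the thread or from KeyHelp): a small Python check of the [keyhelp-recidive] section posted above, covering what the thread turns on: whether the section exists, whether it is enabled, the DEBUG loglevel warning, and a permanent bantime. The function names, the sample text and the loglevel argument are assumptions, and the time parsing covers only a subset of Fail2Ban's syntax.

```python
import configparser
import re

# Constructed sample: the [keyhelp-recidive] section as posted above,
# edited the way Alexander describes (enabled = true).
SAMPLE = """
[keyhelp-recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive]
maxretry = 5
bantime  = 1w
findtime = 1d
"""

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def to_seconds(value):
    """Convert '1w', '1d', '600' or '-1' to seconds (subset of Fail2Ban's syntax)."""
    m = re.fullmatch(r"(-?\d+)\s*([smhdw]?)", value.strip().lower())
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def audit_recidive(jail_text, loglevel="INFO", name="keyhelp-recidive"):
    """Return a list of findings for the recidive jail in jail_text."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep %(...)s literal
    cfg.read_string(jail_text)
    if name not in cfg:
        return [f"[{name}] section is missing from this file"]
    jail, findings = cfg[name], []
    if not jail.getboolean("enabled", fallback=False):
        findings.append("jail is disabled (enabled = false)")
    # The warning in keyhelp.local: recidive reads fail2ban's own log, so
    # DEBUG logging can make fail2ban feed on its own output.
    if loglevel.upper() == "DEBUG" and "fail2ban.log" in jail.get("logpath", ""):
        findings.append("loglevel is DEBUG while the jail reads fail2ban.log")
    # "10m" is an assumed fallback; the real one comes from [DEFAULT].
    if to_seconds(jail.get("bantime", "10m")) < 0:
        findings.append("bantime is negative: bans never expire")
    return findings
```

An empty list means the section is present, enabled and free of the conditions checked; the loglevel has to be read from fail2ban.conf/.local and passed in by the caller.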
technotravel
KeyHelp Translator
Posts: 263
Joined: Mon 19. Oct 2020, 11:11

Re: Block IP for ever!

Post by technotravel »

Thanks for that!

My server is also on Debian 11 (upgraded from 10 by KH-script). Strange also that this file "survived" the recent KH-update, since it is prone to be overwritten by updates ...

I'll try the settings from your file.
tab-kh
Posts: 450
Joined: Thu 22. Apr 2021, 23:06

Re: Block IP for ever!

Post by tab-kh »

This is the "original" keyhelp.local file, I never changed anything in it, so you will have to enable the jails you want to use.
technotravel
KeyHelp Translator
Posts: 263
Joined: Mon 19. Oct 2020, 11:11

Re: Block IP for ever!

Post by technotravel »

Yes, that's clear - I have enabled them all (except keyhelp-recidive), result in the panel: 0 - as it should be :D

Then I added a section for asterisk in /etc/fail2ban/jail.d/keyhelp.local, and that worked too :lol:

That one script kiddie who somehow found out my changed SIP port is now also blocked by fail2ban. Not that I had any major worries about it, but one request per second was simply cluttering up my log, so something had to be done :evil: over 20 MB of log per day is just unnecessary ...

All good - thanks! :mrgreen:

Edit: Oops - wrote in German, hope that's ok for this thread ...