diff --git a/config/action.d/iptables-ipset-proto4.conf b/config/action.d/iptables-ipset-proto4.conf
new file mode 100644
index 00000000..f7d03f67
--- /dev/null
+++ b/config/action.d/iptables-ipset-proto4.conf
@@ -0,0 +1,71 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is for ipset protocol 4 (ipset v4.2). If you have a later version
+# of ipset try to use the iptables-ipset-proto6.conf as it does some things
+# nicer.
+#
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules.
+#
+# On Debian machines this can be done with:
+#
+# apt-get install ipset xtables-addons-source
+# module-assistant auto-install xtables-addons
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = ipset --create fail2ban- iphash
+ iptables -I INPUT -p -m multiport --dports -m set --match-set fail2ban- src -j DROP
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = iptables -D INPUT -p -m multiport --dports -m set --match-set fail2ban- src -j DROP
+ ipset --flush fail2ban-
+ ipset --destroy fail2ban-
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: IP address
+# Values: CMD
+#
+actionban = ipset --test fail2ban- || ipset --add fail2ban-
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: IP address
+# Values: CMD
+#
+actionunban = ipset --test fail2ban- && ipset --del fail2ban-
+
+[Init]
+
+# Defaut name of the ipset
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default: ssh
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
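Review bot: The `protocol` option is documented as accepting icmp and all, but actionstart and actionstop build the rule with `-m multiport --dports`, which iptables only accepts together with `-p tcp` or `-p udp` (also sctp/dccp), so those two values make the rule insertion fail and the set is created without any rule referencing it; the same applies to the proto6 file in this commit. Either narrow the documented values to `# Values: [ tcp | udp ] Default: tcp` or drop the multiport match when the protocol is not port-based. Separately, if a set with the same name survives an unclean stop, `ipset --create` in actionstart errors because `--flush`/`--destroy` in actionstop only ever run on a clean shutdown; a sentence in the actionstart comment saying the set must not pre-exist (or a manual cleanup hint) would save operators some confusion. Minor wording: `Defaut name` should read `Default name` and `you make need` should read `you may need`. The substitution tags for the set name and the banned IP appear to be missing from this rendering of the hunk, presumably lost in extraction, so the commands as shown here are not what the file should contain.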
diff --git a/config/action.d/iptables-ipset-proto6.conf b/config/action.d/iptables-ipset-proto6.conf
new file mode 100644
index 00000000..3352d63d
--- /dev/null
+++ b/config/action.d/iptables-ipset-proto6.conf
@@ -0,0 +1,78 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# Use ipset -V to see the protocol and version. Version 4 should use
+# iptables-ipset-proto4.conf.
+#
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules.
+#
+# On Debian machines this can be done with:
+#
+# apt-get install ipset xtables-addons-source
+# module-assistant auto-install xtables-addons
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = ipset create fail2ban- hash:ip timeout
+ iptables -I INPUT -p -m multiport --dports -m set --match-set fail2ban- src -j DROP
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = iptables -D INPUT -p -m multiport --dports -m set --match-set fail2ban- src -j DROP
+ ipset flush fail2ban-
+ ipset destroy fail2ban-
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: IP address
+# Values: CMD
+#
+actionban = ipset add fail2ban- timeout -exist
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: IP address
+# Values: CMD
+#
+actionunban = ipset del fail2ban- -exist
+
+[Init]
+
+# Defaut name of the ipset
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default: ssh
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option: bantime
+# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
+# Values: [ NUM ] Default: 600
+
+bantime = 600
+
+
diff --git a/config/jail.conf b/config/jail.conf
index ff0287a2..3f2425b4 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -101,6 +101,26 @@ action = hostsdeny
 ignoreregex = for myuser from
 logpath = /var/log/sshd.log
+# Here we use a combination of Netfilter/Iptables and IPsets
+# for storing large volumes of banned IPs
+#
+# IPset comes in two versions. See ipset -V for which one to use
+# requires the ipset package and kernel support.
+[ssh-iptables-ipset4]
+
+enabled = false
+filter = sshd
+action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
+logpath = /var/log/sshd.log
+maxretry = 5
+
+[ssh-iptables-ipset6]
+enabled = false
+filter = sshd
+action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
+logpath = /var/log/sshd.log
+maxretry = 5
+
 # This jail demonstrates the use of wildcards in "logpath".
 # Moreover, it is possible to give other files on a new line.
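Review bot: The bantime comment in the [Init] section says the timeout is "handled internally rather than by fail2ban", but fail2ban still runs actionunban after its own jail-level bantime, so two unrelated timers now govern one ban: when the action's bantime is shorter the kernel stops dropping the host while fail2ban still lists it as banned, and when it is longer the entry lingers after fail2ban has already unbanned it (the `-exist` on actionunban hides the first case rather than fixing it). The comment should state the coupling, for example `# Notes: seconds after which ipset itself expires the entry; keep equal to the jail's bantime, otherwise the kernel ban and fail2ban's ban list diverge`. On actionstart, ipset protocol 6 accepts `-exist` on create as well, so `ipset create fail2ban-NAME hash:ip timeout BANTIME -exist` (tags written out as in the rest of the file) would tolerate a set left behind by an unclean stop, since flush/destroy in actionstop only run on a clean shutdown; that holds only if the surviving set has identical parameters, which is worth saying in the comment. The `Defaut` and `make need` typos from the proto4 file are repeated here.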
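Review bot: The `bantime=600` passed to iptables-ipset-proto6 in the [ssh-iptables-ipset6] action line is a separate value from the jail's own bantime (the file's default is also 600, so the two agree only by coincidence), and nothing visible in this hunk propagates the jail setting into the action, so an operator who raises bantime for this jail will still see the ipset entry expire after 600 s. A comment above the action line would prevent that, e.g. `# bantime here must match the jail bantime: ipset expires entries on its own`. Two smaller points: `[ssh-iptables-ipset6]` is missing the blank line after the header that `[ssh-iptables-ipset4]` and the surrounding jails have, and the intro comment `See ipset -V for which one to use requires the ipset package and kernel support.` runs two sentences together and needs a break after `use`. The ignoreregex context line appears to have lost its host tag in this rendering, presumably in extraction, and is not part of the change.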