Access control using Fail2Ban and geoip: Difference between revisions

From munkjensen.net/wiki
No edit summary
No edit summary
Line 10: Line 10:
should give you  
should give you  
<code>GeoIP Country Edition: US, United States</code>
<code>GeoIP Country Edition: US, United States</code>
=== Fail2Ban ===
I assume Fail2ban is already installed and configured.
Create an action script:
<code>sudo vi /etc/fail2ban/action.d/geohostsdeny.conf</code>
[Definition]
# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart =
# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop =
# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          Excludes PH|Philippines from banning.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = IP=<ip> &&
            COUNTRY=$(geoiplookup $IP | egrep "<country_list>") && [ "$COUNTRY" ] ||
            (printf %%b "<daemon_list>: $IP\n" >> <file>)
# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>
[Init]
# Option:  country_list
# Notes.:  List of exempted countries separated by pipe "|"
# Values:  STR  Default: 
#
country_list = PH|Philippines
# Option:  file
# Notes.:  hosts.deny file path.
# Values:  STR  Default:  /etc/hosts.deny
#
file = /etc/hosts.deny
# Option:  daemon_list
# Notes:  The list of services that this action will deny. See the man page
#          for hosts.deny/hosts_access. Default is all services.
# Values:  STR  Default: ALL
daemon_list = ALL
== Reference ==
* http://kbeezie.com/geoiplookup-command-line/
* https://www.webfoobar.com/node/54

Revision as of 12:19, 26 May 2017

Geolookup

In order to do a geolookup from the command line, we have to get the GeoIP binary and database installed.

apt-get install geoip-bin geoip-database

Test it: geoiplookup 8.8.8.8 should give you GeoIP Country Edition: US, United States

Fail2Ban

I assume Fail2ban is already installed and configured.

Create an action script: sudo vi /etc/fail2ban/action.d/geohostsdeny.conf

[Definition]

  1. Option: actionstart
  2. Notes.: command executed once at the start of Fail2Ban.
  3. Values: CMD

actionstart =

  1. Option: actionstop
  2. Notes.: command executed once at the end of Fail2Ban
  3. Values: CMD

actionstop =

  1. Option: actioncheck
  2. Notes.: command executed once before each actionban command
  3. Values: CMD

actioncheck =

  1. Option: actionban
  2. Notes.: command executed when banning an IP. Take care that the
  3. command is executed with Fail2Ban user rights.
  4. Excludes PH|Philippines from banning.
  5. Tags: See jail.conf(5) man page
  6. Values: CMD

actionban = IP=<ip> &&

           COUNTRY=$(geoiplookup $IP | egrep "<country_list>") && [ "$COUNTRY" ] || 
           (printf %%b "<daemon_list>: $IP\n" >> <file>)
  1. Option: actionunban
  2. Notes.: command executed when unbanning an IP. Take care that the
  3. command is executed with Fail2Ban user rights.
  4. Tags: See jail.conf(5) man page
  5. Values: CMD

actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>

[Init]

  1. Option: country_list
  2. Notes.: List of exempted countries separated by pipe "|"
  3. Values: STR Default:

country_list = PH|Philippines

  1. Option: file
  2. Notes.: hosts.deny file path.
  3. Values: STR Default: /etc/hosts.deny

file = /etc/hosts.deny

  1. Option: daemon_list
  2. Notes: The list of services that this action will deny. See the man page
  3. for hosts.deny/hosts_access. Default is all services.
  4. Values: STR Default: ALL

daemon_list = ALL


Reference