Access control using Fail2Ban and geoip: Difference between revisions

From munkjensen.net/wiki
No edit summary
Line 84: Line 84:
This script will ban all ip's except if it is located in a country that is mentioned in the 'country_list' line.
This script will ban all ip's except if it is located in a country that is mentioned in the 'country_list' line.


Enable it by editing
<blockquote>
<code>sudo vi /etc/fail2ban/jail.local</code>
<div class="toccolours mw-collapsible mw-collapsed">
Enable it by editing <pre>sudo vi /etc/fail2ban/jail.local</pre>
<div class="mw-collapsible-content">
<syntaxhighlight lang="xml" line><pre>[DEFAULT]
maxretry = 3
bantime  = 900
destemail = fm@localhost
#banaction = geohostsdeny


Add <code>banaction = geohostsdeny</code>
[sshd-ddos]
enabled = true


[pihole-geoip]
enabled  = false
port    = domain,53
protocol = udp
# banaction =
filter  = pihole-geoip
logpath  = /var/log/pihole.log</pre>
</syntaxhighlight>
</div>
</div>
</blockquote>


=== Files ===
=== Files ===

Revision as of 10:14, 27 May 2017

Geolookup

In order to do a geolookup from the command line, we have to get the GeoIP binary and database installed.

apt-get install geoip-bin geoip-database

Test it: geoiplookup 159.20.6.38 should give you GeoIP Country Edition: DK, Denmark

Fail2Ban

I assume Fail2ban is already installed and configured.

Create an action script: sudo vi /etc/fail2ban/action.d/hostsdeny-geoip.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = 

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = 

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = 

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights. 
#          Excludes PH|Philippines from banning.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = IP=<ip> &&
            COUNTRY=$(geoiplookup $IP | egrep "<country_list>") && [ "$COUNTRY" ] || 
            (printf %%b "<daemon_list>: $IP\n" >> <file>)

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>

[Init]

# Option:  country_list
# Notes.:  List of exempted countries separated by pipe "|"
# Values:  STR  Default:  
#
country_list = DK|Denmark

# Option:  file
# Notes.:  hosts.deny file path.
# Values:  STR  Default:  /etc/hosts.deny
#
file = /etc/hosts.deny

# Option:  daemon_list
# Notes:   The list of services that this action will deny. See the man page
#          for hosts.deny/hosts_access. Default is all services.
# Values:  STR  Default: ALL
daemon_list = ALL

This script will ban all ip's except if it is located in a country that is mentioned in the 'country_list' line.

Enable it by editing
sudo vi /etc/fail2ban/jail.local
<pre>[DEFAULT]
maxretry = 3
bantime  = 900
destemail = fm@localhost
#banaction = geohostsdeny

[sshd-ddos]
enabled = true

[pihole-geoip]
enabled  = false
port     = domain,53
protocol = udp
# banaction =
filter   = pihole-geoip
logpath  = /var/log/pihole.log</pre>

Files

/etc/fail2ban/
├── action.d/
│   └── hostsdeny-geoip.conf
├── fail2ban.conf
├── fail2ban.local
├── filter.d/
│   └── pihole-geoip.conf
├── jail.conf
└── jail.local


Reference