Access control using Fail2Ban and geoip

From munkjensen.net/wiki
Revision as of 10:19, 27 May 2017 by Admin (talk | contribs) (→‎Files)

Geolookup

In order to do a geolookup from the command line, we have to get the GeoIP binary and database installed.

apt-get install geoip-bin geoip-database

Test it: geoiplookup 159.20.6.38 should give you GeoIP Country Edition: DK, Denmark

Fail2Ban

I assume Fail2ban is already installed and configured.

Create an action script: sudo vi /etc/fail2ban/action.d/hostsdeny-geoip.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = 

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = 

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = 

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights. 
#          Excludes PH|Philippines from banning.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = IP=<ip> &&
            COUNTRY=$(geoiplookup $IP | egrep "<country_list>") && [ "$COUNTRY" ] || 
            (printf %%b "<daemon_list>: $IP\n" >> <file>)

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>

[Init]

# Option:  country_list
# Notes.:  List of exempted countries separated by pipe "|"
# Values:  STR  Default:  
#
country_list = DK|Denmark

# Option:  file
# Notes.:  hosts.deny file path.
# Values:  STR  Default:  /etc/hosts.deny
#
file = /etc/hosts.deny

# Option:  daemon_list
# Notes:   The list of services that this action will deny. See the man page
#          for hosts.deny/hosts_access. Default is all services.
# Values:  STR  Default: ALL
daemon_list = ALL

This script will ban all ip's except if it is located in a country that is mentioned in the 'country_list' line.

Enable it by editing sudo vi /etc/fail2ban/jail.local

[DEFAULT]
maxretry = 3
bantime  = 900
destemail = fm@localhost
banaction = hostsdeny-geoip

[sshd-ddos]
enabled = true

[pihole-geoip]
enabled  = false
port     = domain,53
protocol = udp
# banaction =
filter   = pihole-geoip
logpath  = /var/log/pihole.log

Files

/etc/fail2ban/
     ├── action.d/
     │   └── hostsdeny-geoip.conf
     ├── fail2ban.conf
     ├── fail2ban.local
     ├── filter.d/
     │   └── pihole-geoip.conf
     ├── jail.conf
     └── jail.local

Reference