Access control using Fail2Ban and geoip

From munkjensen.net/wiki
Revision as of 12:19, 26 May 2017 by Admin (talk | contribs)

Geolookup

In order to do a geolookup from the command line, we have to get the GeoIP binary and database installed.

apt-get install geoip-bin geoip-database

Test it: geoiplookup 8.8.8.8 should give you GeoIP Country Edition: US, United States

Fail2Ban

I assume Fail2ban is already installed and configured.

Create an action script: sudo vi /etc/fail2ban/action.d/geohostsdeny.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart =

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          Excludes PH|Philippines from banning: an address whose
#          geoiplookup output matches <country_list> is never written
#          to <file>. Every other address, including one that is not
#          in the GeoIP database, is banned.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = IP=<ip> &&
            COUNTRY=$(geoiplookup "$IP" | grep -E "<country_list>") && [ "$COUNTRY" ] ||
            (printf %%b "<daemon_list>: $IP\n" >> <file>)

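# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          The pattern uses <daemon_list> and is anchored to the whole
#          line, so only the entry written by actionban is deleted.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = IP=<ip> && sed -i.old "/^<daemon_list>: $IP\$/d" <file>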

[Init]

# Option:  country_list
# Notes.:  List of exempted countries separated by pipe "|"
# Values:  STR  Default:
#
country_list = PH|Philippines

# Option:  file
# Notes.:  hosts.deny file path.
# Values:  STR  Default:  /etc/hosts.deny
#
file = /etc/hosts.deny

# Option:  daemon_list
# Notes.:  The list of services that this action will deny. See the man page
#          for hosts.deny/hosts_access. Default is all services.
# Values:  STR  Default:  ALL
#

daemon_list = ALL
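
To check the ban and unban logic of this action without touching /etc/hosts.deny, the following dry run (an added example, not part of the original wiki page) applies the same commands to a scratch file. The geoiplookup function is a stub with constructed replies for documentation-range addresses, and the names ban, unban and dry_run are made up for this example. The unban pattern here is anchored and escapes the dots in the address.

```shell
#!/bin/sh
# Dry run of the geohostsdeny ban/unban logic against a scratch file.
# geoiplookup is stubbed so the run needs neither the GeoIP database nor root.
COUNTRY_LIST='PH|Philippines'   # same value as country_list in [Init]
DAEMON_LIST='ALL'               # same value as daemon_list in [Init]

# Stub: constructed replies in the output format of the real tool.
geoiplookup() {
    case "$1" in
        192.0.2.10) echo "GeoIP Country Edition: PH, Philippines" ;;
        198.51.100.7|198.51.100.77) echo "GeoIP Country Edition: US, United States" ;;
        *) echo "GeoIP Country Edition: IP Address not found" ;;
    esac
}

# ban <ip> <file>: append a deny entry unless the country is exempt.
ban() {
    COUNTRY=$(geoiplookup "$1" | grep -E "$COUNTRY_LIST") && [ "$COUNTRY" ] ||
        printf '%s: %s\n' "$DAEMON_LIST" "$1" >> "$2"
}

# unban <ip> <file>: delete exactly the entry that ban wrote for this address.
unban() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')   # dots must match literally
    sed -i.old "/^$DAEMON_LIST: $pat\$/d" "$2"
}

# Runs the cases worth checking and prints the resulting deny file.
dry_run() {
    f=$(mktemp)
    ban 192.0.2.10 "$f"       # exempt country: no entry written
    ban 198.51.100.7 "$f"     # banned
    ban 198.51.100.77 "$f"    # banned; shares a prefix with the previous one
    ban 203.0.113.5 "$f"      # not in the database: banned
    unban 198.51.100.7 "$f"   # must leave 198.51.100.77 in place
    cat "$f"
    rm -f "$f" "$f.old"
}

dry_run
```

The run shows two properties of the action: an address that geoiplookup cannot place is still banned, and an address in an exempted country is never banned by this action, however often the jail triggers.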


Reference