Access control using Fail2Ban and geoip
Preface
This 'guide' explains how to block DNS requests from anywhere in the world but Denmark. Of course you can change that so another country is allowed... or even a selection of countries ;-)
It uses the file hosts.deny at the moment... iptables might be better... we will see if I care to change it later :-P
Keep in mind what that choice means: hosts.deny is only consulted by programs linked against TCP Wrappers (libwrap) or started through tcpd. dnsmasq, and therefore pihole-FTL, is not one of them, so with this action the offending clients do end up listed in hosts.deny, but their DNS queries are not actually dropped. An iptables based variant of the same action is what would do that.
Geolookup
In order to do a geolookup from the command line, we have to get the GeoIP binary and database installed. Note that geoip-database ships the legacy GeoLite country database, which MaxMind stopped updating in 2018, so newer allocations may come back as 'IP Address not found'; this setup treats that answer as 'not in the allowed country' and bans.
apt-get install geoip-bin geoip-database
Test it:
geoiplookup 159.20.6.38
should give you
GeoIP Country Edition: DK, Denmark
Fail2Ban
I assume Fail2ban is already installed and configured.
Create the filter file:
sudo vi /etc/fail2ban/filter.d/pihole-geoip.conf
[Definition]
# Fail2Ban filter file for Pi-hole.
#
# Based on Fail2Ban's bind9 (named) filter, but unlike bind no special
# server configuration is needed: Pi-hole logs every query to
# /var/log/pihole.log by default.
#
# This will match all 'query' lines, i.e. every client that sends a query.
failregex = query\[.*<HOST>$

# This would match only 'query[ANY]' requests instead.
#failregex = query\[ANY\].*<HOST>$
#
# Author: [email protected]
Create the action file:
sudo vi /etc/fail2ban/action.d/hostsdeny-geoip.conf
[Definition]
# This action bans every IP except those that geoiplookup places in one of
# the countries listed in 'country_list' below.

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart =

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          The IP is looked up with geoiplookup; if the output matches
#          <country_list> (default: DK|Denmark) nothing is written,
#          otherwise '<daemon_list>: <ip>' is appended to <file>.
#          Any IP the database does not know (private ranges, new
#          allocations) does not match and is therefore banned.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = IP=<ip> && COUNTRY=$(geoiplookup $IP | egrep "<country_list>") && [ "$COUNTRY" ] || (printf %%b "<daemon_list>: $IP\n" >> <file>)

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          Deletes exactly the line actionban appended, so it uses the
#          same <daemon_list> tag rather than a hard-coded 'ALL'.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = IP=<ip> && sed -i.old /<daemon_list>:\ $IP/d <file>

[Init]

# Option:  country_list
# Notes.:  List of exempted countries separated by pipe "|". It is used as
#          an egrep pattern against the geoiplookup output, so both the
#          two-letter code and the country name work.
# Values:  STR  Default:  DK|Denmark
#
country_list = DK|Denmark

# Option:  file
# Notes.:  hosts.deny file path.
# Values:  STR  Default:  /etc/hosts.deny
#
file = /etc/hosts.deny

# Option:  daemon_list
# Notes:   The list of services that this action will deny. See the man page
#          for hosts.deny/hosts_access. Default is all services.
# Values:  STR  Default:  ALL
#
daemon_list = ALL
Wire it up in jail.local (as shown below the pihole-geoip jail still has enabled = false; set it to true when you want it live):
sudo vi /etc/fail2ban/jail.local
[DEFAULT]
maxretry  = 3
bantime   = 900
destemail = fm@localhost
banaction = hostsdeny-geoip

[sshd-ddos]
enabled = true

[pihole-geoip]
enabled  = false
port     = domain,53
protocol = udp
# banaction =
filter   = pihole-geoip
logpath  = /var/log/pihole.log
Two things to keep in mind with this configuration. First, the filter matches every query and private addresses (192.168.x.x and friends) are not in the GeoIP database, so your own LAN clients end up in hosts.deny after 3 queries unless you list them in ignoreip under [DEFAULT]. Second, banaction is set in [DEFAULT], so the sshd-ddos jail uses the geoip action as well: an attacker hammering sshd from a Danish address is never written to hosts.deny.
Restart Fail2Ban like this:
sudo service fail2ban restart
Hopefully it restarts without any errors ;-)
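To see the whole chain work before trusting it with a live log, here is an added example (not part of the original guide). It replays the failregex over a constructed pihole.log excerpt and runs the same ban/unban logic as hostsdeny-geoip against a stub geoiplookup: the output format is the real tool's, the address-to-country table is made up for this example, and a temp file stands in for /etc/hosts.deny, so it runs without Fail2Ban or the database installed. Watch 192.168.1.20: a LAN client is not in the database and gets banned like any other unknown address.

```shell
#!/bin/sh
# Added example: replays the pihole-geoip filter and the hostsdeny-geoip
# ban/unban decisions offline. Nothing here touches /etc/hosts.deny.

COUNTRY_LIST='DK|Denmark'              # same default as the action's country_list
DAEMON_LIST='ALL'                      # same default as the action's daemon_list
DENY_FILE="${DENY_FILE:-$(mktemp)}"    # stand-in for /etc/hosts.deny

# Constructed pihole.log excerpt in dnsmasq format. Only 'query' lines end in a
# client address; the 'forwarded' and 'reply' lines must not produce hits.
PIHOLE_LOG='Feb  3 10:01:02 dnsmasq[512]: query[A] example.org from 192.168.1.20
Feb  3 10:01:02 dnsmasq[512]: forwarded example.org to 1.1.1.1
Feb  3 10:01:02 dnsmasq[512]: reply example.org is 93.184.216.34
Feb  3 10:01:05 dnsmasq[512]: query[AAAA] example.org from 203.0.113.7
Feb  3 10:01:09 dnsmasq[512]: query[ANY] isc.org from 203.0.113.7
Feb  3 10:01:10 dnsmasq[512]: query[A] dr.dk from 159.20.6.38'

# Equivalent of the filter's failregex 'query\[.*<HOST>$' for IPv4 clients:
# prints one client address per matching line, which is what Fail2Ban counts
# against maxretry for each IP.
filter_hits() {
    printf '%s\n' "$PIHOLE_LOG" |
        sed -nE 's/.*query\[.* ([0-9]{1,3}(\.[0-9]{1,3}){3})$/\1/p'
}

# Stub for 'geoiplookup <ip>'. The address table is constructed; everything
# else gets the real tool's "not found" line, as RFC 1918 addresses would.
geoiplookup_stub() {
    case "$1" in
        159.20.6.38) echo 'GeoIP Country Edition: DK, Denmark' ;;
        203.0.113.7) echo 'GeoIP Country Edition: PH, Philippines' ;;
        *)           echo 'GeoIP Country Edition: IP Address not found' ;;
    esac
}

# Same decision as actionban. Returns 0 when the IP was written to the deny
# file, 1 when the country list exempted it.
geo_ban() {
    ip=$1
    if geoiplookup_stub "$ip" | grep -Eq "$COUNTRY_LIST"; then
        return 1
    fi
    printf '%s: %s\n' "$DAEMON_LIST" "$ip" >> "$DENY_FILE"
}

# Same as actionunban: delete exactly the line actionban appended.
geo_unban() {
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # dots must be literal in the pattern
    sed -i.old "/^$DAEMON_LIST: $ip_re\$/d" "$DENY_FILE"
}

# Check whether an address is currently listed in the deny file.
is_denied() {
    grep -qxF "$DAEMON_LIST: $1" "$DENY_FILE"
}

# Walk every client the filter extracted through the ban logic, then unban one.
demo() {
    : > "$DENY_FILE"
    for ip in $(filter_hits | sort -u); do
        if geo_ban "$ip"; then
            echo "banned  $ip  -> $(tail -n 1 "$DENY_FILE")"
        else
            echo "allowed $ip  (matches $COUNTRY_LIST)"
        fi
    done
    geo_unban 203.0.113.7
    echo "deny file after unbanning 203.0.113.7:"
    cat "$DENY_FILE"
}

demo
```

Against the real setup the equivalent checks are `fail2ban-regex /var/log/pihole.log /etc/fail2ban/filter.d/pihole-geoip.conf` for the filter and `fail2ban-client status pihole-geoip` after the restart; the stub above exists only so the decision logic can be exercised without a database.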
Files
This is the file/folder structure for Fail2Ban. I edited / created the files marked with a §
/etc/fail2ban/
├── action.d/
│   └── hostsdeny-geoip.conf §
├── fail2ban.conf
├── filter.d/
│   └── pihole-geoip.conf §
├── jail.conf
└── jail.local §