Access control using Fail2Ban and geoip: Difference between revisions
| Line 146: | Line 146: | ||
Restart Fail2Ban like this <code>sudo service fail2ban restart</code> | Restart Fail2Ban like this <code>sudo service fail2ban restart</code> | ||
Hopefully it restarts without any errors... if you get errors in /var/log/fail2ban try to dum the config using the command <code> | Hopefully it restarts without any errors... if you get errors in /var/log/fail2ban try to dum the config using the command <code>fail2ban-client -d</code> and hunt the bugs using this info. | ||
==== Files ==== | ==== Files ==== | ||
Revision as of 11:59, 27 May 2017
Preface
This 'guide' explains how to block DNS requests to my Pi-Hole from anywhere in the world but Denmark. Ofcourse you can change that so another country is allowed... or even a selection of countries ;-)
It uses the file hosts.deny at the moment... iptables might be better... we will see if i care to change it later :-P
Geolookup
In order to do a geolookup from the command line, we have to get the GeoIP binary and database installed.
apt-get install geoip-bin geoip-database
Test it:
geoiplookup 159.20.6.38
should give you
GeoIP Country Edition: DK, Denmark
Fail2Ban
I assume Fail2ban is already installed and configured.
Create a filter script:
sudo vi /etc/fail2ban/filter.d/pihole-geoip.conf[Definition] # Fail2Ban filter file for pihole. # # This filter blocks attacks against named (bind9) however it requires special # configuration on bind. # # This will filter all 'query' requests. failregex = query\[.*<HOST>$ # This wil filter all 'query[ANY]' requests. #failregex = query\[ANY\].*<HOST>$ # # Author: [email protected]
Create an action script:
sudo vi /etc/fail2ban/action.d/hostsdeny-geoip.conf[Definition] # This script will ban all ip's except if it is located in a country that is mentioned in the 'country_list' line. # # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Excludes PH|Philippines from banning. # Tags: See jail.conf(5) man page # Values: CMD # actionban = IP=<ip> && COUNTRY=$(geoiplookup $IP | egrep "<country_list>") && [ "$COUNTRY" ] || (printf %%b "<daemon_list>: $IP\n" >> <file>) # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file> [Init] # Option: country_list # Notes.: List of exempted countries separated by pipe "|" # Values: STR Default: # country_list = DK|Denmark # Option: file # Notes.: hosts.deny file path. # Values: STR Default: /etc/hosts.deny # file = /etc/hosts.deny # Option: daemon_list # Notes: The list of services that this action will deny. See the man page # for hosts.deny/hosts_access. Default is all services. # Values: STR Default: ALL daemon_list = ALL
Enable it by editing
sudo vi /etc/fail2ban/jail.local[DEFAULT] maxretry = 3 bantime = 900 destemail = fm@localhost banaction = hostsdeny-geoip [sshd-ddos] enabled = true [pihole-geoip] enabled = false port = domain,53 protocol = udp # banaction = filter = pihole-geoip logpath = /var/log/pihole.log
Restart Fail2Ban like this sudo service fail2ban restart
Hopefully it restarts without any errors... if you get errors in /var/log/fail2ban try to dum the config using the command fail2ban-client -d and hunt the bugs using this info.
Files
This is the file/folder structure for Fail2Ban. I edited / created the files marked with an §
/etc/fail2ban/
├── action.d/
│ └── hostsdeny-geoip.conf §
├── fail2ban.conf
├── filter.d/
│ └── pihole-geoip.conf §
├── jail.conf
└── jail.local §