Access control using Fail2Ban and geoip: Difference between revisions

Revision as of 13:19, 26 May 2017

Geolookup

In order to do a geolookup from the command line, we have to get the GeoIP binary and database installed.

apt-get install geoip-bin geoip-database

Test it: geoiplookup 8.8.8.8 should give you GeoIP Country Edition: US, United States

Fail2Ban

I assume Fail2ban is already installed and configured.

Create an action script: sudo vi /etc/fail2ban/action.d/geohostsdeny.conf

[Definition]

Option: actionstart
Notes.: command executed once at the start of Fail2Ban.
Values: CMD

actionstart =

Option: actionstop
Notes.: command executed once at the end of Fail2Ban
Values: CMD

actionstop =

Option: actioncheck
Notes.: command executed once before each actionban command
Values: CMD

actioncheck =

Option: actionban
Notes.: command executed when banning an IP. Take care that the
command is executed with Fail2Ban user rights.
Excludes PH|Philippines from banning.
Tags: See jail.conf(5) man page
Values: CMD

actionban = IP=<ip> &&

           COUNTRY=$(geoiplookup $IP | egrep "<country_list>") && [ "$COUNTRY" ] || 
           (printf %%b "<daemon_list>: $IP\n" >> <file>)

Option: actionunban
Notes.: command executed when unbanning an IP. Take care that the
command is executed with Fail2Ban user rights.
Tags: See jail.conf(5) man page
Values: CMD

actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>

[Init]

Option: country_list
Notes.: List of exempted countries separated by pipe "|"
Values: STR Default:

country_list = PH|Philippines

Option: file
Notes.: hosts.deny file path.
Values: STR Default: /etc/hosts.deny

file = /etc/hosts.deny

Option: daemon_list
Notes: The list of services that this action will deny. See the man page
for hosts.deny/hosts_access. Default is all services.
Values: STR Default: ALL

daemon_list = ALL

Reference

@@ Line 10: / Line 10: @@
 should give you
 <code>GeoIP Country Edition: US, United States</code>
+=== Fail2Ban ===
+I assume Fail2ban is already installed and configured.
+Create an action script:
+<code>sudo vi /etc/fail2ban/action.d/geohostsdeny.conf</code>
+[Definition]
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+#          Excludes PH|Philippines from banning.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = IP=<ip> &&
+            COUNTRY=$(geoiplookup $IP | egrep "<country_list>") && [ "$COUNTRY" ] ||
+            (printf %%b "<daemon_list>: $IP\n" >> <file>)
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>
+[Init]
+# Option:  country_list
+# Notes.:  List of exempted countries separated by pipe "|"
+# Values:  STR  Default:
+#
+country_list = PH|Philippines
+# Option:  file
+# Notes.:  hosts.deny file path.
+# Values:  STR  Default:  /etc/hosts.deny
+#
+file = /etc/hosts.deny
+# Option:  daemon_list
+# Notes:  The list of services that this action will deny. See the man page
+#          for hosts.deny/hosts_access. Default is all services.
+# Values:  STR  Default: ALL
+daemon_list = ALL
+== Reference ==
+* http://kbeezie.com/geoiplookup-command-line/
+* https://www.webfoobar.com/node/54