if fail2ban fails to ban, when nftables is used to emulate iptables

it’s not entirely nftables‘ fault, fail2ban would need to support it, so if you do not need to block more than 50-100.000 IPs and have a reasonable fast server… it should not slow down with iptables.

CentOS7 uninstall nftables install iptables

CentOS7 replaced firewall iptables with firewalld – iptables vs nftables benchmark performance comparison, scalability when facing DDoS scenarios

list all jails

fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd

get status:

/scripts/fail2ban_status.sh

echo "===== fail2ban status ====="
JAILS=`fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g'`
for JAIL in $JAILS
do
  fail2ban-client status $JAIL
done

fail2ban-client status sshd

fail2ban-client status

systemctl status fail2ban

echo "===== iptables status ====="
iptables -S|grep "REJECT"

echo "===== showing all available filters ====="
ll /etc/fail2ban/filter.d/

journalctl -b -u fail2ban

echo "===== fail2ban log ====="
tail /var/log/fail2ban.log

unban this ip:

unban:

/scripts/fail2ban_unban.sh 123.123.123.123

 
#!/bin/bash

echo "====== unbanning:" $1

JAILS=`fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g'`
for JAIL in $JAILS
do
  fail2ban-client set $JAIL unbanip $1;
done

manually ban an ip:

/scripts/fail2ban_ban.sh 123.123.123.123

#!/bin/bash

echo "====== banning:" $1

JAILS=`fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g'`
for JAIL in $JAILS
do
  fail2ban-client set $JAIL banip $1;
done

automatically ban by sshd logging to /var/log/secure

think fail2ban is to soft on hosts that try to brute force your password?

run this via hourly cron X-D

this is a small script one put together, which will filter out all „Invalid user“ and „preauth“ from /var/log/secure and ban the ips associated.

#!/bin/bash
# this script will take ssh messages logged to /var/log/secure
# extract two kinds of ips:
# 1) "Invalid user"
# 2) "preauth"
# and block them via fail2ban

# reduce to 
# filter out "Invalid user" and "preauth" and save it to new file
NEWFILE="/var/log/secure_invalid_preauth.log"

cat /var/log/secure | grep -e "Invalid user" -e "preauth" > $NEWFILE

# extract ips
octet='\<(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]?)\>'
ip="$octet\\.$octet\\.$octet\\.$octet"

# also remove duplicates
# save to new file log2
grep -Eo "$ip" $NEWFILE | paste - | uniq > $NEWFILE"2"

# iterate over every line of a file and 
while read line; do
  echo "this was a very bad host, we will ban it now:"
  echo "$line"
  fail2ban-client set sshd banip $line;
done <$NEWFILE"2"
echo "done"

 

how often was jail enforced?

fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	1779
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	1
   |- Total banned:	347
   `- Banned IP list:	212.129.140.74

what ip got banned most?

awk '($(NF-1) = /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
      1 125.163.71.XXX
      1 37.75.213.XXX
      1 80.199.0.XXX
      2 151.236.200.XXX
      2 190.85.234.XXX
      4 188.75.155.XXX
      4 190.223.32.XXX
      4 200.105.154.XXX
      6 191.209.9.XXX
     11 78.250.49.XXX
     34 176.223.165.XXX
    133 104.236.146.XXX
    174 103.72.162.XXX
    184 54.37.196.XXX

what subnets got banned most?

zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | awk -F\. '{print $1"."$2"."}' | sort | uniq -c | sort -n | tail

# those subnets got banned most (higher number = more bans)
17 200.105.
21 210.92.
23 27.255.
34 176.223.
93 45.125.
140 104.236.
175 103.72.
184 54.37.
226 200.111.
1190 181.214.

# this e.g. is an ip from malaysia that exceeded fail2ban rules for exim a lot
whois 103.72.162.186
# show ips of the most banned subnet 181.214.
grep -r -i -E --color=auto "181.214." /var/log/fail2ban*;

… i whoised 3 and all were in fail2ban jail for exim-iptables, all were US located and attempts to use this server for spam?

address: 60007 – Chicago – IL
country: US

Links:

https://www.the-art-of-web.com/system/fail2ban-log/

Links:

credits: https://gist.github.com/kamermans/1076290

admin