5

Currently I have been using iptables on a new Debian server running Asterisk.

Every day I have been checking auth.log for IP addresses and manually doing iptables -A INPUT -s IPA.DRE.SS.0/24 -j DROP

I was initially doing just IP addresses but many hits were coming from similar IP addresses so /24 has been working better, I have used /16 a couple of times.

Already I have hundreds of iptables entries and this is getting out of control! I know there must be an easier way to do this.

fail2ban has been recommended to me but it seems it blocks IPs only temporarily after a certain # of attempts.

The two main intrusion attempts I see are using false usernames and random ports.

Is it possible to, if an attempt is made to login with any username I am not currently using, to automatically permanently block the IP address? Same with ports that are not in use?

I also see a lot like this:

Did not receive identification string from (malicious IP) port 48334

I'd like to ban those IPs too.

I won't automatically block incorrect login attempts as if I fat-finger the password that could lock me out. But perhaps a permanent ban on an IP after 3 attempts will suffice.

Can I do this with iptables? I haven't found anything regarding "permanent bans" that work like this, it seems it just works more in the moment.

I'd more or less like to accomplish what I've been doing manually; permanently blocking IP ranges after a single wrong username login, a single wrong port connection, or 3 incorrect login attempts (with correct username). I'm hoping this will prevent auth.log from getting spammed.

Improve this question
3
  • check out honeyd.org/configuration.php ..... maybe the solution is to use a "tarpit" .... the undesirable connection is not refused, but becomes very, very, very slow and in the end does not lead anywhere Commented Dec 30, 2018 at 0:57
  • @Christopher Only a small number of IP addresses are going to be connecting to my machine (hundreds maximum). It's a private Asterisk VoIP server. Commented Dec 30, 2018 at 1:15
  • @Christopher The only caveat is I don't know the IPs and some are changing constantly. Numerically the amount of possible connections is relatively small but I can't do a block-first approach sadly Commented Dec 30, 2018 at 1:39

1 Answer 1

Reset to default
12

fail2ban can be configured for permanent bans by setting bantine to -1

In jail.conf

bantime = -1

These will be lost on a reboot, but that's not necessarily a bad thing because so many attempts will be transient from pwned home machines in a botnet...

If you want persistence, then https://arno0x0x.wordpress.com/2015/12/30/fail2ban-permanent-persistent-bans/ may give some guidance.

Essentially modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot...

So if you check your default jail.conf you may find the default action is iptables-multiport. This corresponds to the configuration file /etc/fail2ban/ction.d/iptables-multiport.conf

We can add the following entries:

[Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}' \ | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype> echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans

Now, when fail2ban flags an entry it will add a line to /etc/fail2ban/persistent.bans (via the actionban configuration). When fail2ban starts up it calls actionstart which reads this file and builds the iptables rules necessary.

Of course, fail2ban needs restarting after any of the configuration files are changed.

All credit to "arno0x0x" and his wordpress site for this recipe.

Improve this answer
2
  • Could the settings be saved, much like iptables-save, and restored on reboot somewhat like iptables-restore? Commented Dec 30, 2018 at 1:14
  • 1
    This gets more complicated and involves modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot..... arno0x0x.wordpress.com/2015/12/30/… explains the details. I'm loathe to cut'n'paste that information because it'd be plagarism, and I've not tested it myself. Commented Dec 30, 2018 at 1:18

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.