Sharing of fail2ban banned IPs

fail2ban

I'm using fail2ban on all servers with publicly visible services and I wonder:

Is there an easy way to share banned IPs between hosts I control?
Is there a service out there collecting and publishing that data?

I've been getting countless login attempts since day 1 of setting up this server.

Best Answer

I once saw a system for centralizing fail2ban data on this site, and created a modified version. The database is the same, bu I changed and created some scripts.

My system have 4 components:

fail2ban database

It's a MySQL database containing only one table: erp_core_fail2ban:

CREATE TABLE IF NOT EXISTS 'erp_core_fail2ban' (
  'id' bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  'hostname' varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL,
  'created' datetime NOT NULL,
  'name' text COLLATE utf8_unicode_ci NOT NULL,
  'protocol' varchar(16) COLLATE utf8_unicode_ci NOT NULL,
  'port' varchar(32) COLLATE utf8_unicode_ci NOT NULL,
  'ip' varchar(64) COLLATE utf8_unicode_ci NOT NULL,
  PRIMARY KEY ('id'),
  KEY 'hostname' ('hostname','ip')
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

fail2ban.php

Every time a host is banned, it will populate the database:


<?php
require_once("/etc/fail2ban/phpconfig.php");

$name = $_SERVER["argv"][1];
$protocol = $_SERVER["argv"][2];
$port = $_SERVER["argv"][3];
if (!preg_match('/^\d{1,5}$/', $port))
    $port = getservbyname($_SERVER["argv"][3], $protocol);
$ip = $_SERVER["argv"][4];

$hostname = gethostname();

$query = "INSERT INTO 'erp_core_fail2ban' set hostname='" . addslashes($hostname) . "', name='" . addslashes($name) ."', protocol='" . addslashes($protocol) . "', port='" . addslashes($port) . "', ip='" . addslashes($ip) . "', created=NOW()";
$result = mysql_query($query) or die('Query failed: ' . mysql_error());
mysql_close($link);
exit;
?>

cron2ban

You put this to run on crontab, every minute. It will retrieve the last added hosts, and ban them.


<?php
// phpconfig.php will have database configuration settings
require_once("/etc/fail2ban/phpconfig.php");

// file with only a line, containing the last id banned
$lastbanfile="/etc/fail2ban/lastban";

$lastban = file_get_contents($lastbanfile);

// select only hosts banned after last check
$sql = "select id, ip from erp_core_fail2ban where id > $lastban";
$result = mysql_query($sql) or die('Query failed: ' . mysql_error());
mysql_close($link);

while ($row = mysql_fetch_array($result)) {
        //
        $id = $row['id'];
        $ip = $row['ip'];

    exec("fail2ban-client set $jail banip $ip");


}

// $id contains the last banned host, add it to the config file
file_put_contents($lastbanfile, $id);
?>

phpconfig

This file goes to /etc/fail2ban and have database configuration and jail selection.


<?php
// jail to be used
$jail = "ssh";

// file to keep the last ban
$lastbanfile="/etc/fail2ban/lastban";

// database configuration
$dbserver="localhost";
$dbuser="root";
$dbpass="root";
$dbname="fail2ban";

// connect to database
$link = mysql_connect($dbserver, $dbuser, $dbpass) or die('Could not connect: ' . mysql_error());
mysql_select_db($dbname) or die('Could not select database');

?>

Create those files and change the configuration from fail2ban:

After the line with actionban = ..... a new row inserted to invoke the PHP script:

/root/fail2ban.php <name> <protocol> <port> <ip>

Using this structure on all your servers will assure that every time one host gets banned on one server, all the other servers will ban it too.

Related Solutions

Fail2Ban – How to Unban an IP Properly

With Fail2Ban before v0.8.8:

fail2ban-client get YOURJAILNAMEHERE actionunban IPADDRESSHERE

With Fail2Ban v0.8.8 and later:

fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE

The hard part is finding the right jail:

Use iptables -L -n to find the rule name...
...then use fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g' to get the actual jail names. The rule name and jail name may not be the same but it should be clear which one is related to which.

Iptables – Fail2Ban: already banned

The recidive jail recommended in the other answer here did not fix the issue for me. I eventually fixed this, however, so here's my method in case it helps others.

Fail2ban only blocks over TCP by default. At least with my setup, I noticed the "already banned" message was appearing when bots came back to try the blocked port over UDP instead.

To fix this issue, tell Fail2ban to block the port over all protocols instead of just TCP. You will need to make this change in /etc/fail2ban/jail.conf and in the [Init] section of every action you are using at /etc/fail2ban/action.d/.

Change this:

# Default protocol
protocol = tcp

To:

# Default protocol
protocol = all

Next, I disabled ICMP echo requests so blocked IPs had no way of hitting the server:

nano /etc/sysctl.conf

Add these two lines:

net.ipv4.icmp_echo_ignore_all = 1  
net.ipv4.icmp_echo_ignore_broadcasts = 1

Exit and save the file.
Run sysctl -p for the change to take effect.

After that, run fail2ban-client reload and you should not see these "already banned" messages any more unless you are spammed by an IP who gets a couple of access attempts before the block takes effect.

Also, it's important to block all ports for every offender rather than the port they were trying to access by using the action iptables-allports in each of the Jails. Otherwise, they may trigger another Jail and end up as "already banned" in the logs.

Best Answer

Related Solutions

Fail2Ban – How to Unban an IP Properly

Iptables – Fail2Ban: already banned

Related Topic