Currently I have been using iptables on a new Debian server running Asterisk.
Every day I have been checking auth.log for IP addresses and manually doing iptables -A INPUT -s IPA.DRE.SS.0/24 -j DROP
I was initially doing just IP addresses, but many hits were coming from similar IP addresses, so /24 has been working better; I have used /16 a couple of times.
Already I have hundreds of iptables entries and this is getting out of control! I know there must be an easier way to do this.
fail2ban has been recommended to me but it seems it blocks IPs only temporarily after a certain # of attempts.
The two main intrusion attempts I see are using false usernames and random ports.
Is it possible, if an attempt is made to log in with any username I am not currently using, to automatically and permanently block the IP address? Same with ports that are not in use?
I also see a lot like this:
Did not receive identification string from (malicious IP) port 48334
I'd like to ban those IPs too.
I won't automatically block incorrect login attempts as if I fat-finger the password that could lock me out. But perhaps a permanent ban on an IP after 3 attempts will suffice.
Can I do this with iptables? I haven't found anything regarding "permanent bans" that works like this; it seems it just works more in the moment.
I'd more or less like to accomplish what I've been doing manually: permanently blocking IP ranges after a single wrong username login, a single wrong port connection, or 3 incorrect login attempts (with correct username). I'm hoping this will prevent auth.log from getting spammed.
Best Answer
fail2ban can be configured for permanent bans by setting bantime to -1 in jail.conf.
These will be lost on a reboot, but that's not necessarily a bad thing because so many attempts will be transient from pwned home machines in a botnet...
If you want persistence, then https://arno0x0x.wordpress.com/2015/12/30/fail2ban-permanent-persistent-bans/ may give some guidance.
Essentially, modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot... So if you check your default jail.conf you may find the default action is iptables-multiport. This corresponds to the configuration file /etc/fail2ban/action.d/iptables-multiport.conf.
We can add the following entries:
Now, when fail2ban flags an entry it will add a line to /etc/fail2ban/persistent.bans (via the actionban configuration). When fail2ban starts up it calls actionstart, which reads this file and builds the iptables rules necessary. Of course, fail2ban needs restarting after any of the configuration files are changed.
All credit to "arno0x0x" and his wordpress site for this recipe.