I have correctly installed fail2ban
in my machine, activating the rules for ssh
, ssh-dos
and recidive
; it all works ok.
Lately, I have seen an increasing patterns of repetitive attacks from different hosts form the same networks, which circumvent the "recidive" rule by switching IP after a ban:
2015-01-25 11:12:11,976 fail2ban.actions: WARNING [ssh] Ban XXX.41.124.29
2015-01-25 11:12:13,165 fail2ban.actions: WARNING [ssh] Ban XXX.41.124.42
2015-01-25 11:12:16,297 fail2ban.actions: WARNING [ssh] Ban XXX.41.124.28
2015-01-25 11:12:20,446 fail2ban.actions: WARNING [ssh] Ban XXX.41.124.104
I would like to detect it and make a "recidive24" rule that blocks all these kind of attacks banning the whole /24
block.
I found a suggestion in the debian bug archive for fail2ban, and I have applied it, but:
-
If I apply the full
/24
ban when thessh
jail is triggered, I have the problem that it is easy from someone on my same network to block me out, by just attacking from ONE IP; -
The
recidive
jail would be perfect, but it is not triggered by the storm changing IPs…
So I would like to change the recidive
filter specification so that it just look at the first three bytes of the IP, but I am at a loss here… the regexp that do the ban is (from /etc/fail2ban/recidive.conf
) is
# The name of the jail that this filter is used for. In jail.conf, name the
# jail using this filter 'recidive', or change this line!
_jailname = recidive
failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
…and it will match a complete IP.
The question: How can I change this failregex so that it matches just the first three bytes of the host IP?
Please notice that a problem is not blocking the whole subnet when the spamming IP is detected — this is relatively easy. The problem is triggering a kind of subnet-recidive
when there are, for example, five or more recidive
hits for the same subnetwork…
I though about filtering the fail2ban log file with another daemon and writing a second file where the last byte is 0 every time, and trigger the recidive jail using it, but it seems really clumsy…
Best Answer
Fail2ban doesn't have neat functionality to automatically block attacks from a whole subnet. It is possible to do, though, using a recent version of fail2ban (I use v0.11), some simple fail2ban scripts and a small, pure python3 script.
Note: The question refers to 'a whole subnet' (which I'll refer to as CIDR blocks or IP ranges). This is a difficult thing, because we don't know how large a block of addresses the attacker controls. It might even be that the attacker by chance controls a handful of addresses from the same block, with the in-between addresses being legitimate.
Step 1. Get CIDR of hosts
The log files that fail2ban monitors typically show hosts (e.g. 127.0.0.1) instead of CIDR blocks (127.0.0.0/24) or IP ranges (127.0.0.0 - 127.0.0.255).
A solution could be to first assume a small CIDR block and then grow it as logs report more misbehaving hosts. Obviously it should only grow the CIDR, if those hosts are from adjacent addresses. But this is complex and legitimate addresses might get caught up regardless of the sophistication of the algorithm.
Instead, we can also simply lookup the CIDR in whois. This incurs some latency for the whois lookup, and generates some traffic. But the script that parses whois, can just write the CIDR to syslog, which can then be caught by fail2ban again.
Note: don't forget to hook this script into the actionban of your preferred action.d/lorem-ipsum.conf script. Be aware that if its maxretry > 1, then you will not catch CIDR blocks where hosts only fail once!
Step 2. Figure out when to block a CIDR
If we had the dynamic CIDR determination this might get a little elaborate, as we'd have to change what we're banning. But with the whois lookup we can simply ban the CIDR block we found, based on a maxretry and findtime that we deem appropriate. Here's the jail I use:
And accompanying filter
Step 3. Actually block the CIDR
As you may have noticed, I use action.d/nft-common.conf. nftables allows blocking CIDR blocks instead of single hosts. This requires a small change to the first line of the actionstart part of the action script:
Should be modified to: