How to teach fail2ban to detect and block attacks from a whole network block

fail2ban

I have correctly installed fail2ban in my machine, activating the rules for ssh, ssh-dos and recidive; it all works ok.

Lately, I have seen an increasing patterns of repetitive attacks from different hosts form the same networks, which circumvent the "recidive" rule by switching IP after a ban:

2015-01-25 11:12:11,976 fail2ban.actions: WARNING [ssh] Ban XXX.41.124.29
2015-01-25 11:12:13,165 fail2ban.actions: WARNING [ssh] Ban XXX.41.124.42
2015-01-25 11:12:16,297 fail2ban.actions: WARNING [ssh] Ban XXX.41.124.28
2015-01-25 11:12:20,446 fail2ban.actions: WARNING [ssh] Ban XXX.41.124.104

I would like to detect it and make a "recidive24" rule that blocks all these kind of attacks banning the whole /24 block.

I found a suggestion in the debian bug archive for fail2ban, and I have applied it, but:

If I apply the full /24 ban when the ssh jail is triggered, I have the problem that it is easy from someone on my same network to block me out, by just attacking from ONE IP;
The recidive jail would be perfect, but it is not triggered by the storm changing IPs…

So I would like to change the recidive filter specification so that it just look at the first three bytes of the IP, but I am at a loss here… the regexp that do the ban is (from /etc/fail2ban/recidive.conf) is

# The name of the jail that this filter is used for. In jail.conf, name the 
# jail using this filter 'recidive', or change this line!
_jailname = recidive

failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$

…and it will match a complete IP.

The question: How can I change this failregex so that it matches just the first three bytes of the host IP?

Please notice that a problem is not blocking the whole subnet when the spamming IP is detected — this is relatively easy. The problem is triggering a kind of subnet-recidive when there are, for example, five or more recidive hits for the same subnetwork…

I though about filtering the fail2ban log file with another daemon and writing a second file where the last byte is 0 every time, and trigger the recidive jail using it, but it seems really clumsy…

Best Answer

Fail2ban doesn't have neat functionality to automatically block attacks from a whole subnet. It is possible to do, though, using a recent version of fail2ban (I use v0.11), some simple fail2ban scripts and a small, pure python3 script.

Note: The question refers to 'a whole subnet' (which I'll refer to as CIDR blocks or IP ranges). This is a difficult thing, because we don't know how large a block of addresses the attacker controls. It might even be that the attacker by chance controls a handful of addresses from the same block, with the in-between addresses being legitimate.

Step 1. Get CIDR of hosts

The log files that fail2ban monitors typically show hosts (e.g. 127.0.0.1) instead of CIDR blocks (127.0.0.0/24) or IP ranges (127.0.0.0 - 127.0.0.255).

A solution could be to first assume a small CIDR block and then grow it as logs report more misbehaving hosts. Obviously it should only grow the CIDR, if those hosts are from adjacent addresses. But this is complex and legitimate addresses might get caught up regardless of the sophistication of the algorithm.

Instead, we can also simply lookup the CIDR in whois. This incurs some latency for the whois lookup, and generates some traffic. But the script that parses whois, can just write the CIDR to syslog, which can then be caught by fail2ban again.

Note: don't forget to hook this script into the actionban of your preferred action.d/lorem-ipsum.conf script. Be aware that if its maxretry > 1, then you will not catch CIDR blocks where hosts only fail once!

#!/usr/bin/python

import sys, subprocess, ipaddress, syslog

def narrowest_cidr(cidrA, cidrB):
    _ip, subA = cidrA.split('/')
    _ip, subB = cidrB.split('/')

    if int(subA) > int(subB):
        return cidrA
    else:
        return cidrB

bad_ip = sys.argv[1]
cidrs = []
inetnums = []
ret = None

whois = subprocess.run(['whois', bad_ip], text=True,
        stdout=subprocess.PIPE, check=True)

for line in whois.stdout.split('\n'):
    if 'CIDR:' in line:
        cidrs.append(line.replace('CIDR:', '').strip())
    if 'inetnum:' in line:
        inetnums.append(line.replace('inetnum:', '').strip())

if len(cidrs) >= 1:
    if len(cidrs) == 1:
        cidr = cidrs[0]
    else:
        cidr = narrowest_cidr(cidrs[0], cidrs[-1])
elif len(inetnums) > 0:
    if len(inetnums) == 1:
        inetnum = inetnums[0]
        startip, endip = inetnum.split(' - ')
        cidrs = [ipaddr for ipaddr in ipaddress.summarize_address_range(ipaddress.IPv4Address(startip), ipaddress.IPv4Address(endip))]
        if len(cidrs) == 1:
            cidr = cidrs[0]
        else:
            cidr = narrowest_cidr(cidrs[0], cidrs[-1])
else:
    cidr = "no CIDR found"

syslog.openlog(ident="suspectrange")
syslog.syslog("{} has CIDR {}".format(bad_ip, cidr))

Step 2. Figure out when to block a CIDR

If we had the dynamic CIDR determination this might get a little elaborate, as we'd have to change what we're banning. But with the whois lookup we can simply ban the CIDR block we found, based on a maxretry and findtime that we deem appropriate. Here's the jail I use:

[fail2ban-cidr-recidive]
filter = fail2ban-cidr-recidive
action = nftables-common[name=BADRANGE]
logpath = /var/log/everything/current

#5 bans in 12hrs is 48hr ban
maxretry = 5
findtime = 12h
bantime = 2d

And accompanying filter

[Definition]

failregex = \[suspectrange\] .* has CIDR <SUBNET>

Step 3. Actually block the CIDR

As you may have noticed, I use action.d/nft-common.conf. nftables allows blocking CIDR blocks instead of single hosts. This requires a small change to the first line of the actionstart part of the action script:

actionstart = nft add set netdev f2b <set_name> \{ type ipv4_addr\; \}

Should be modified to:

actionstart = nft add set netdev f2b <set_name> \{ type ipv4_addr\; flags interval\; \}

Time stamps

Find your statement:

Actually, it can scan files without any time on any line and it will still work.

conflicting with the documentation. What do you mean by work?

The manual#filters (v 0.8) states:

If you're creating your own failregex expressions, here are some things you should know:

[...]

In order for a log line to match your failregex, it actually has to match in two parts: the beginning of the line has to match a timestamp pattern or regex, and the remainder of the line has to match your failregex. If the failregex is anchored with a leading ^, then the anchor refers to the start of the remainder of the line, after the timestamp and intervening whitespace.

The pattern or regex to match the time stamp is currently not documented, and not available for users to read or set. See Debian bug #491253. This is a problem if your log has a timestamp format that fail2ban doesn't expect, since it will then fail to match any lines. Because of this, you should test any new failregex against a sample log line, as in the examples below, to be sure that it will match. If fail2ban doesn't recognize your log timestamp, then you have two options: either reconfigure your daemon to log with a timestamp in a more common format, such as in the example log line above; or file a bug report asking to have your timestamp format included.

Note here that log files can be configured to include time stamps as well as the format of the time stamps. (That include dmesg as mentioned in comment.)

Also see this thread, Message #14 and #19 in particular:

fail2ban: time pattern match is undocumented and unavailable to users

Two examples:

Note that you can also test with commands like:

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

1 No time stamp:

$ fail2ban-regex ' [1.2.3.4] authentication failed' '\[<HOST>\] authentication failed'

Running tests
=============

Use   failregex line : \[<HOST>\] authentication failed
Use      single line :  [1.2.3.4] authentication failed


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
|- Missed line(s):
|   [1.2.3.4] authentication failed
`-

2 With time stamp:

$ fail2ban-regex 'Jul 18 12:13:01 [1.2.3.4] authentication failed' '\[<HOST>\] authentication failed'

Running tests
=============

Use   failregex line : \[<HOST>\] authentication failed
Use      single line : Jul 18 12:13:01 [1.2.3.4] authentication failed


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] \[<HOST>\] authentication failed
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] MONTH Day Hour:Minute:Second
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed

Scan times

Manual#Reaction time:

It is quite difficult to evaluate the reaction time. Fail2ban waits 1 second before checking for new logs to be scanned. This should be fine in most cases. However, it is possible to get more login failures than specified by maxretry.

In that regard also see this thread: Re: Bug#481265: fail2ban: Poll interval is not configurable.

But under optional but recommended software one find Gamin.

Gamin is a file alteration monitor. Gamin greatly benefits from a "inotify"-enabled kernel. Thus, active polling is no longer required to get the file modifications.

If Gamin is installed and backend in jail.conf is set to auto (or gamin) - Gamin will be used.

Best Answer

Step 1. Get CIDR of hosts

Step 2. Figure out when to block a CIDR

Step 3. Actually block the CIDR

Related Solutions

Apache – How to use fail2ban to ban all php and cgi-bin requests

How does fail2ban detect the time of an intrusion attempt if the log files don’t have timestamp

Time stamps

Two examples:

1 No time stamp:

2 With time stamp:

Scan times

Related Question