Linux – creating an alternate jail in fail2ban for manual banning

fail2banfirewalliptableslinux

I have a fail2ban instance that works well.

But I also like to occasionally examine the logs manually and try to ID system probes that are working around my standard f2b definitions.

What I'm looking for is how I can define a jail that will last an extended period of time that I can manually use in a command like this:

fail2ban-client set $JAIL banip $IP

Can someone give me the syntax to specify a custom jail in the config file that isn't really triggered from log files (or it could be a standard jail that has some condition that might not make it actually trigger), that I can use in a manual statement? What I want to do is have a much longer ban time for manual bannings that I identify personally while looking through logs.

Best Answer

Here's how I did this..

I added this to jail.local:

[manban]
enabled  = true
filter   = manban
action   = iptables[name=HTTP, port="80,443,110,995,25,465,143,585,993,587,21,22", protocol=tcp]
logpath  = /var/log/manban.log
maxretry = 1
# 1 month
bantime  = 2592000
findtime = 3600

Then I added the file /etc/fail2ban/filter.d/manban.conf:

[Definition]
failregex = ^\[\w{1,3}.\w{1,3}.\d{1,2}.\d{1,2}:\d{1,2}:\d{1,2} \d{1,4}. \[error] \[client.<HOST>].File does not exist:.{1,40}roundcube.{1,200}
ignoreregex =

I copied the filter protocol of another filter but point it to a file that doesn't exist, then I created a dummy file:

touch /var/log/manban.log

then run the command:

fail2ban-client reload

Now to manually ban an IP address for one month, type:

fail2ban-client set manban banip <IP>

This did the trick.

There are clients now that "learn" your fail2ban bantime, and will automatically adjust their system probes to not get banned. But when you look at the logs, it's obvious these are system probes. You can mess up their systems by creating extraordinary long ban times. You could also write a script that could dump IPs matching a certain criteria to your special ban log and have fail2ban ban them for an extended period of time.

DIMMs

[dimm]
#
# execute these triggers when the rate of corrected or uncorrected
# errors per DIMM exceeds the threshold
# Note when the hardware does not report DIMMs this might also
# be per channel
# The default of 10/24h is reasonable for server quality·
# DDR3 DIMMs as of 2009/10
#uc-error-trigger = dimm-error-trigger
uc-error-threshold = 1 / 24h
#ce-error-trigger = dimm-error-trigger
ce-error-threshold = 10 / 24h

Sockets

[socket]
# Threshold and trigger for uncorrected memory errors on a socket
# mem-uc-error-trigger = socket-memory-error-trigger
mem-uc-error-threshold = 100 / 24h
# Threshold and trigger for corrected memory errors on a socket
mem-ce-error-trigger = socket-memory-error-trigger
mem-ce-error-threshold = 100 / 24h

Cache

[cache]
# Processing of cache error thresholds reported by Intel CPUs
cache-threshold-trigger = cache-error-trigger

Page

[page]
# Memory error accouting per 4K memory page
# Threshold for the correct memory errors trigger script
memory-ce-threshold = 10 / 24h
# Trigger script for corrected errors
# memory-ce-trigger = page-error-trigger

Triggers

Triggers can be controlled in this section.

[trigger]
# Maximum number of running triggers
children-max = 2
# execute triggers in this directory
directory = /etc/mcelog

Sample triggers

There are some sample triggers here on the mcelog github page.

Sample trigger script, `dimm-error-triggers`:

#!/bin/sh
#  This shell script can be executed by mcelog in daemon mode when a DIMM
#  exceeds a pre-configured error threshold
# 
# environment:
# THRESHOLD     human readable threshold status
# MESSAGE   Human readable consolidated error message
# TOTALCOUNT    total count of errors for current DIMM of CE/UC depending on
#       what triggered the event
# LOCATION  Consolidated location as a single string
# DMI_LOCATION  DIMM location from DMI/SMBIOS if available
# DMI_NAME  DIMM identifier from DMI/SMBIOS if available
# DIMM      DIMM number reported by hardware
# CHANNEL   Channel number reported by hardware
# SOCKETID  Socket ID of CPU that includes the memory controller with the DIMM
# CECOUNT   Total corrected error count for DIMM
# UCCOUNT   Total uncorrected error count for DIMM
# LASTEVENT Time stamp of event that triggered threshold (in time_t format, seconds)
# THRESHOLD_COUNT Total umber of events in current threshold time period of specific type
#
# note: will run as mcelog configured user
# this can be changed in mcelog.conf

logger -s -p daemon.err -t mcelog "$MESSAGE"
logger -s -p daemon.err -t mcelog "Location: $LOCATION"

[ -x ./dimm-error-trigger.local ] && . ./dimm-error-trigger.local

exit 0

Best Answer

Related Solutions

Ignore a specific ip for fail2ban

Linux – Writing triggers for mcelog