Set up Fail2ban to block rogue IP addresses

I will start this and hope it will become a community thread full of updates to secure our gateways.

Make sure you add -logfilepath=/var/log/gateway.log to your diode gateway command, and create the log file /var/log/gateway.log (the gateway writes to it but does not create it) by running the following:

touch /var/log/gateway.log

Setting Up Fail2Ban

1. Update Your System

First, ensure your system is up to date:

sudo apt update && sudo apt upgrade -y

2. Install Fail2Ban

Install Fail2Ban using the following command:

sudo apt install fail2ban -y

3. Start the Service

Start the Fail2Ban service:

sudo systemctl enable --now fail2ban

Configuring Fail2Ban (jail.local)

Fail2Ban reads configuration files in a specific order: .conf files first, followed by .local files that override any settings. Let’s create a custom .local configuration for Fail2Ban.

  1. Create a custom jail configuration file:
  • Copy the default jail.conf to jail.local (or start with an empty jail.local that holds only the jails you change: every value in a .local file overrides the .conf value, and an untouched jail.conf keeps receiving the package's defaults on upgrade):
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  2. Edit the jail.local file:
  • Open jail.local in your preferred text editor (e.g., nano, vim, or gedit):
sudo nano /etc/fail2ban/jail.local
  3. Customize jails:
  • Inside the jail.local file, you’ll find the various jail configurations.
  • Find the relevant jails (e.g., [sshd], [nginx-http-auth], etc.); the jail sections are all present but disabled by default.
  • Set enabled = true for the jails you want to activate.
  4. Adjust ban parameters:
  • Customize ban parameters such as maxretry (failures before a ban), findtime (the window those failures must fall in) and bantime (how long the ban lasts; plain numbers are seconds, and units such as 1h are accepted) according to your needs.
  • For example, to ban an IP after 3 failed attempts for 1 hour:
[sshd]
enabled = true
maxretry = 3
bantime = 3600
  5. Save and close the file.
  6. Restart Fail2Ban:
sudo systemctl restart fail2ban

Now create your own jail for the diode gateway:

sudo nano /etc/fail2ban/jail.local

Paste in the following content (and edit it to your needs); it should look similar to this:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 300
bantime = 28800
ignoreip = 127.0.0.1

[gateway]
enabled = true
port = 1080,443
filter = gateway
logpath = /var/log/gateway.log
maxretry = 3
bantime = 28800
ignoreip = 127.0.0.1
  1. Create the filter:

sudo vim /etc/fail2ban/filter.d/gateway.local

Paste the following into gateway.local:

[Definition]
# Each failregex line must contain <HOST> (the client address to ban); fail2ban refuses to load a filter whose pattern has no <HOST>, and the jail then does not start.
failregex = Failed to connect host: <HOST>
ignoreregex =
# These errors also appear in the gateway log, but as written they carry no <HOST>; add <HOST> where the client address appears in your log lines before enabling them:
#            ERROR Target not a valid fallback ip .*:443 (lookup .* on 127\.0\.0\.53:53: no such host|proxy to loopback is not allowed)|ERROR Handshake failed socks(5 IPv4 not supported \(only domain names\)| version not supported)

  2. Restart the service:
sudo systemctl restart fail2ban.service

Once the gateway is writing the log, Fail2Ban monitors /var/log/gateway.log and bans an IP after 3 failed attempts (maxretry = 3) that fall within the findtime window (10 minutes by default, since the [gateway] jail above does not set one), for 8 hours (bantime = 28800).
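The script below is an added example, not code from the original post or from the diode or fail2ban projects. It re-implements, in Python, the two things fail2ban does with this jail so they can be checked offline: it validates the failregex lines quoted above the way fail2ban does (a pattern with no <HOST> is rejected), and it runs the loadable pattern over a constructed sample log and applies the jail's maxretry, findtime and ignoreip settings with a sliding window to show which address would actually be banned. The timestamp format of the sample lines is an assumption (the real gateway log format is not shown here), and HOST_RE is a simplified stand-in for fail2ban's own <HOST> expansion.

```python
#!/usr/bin/env python3
"""Offline dry-run of the [gateway] fail2ban jail.

Added example, not part of the original post or of fail2ban/diode. Assumptions:
each gateway log line starts with an ISO-8601 timestamp, and <HOST> is
approximated by the simplified HOST_RE below.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban substitutes <HOST> with its own address regex; this simplified one is an assumption.
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

# Patterns exactly as they appear in the post's filter.d/gateway.local.
FAILREGEX = [
    r"Failed to connect host: <HOST>",
    r"ERROR Target not a valid fallback ip .*:443 (lookup .* on 127\.0\.0\.53:53: no such host"
    r"|proxy to loopback is not allowed)|ERROR Handshake failed socks"
    r"(5 IPv4 not supported \(only domain names\)| version not supported)",
]

# Settings from the post's jail.local [gateway] section; findtime is fail2ban's
# default of 10 minutes because that jail does not set one.
MAXRETRY = 3
FINDTIME = timedelta(seconds=600)
IGNOREIP = {"127.0.0.1"}

# Constructed sample log, not real gateway output; the timestamp format is assumed.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z Failed to connect host: 203.0.113.7
2024-05-01T10:00:02Z Failed to connect host: 127.0.0.1
2024-05-01T10:00:03Z Failed to connect host: 203.0.113.7
2024-05-01T10:00:04Z Failed to connect host: 127.0.0.1
2024-05-01T10:00:05Z Failed to connect host: 198.51.100.9
2024-05-01T10:00:06Z Failed to connect host: 127.0.0.1
2024-05-01T10:00:08Z Failed to connect host: 203.0.113.7
2024-05-01T10:30:00Z Failed to connect host: 198.51.100.9
2024-05-01T10:30:02Z Failed to connect host: 198.51.100.9
2024-05-01T10:31:00Z ERROR Handshake failed socks version not supported
"""


def validate_failregex(patterns):
    """Return {pattern: error or None}. Like fail2ban, a pattern without <HOST> is rejected."""
    result = {}
    for pat in patterns:
        if "<HOST>" not in pat:
            result[pat] = "No failure-id group: pattern has no <HOST>, fail2ban will not load this filter"
            continue
        try:
            re.compile(pat.replace("<HOST>", HOST_RE))
            result[pat] = None
        except re.error as exc:
            result[pat] = f"Invalid regex: {exc}"
    return result


def extract_failures(log_text, patterns):
    """Return [(timestamp, host)] for every log line matched by a loadable failregex."""
    compiled = [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns if "<HOST>" in p]
    failures = []
    for line in log_text.splitlines():
        stamp, _, message = line.partition(" ")
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        for rx in compiled:
            m = rx.search(message)
            if m:
                failures.append((ts, m.group("host")))
                break
    return failures


def decide_bans(failures, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Per-host sliding window like fail2ban's: ban once maxretry failures fall within findtime.

    Returns {host: timestamp of the failure that triggered the ban}."""
    window = defaultdict(deque)
    banned_at = {}
    for ts, host in sorted(failures):
        if host in ignoreip or host in banned_at:
            continue
        q = window[host]
        q.append(ts)
        while q and ts - q[0] > findtime:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned_at[host] = ts
    return banned_at


if __name__ == "__main__":
    for pat, err in validate_failregex(FAILREGEX).items():
        print("OK  " if err is None else "FAIL", pat[:60], err or "")
    for host, ts in decide_bans(extract_failures(SAMPLE_LOG, FAILREGEX)).items():
        print(f"ban {host} at {ts:%H:%M:%S}")
```

With the sample above, 203.0.113.7 is banned at its third failure (three within seven seconds), 198.51.100.9 is not (its first failure is half an hour before the other two, so only two fall inside findtime), and 127.0.0.1 is skipped because of ignoreip. On the real host, run the same two checks with fail2ban's own tools: fail2ban-regex /var/log/gateway.log /etc/fail2ban/filter.d/gateway.local tests the filter against the actual log, and sudo fail2ban-client status gateway shows the jail's current bans.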

Additional Notes

  • Fail2Ban is meant to complement secure firewall rules, not replace them.
  • Monitor Fail2Ban logs (/var/log/fail2ban.log) for any ban activity.

Remember to replace placeholders (such as service names) with the actual values for your setup. If you encounter any issues or need further assistance, feel free to ask!
