*** First to say: I admire fail2ban idea and humbly expose following code ***
I was watching `tail -f /var/log/fail2ban.log` and noticed there are some families of IPs trying to hack fail2ban's timing rules. The idea is to use a certain IP from a family at intervals that avoid banning.
Then I've extracted the incidence grouped by IP and got something like:
163 => 68.183.231.87
96 => 157.245.76.188
57 => 206.189.188.71
The antidote for those IPs is to periodically detect and deliberately ban:
```bash
#!/bin/bash
# Count the "Found <ip>" lines in fail2ban.log per IP and, optionally, ban every
# address whose total exceeds a severity threshold via the recidive jail.
declare -A IPS    # ip -> number of "Found" lines
declare -A HITS   # hit count -> space-separated IPs that share that count
TOTAL=0
chain=recidive
ban=
severity=50
list_offset=30
detect=
while getopts "bc:s:d:ho:" arg; do
    case $arg in
        b) ban=true ;;
        c) chain=$OPTARG ;;
        s) severity=$OPTARG ;;
        d) detect=$OPTARG ;;
        o) list_offset=$OPTARG ;;
        h)
            cat "$0"   # help: show the script itself (was a hard-coded path)
            exit 0
            ;;
    esac
done
shopt -s lastpipe # the while loop is the last stage of a pipe (a subshell): run it in the script's own shell so its variables survive
grep -Eo "Found [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /var/log/fail2ban.log |
while read -r text ip; do
    TOTAL=$((TOTAL + 1))
    IPS[$ip]=$(( ${IPS[$ip]:-0} + 1 ))   # per-IP counter
done
for key in "${!IPS[@]}"; do
    hit=${IPS[$key]}
    if [ -n "$detect" ] && [[ "$detect" == "$key" ]]; then
        echo -e "DETECTED_IP: $key => $hit entries\n"
        nft list ruleset | grep -e "addr-set-[^\{]*{" -e "$key"   # which nft set, if any, already holds it
        if [ -n "$ban" ]; then
            fail2ban-client set "$chain" banip "$key"
        fi
        exit 0
    fi
    HITS[$hit]+=" $key"   # group IPs by their hit count
    if [ -n "$ban" ] && [ "$hit" -gt "$severity" ]; then
        fail2ban-client set "$chain" banip "$key" >/dev/null
    fi
done
if [ -n "$detect" ]; then
    echo "NOT DETECTED : $detect"
    exit 0
fi
# display statistics
for k in "${!HITS[@]}"; do
    if [ "$k" -ge "$list_offset" ]; then
        echo "$k => ${HITS[$k]}"
    fi
done | sort -nr
echo -e "\nFOUND $TOTAL : UNIQUE ${#IPS[@]}"
```
```bash
crontab -e
nano /path_here/f2bc_seek_and_ban
```
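The evasion the post describes (spacing attempts so a jail's maxretry never trips inside findtime) can be detected directly rather than by raw totals alone. The following added example, which is not part of the original post or of fail2ban, parses constructed fail2ban.log lines and flags IPs whose overall count is high while their peak inside any findtime window stays below maxretry; the thresholds, function names and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in fail2ban.log format (not taken from the original post).
# 192.0.2.10 spaces its attempts 15 min apart, so a jail with maxretry=3 and
# findtime=600 never trips; 198.51.100.7 bursts and is caught by the jail.
SAMPLE_LOG = """\
2024-03-01 10:00:00,001 fail2ban.filter [123]: INFO [sshd] Found 192.0.2.10 - 2024-03-01 10:00:00
2024-03-01 10:15:00,002 fail2ban.filter [123]: INFO [sshd] Found 192.0.2.10 - 2024-03-01 10:15:00
2024-03-01 10:30:00,003 fail2ban.filter [123]: INFO [sshd] Found 192.0.2.10 - 2024-03-01 10:30:00
2024-03-01 10:45:00,004 fail2ban.filter [123]: INFO [sshd] Found 192.0.2.10 - 2024-03-01 10:45:00
2024-03-01 11:00:01,005 fail2ban.filter [123]: INFO [sshd] Found 198.51.100.7 - 2024-03-01 11:00:01
2024-03-01 11:00:02,006 fail2ban.filter [123]: INFO [sshd] Found 198.51.100.7 - 2024-03-01 11:00:02
2024-03-01 11:00:03,007 fail2ban.filter [123]: INFO [sshd] Found 198.51.100.7 - 2024-03-01 11:00:03
2024-03-01 11:00:04,008 fail2ban.actions [123]: NOTICE [sshd] Ban 198.51.100.7
"""

# Timestamp at the start of the line plus the address after "Found".
FOUND_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*?\bFound (\d{1,3}(?:\.\d{1,3}){3})\b")

def found_events(log_text):
    """Map each IP to the sorted list of times it produced a 'Found' line."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            events[m.group(2)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return {ip: sorted(ts) for ip, ts in events.items()}

def max_hits_in_window(times, findtime):
    """Largest number of events falling inside any window of length findtime."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > findtime:   # slide the window's left edge
            start += 1
        best = max(best, end - start + 1)
    return best

def low_and_slow(log_text, maxretry=3, findtime=timedelta(seconds=600), severity=4):
    """IPs seen at least `severity` times overall that never reach `maxretry`
    hits inside one findtime window: the jail alone will never ban them."""
    suspects = {}
    for ip, times in found_events(log_text).items():
        peak = max_hits_in_window(times, findtime)
        if len(times) >= severity and peak < maxretry:
            suspects[ip] = (len(times), peak)   # (total hits, peak per window)
    return suspects
```

Feed it the real log and the returned addresses are the ones worth handing to `fail2ban-client set recidive banip`, while a bursting address like 198.51.100.7 is left to the jail that already catches it.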