Feature Request: autobans/manual bans #30
Comments
I agree, this would be a nice feature. What's an easy way to implement this on our own?
Such a feature would be awesome!
👍
This feature will be implemented at some point, BUT...
You can use iptables to drop packets on the server! I don't think auto-ban is a really good idea... because you have to deal with different thresholds depending on the type of alert! If you don't want to choose one firewall (such as iptables or nftables) you could implement a custom user command, passing the IP to block as a parameter. That function would be perfect for my gateway!
As for me, my preferences would go both ways: this would be pretty much similar to what fail2ban does but going beyond it (many more attack types recognized in maltrail, and not having to define all those jails), and with the UI that's already here that would be a perfect tool :)
👍 Suggestion: a maltrail.conf command entry would suffice to add iptables rules via any of the major iptables helper programs such as csf, apf, shorewall or just plain iptables. Something like: USE_CSF true. My two centavos 👍 keep up the great work!
Great idea 👍!
@ALL auto-generating a feed of today's "known attackers"/"bad reputation" IPs that appeared more than N times in a short time-period (e.g. more than once in a 1 second period). This should be pretty "safe" to implement (and block).
<maltrail_server_ip>:8338/bad.txt would list all those "bad" IPs, line-break separated, as in the case of https://www.badips.com/get/list/any/2?age=7d
Then, you can do the automatic banning from any point outside by just doing the curl at some time interval, e.g.:
for i in $(curl https://www.badips.com/get/list/any/2?age=7d); do echo $i; done 2>/dev/null
Does this sound good?
Hi all. This looks great. We can then have csf or any other iptables script daemon monitor said file for changes to include in the ruleset.
> @ALL auto generating feed of today's "known attackers"/"bad reputation" IPs that appeared more than N times in a short time-period (e.g. more than once in a 1 second period). This should be pretty "safe" to implement (and block)
> <maltrail_server_ip>:8338/bad.txt would enlist all those "bad" IPs line-break separated, like in case of https://www.badips.com/get/list/any/2?age=7d
> Then, you can do the automatic banning from any point outside by just doing the curl in some time periods, e.g.:
> for i in $(curl https://www.badips.com/get/list/any/2?age=7d); do echo $i; done 2>/dev/null
> does this sound good?
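The scheme discussed above (maltrail publishing a bad.txt list, an external curl loop banning what it returns) as an added shell example that is not maltrail's own code: it reads such a list, rejects anything that is not a well-formed IPv4 address, skips addresses already banned, and prints the iptables rules instead of executing them. The bad.txt URL, the constructed sample feed and the applied-IPs state file are assumptions.

```shell
#!/bin/sh
# Added example (not maltrail's own code): turn a line-separated IP feed such
# as the proposed <maltrail_server_ip>:8338/bad.txt into iptables DROP rules,
# validating every line so a malformed or tampered feed entry never reaches a
# firewall command. The feed format and applied-IPs file are assumptions.

# 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255, else 1.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# Read the feed on stdin; print an iptables command for each valid IP not yet
# in the applied-IPs file $1 (one IP per line) and record it there.
feed_to_rules() {
    applied=$1
    while IFS= read -r line || [ -n "$line" ]; do
        ip=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')   # strip comment, CR
        [ -n "$ip" ] || continue
        if ! is_ipv4 "$ip"; then
            printf 'skipping malformed feed entry: %s\n' "$line" >&2
            continue
        fi
        grep -qxF "$ip" "$applied" 2>/dev/null && continue   # already banned
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
        printf '%s\n' "$ip" >> "$applied"
    done
}

# Constructed sample feed standing in for the curl output; the duplicate and
# the two bad lines exercise the checks.
SAMPLE_FEED='198.51.100.7
203.0.113.9
198.51.100.7
999.1.1.1
not-an-ip'

# Run the sample through the filter with a fresh applied-IPs file.
demo() {
    state=$(mktemp)
    printf '%s\n' "$SAMPLE_FEED" | feed_to_rules "$state"
    rm -f "$state"
}
demo
```

To use it against a live feed, replace the sample with `curl -s <maltrail_server_ip>:8338/bad.txt | feed_to_rules <state file>` and pipe the printed rules into sh once you trust the output.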
https://github.com/trick77/ipset-blacklist how about including this one?
@Babzsak you mean lists from there? The majority of those are already being used in maltrail
I do it like this:
I did it with fail2ban by creating filter.d/maltrail.conf with this failregex:
@pierrehegr what you wrote here is not enough. I wrote a definition and configuration for fail2ban; it also works with VestaCP. Take a look at my gist: If you like my gist, then give it a star!
Look for
Does maltrail support csf autobans?
@podivilov you have the means to apply recognized malicious IPs to whatever mechanism you require (even csf). Please take a look at #9313 (comment). By the same principle you can propagate the "blacklist" to whatever "autoban" system you use.
Sounds good. Thank you! Mikhail Podivilov
I love the software, well done, easy to use, but so far it's a passive tool.
Adding a button that would launch:
iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP (xxx being the offender IP) on each offender line.
Could even add it as an autobanning feature, with maybe a threshold like fail2ban.
That would certainly make my day :)
(Could even make it an option to autoban the known mass scanners at first start.)
(I'm not forgiving: my fail2ban jails ban for a week the first time, and for a year in case of a repeat offence, but fail2ban is not that easy to configure, especially for new jails; this, with banning features, could really be a better solution.)