
@lanefu
Last active July 18, 2020 02:49
fail2ban apt repo abuse

fail2ban config for excessive apt update

apt install fail2ban

  • known issue: IPv6 addresses fail to block with the ufw banaction
  • currently only matches abuse of the stretch repo (the Contents-armhf/arm64 downloads).

see banned IPs

iptables -L ufw-user-input -n|fgrep REJECT

unban

fail2ban-client unban %IP%

configuration

modify the config, then run fail2ban-client reload

all paths below are relative to /etc/fail2ban/

./jail.local

# Defaults inherited by every jail that does not set its own banaction.
[DEFAULT]

# Apply bans through ufw. The notes on this page list a known issue where
# IPv6 addresses fail to block with this banaction.
banaction = ufw
banaction_allports = ufw

./jail.d/apt-repo-abuse.local


# Jail that bans clients which repeatedly fetch the apt Contents indexes.
[apt-repo-abuse]
enabled = true
port    = http,https
# nginx access log watched by this jail. Bans key on the client address logged
# there, so a shared NAT or an upstream proxy address would be banned as a whole.
# NOTE(review): confirm nginx logs the real client address here, and consider
# ignoreip for known-good sources (mirrors, monitoring).
logpath = /var/log/nginx/access-apt.log
# 24 matching requests within 4 hours trigger a 7-day ban.
bantime = 7d
maxretry = 24
findtime = 4h
# Uncomment to switch this jail to the dummy action while testing the filter
# (presumably so matches are recorded without changing firewall rules).
#banaction = dummy
filter = apt-repo-abuse

./fail2ban.d/logging-level.local

# Log level for the fail2ban server.
# NOTE(review): at NOTICE, ban and unban events should still be logged while
# per-match INFO lines are dropped -- confirm this leaves enough detail to
# investigate a disputed ban.
[Definition]

loglevel = NOTICE

./filter.d/apt-repo-abuse.local

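# Filter for the apt-repo-abuse jail: matches downloads of the stretch
# Contents indexes in the nginx access log.
[Definition]

# Sample access-log lines this filter is meant to match:
#98.246.95.223 - - [15/Jul/2020:06:25:37 +0000] "GET /dists/stretch/main/Contents-armhf.gz HTTP/1.1" 200 6404140 "-" "Debian APT-HTTP/1.3 (1.8.2)"
#98.246.95.223 - - [15/Jul/2020:06:25:38 +0000] "GET /dists/stretch/main/Contents-arm64.gz HTTP/1.1" 200 5957287 "-" "Debian APT-HTTP/1.3 (1.8.2)"

# <HOST> captures the client address at the start of the line. A line counts as
# a failure when a quoted field begins with GET, POST or HEAD followed by the
# stretch Contents-armhf.gz or Contents-arm64.gz path. The response status and
# the user agent are not checked.
# NOTE(review): the ".*" before the quote is unanchored, so the same text in a
# later quoted field (referer, user agent) would also match. It still only
# counts against the address that sent the request.
failregex = ^<HOST> -.*"(GET|POST|HEAD) /dists/stretch/main/Contents-(armhf|arm64)\.gz.*$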