# Fail2Ban configuration file
#
# List of blocked ip addresses
#
# Server: Nginx
# Author: Sergej Müller
#
# File path: /etc/fail2ban/filter.d/ip-blacklist.conf
[Definition]
# Option: failregex
# Notes : Detection of blocked ip addresses.
# Values: TEXT
#
failregex = ^<HOST> \[.*\]$
# Option: ignoreregex
# Notes : Regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

5.9.111.18 [29/12/2013 12:00:00]

# File path: /etc/fail2ban/jail.local
[ip-blacklist]
enabled = true
banaction = iptables-allports
port = anyport
filter = ip-blacklist
logpath = /etc/fail2ban/ip.blacklist
maxretry = 0
findtime = 15552000
bantime = -1
It works fine.. Ubuntu 14.04 - Thanks for it
Hello, thanks for the examples,
in the blog post the <HOST> is still missing from the failregex; it was probably stripped as an HTML tag.
Despite entries in the ip-blacklist, none are detected/blocked:
# fail2ban-client status ip-blacklist
Status for the jail: ip-blacklist
|- filter
| |- File list: /etc/fail2ban/ip.blacklist
| |- Currently failed: 0
| `- Total failed: 0
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 0
What could be the cause?
Hi,
I have the same problem as j-schumann: everything is OK so far, fail2ban-regex also finds the entries in the file, but after a restart nothing is blocked.
Or does that only happen on the next "visit" from one of the IP addresses?
Thanks,
Sven
Server: CentOS 6.6
fail2ban: fail2ban-0.8.14-1.el6.noarch
After setting up and starting the filter, nothing is blocked in iptables
ip.blacklist
5.9.152.105 [03/03/2015 11:25:00]
For newer fail2ban versions (0.9) the jail should read as:
[ip-blacklist]
enabled = true
action = iptables-allports[name=ip-blacklist]
filter = ip-blacklist
logpath = /etc/fail2ban/ip.blacklist
maxretry = 0
findtime = 15552000
bantime = -1
As the people above reported, no addresses are blocked, except the file is written once; then all lines are parsed and blocked.
Aww not working for me. Tried your fix 'weberhofer' but not fixed at all.
This does not work for me with Fail2Ban v0.9.4:
My jail.local is exactly as proposed by weberhofer above, my ip-blacklist.conf is exactly as the one on top. This is a line of my /etc/fail2ban/ip.blacklist:
185.110.132.202 [2016-12-01 12:00:00]
And these are some lines of my /var/log/fail2ban.log:
2016-12-22 04:41:31,431 fail2ban.actions [2800]: NOTICE [sshd] Ban 185.110.132.202
2016-12-22 04:41:31,992 fail2ban.actions [29765]: NOTICE [sshd] Ban 185.110.132.202
2016-12-22 05:11:32,125 fail2ban.actions [2800]: NOTICE [sshd] Unban 185.110.132.202
2016-12-22 05:11:32,754 fail2ban.actions [29765]: NOTICE [sshd] Unban 185.110.132.202
Apparently 185.110.132.202 is only blocked for 30 minutes according to the standard sshd jail, the content in ip.blacklist is ignored.
Further question: Why is there a double entry for that ip?
same problem here, but I found another solution. In my opinion easier and cleaner:
https://zach.seifts.us/posts/2013/07/14/how-make-fail2ban-bans-persistent
It works editing (make a backup!) of '/etc/fail2ban/action.d/iptables-multiport.conf'. I don't use 'actionban', so I add the IP addresses by myself and then restarting the service.
tested with: Fail2Ban v0.9.1
I had the problem with nothing from the ip.blacklist file being blocked, too. Doing some debugging with the fail2ban-regex tool helped me. Putting correctly formatted dates behind the blacklisted IPs did the trick. While entries like 111.222.333.444 [24.05.2017 11:22:33] do not work entries like 111.222.333.444 [May 24 11:22:33] do.
BTW after starting the jail you need to modify the ip.blacklist file and add another valid entry in order to get this new entry blocked!
like:
backend = auto
logpath = /var/log/httpd/access_log
for syslog:
backend = systemd
I also had the problem with the contents of the blacklist being mostly ignored. Instead a random other list was shown. The problem seems to have been that I not only appended to the file but also deleted some older entries and fail2ban will cache all matches and not look at lines before the last saved position. No restarting, reloading, deleting and readding the logpath or the file itself helped it. I had to force a reparse by deleting the internal database with:
sudo rm $( sudo fail2ban-client get dbfile | sed -nr 's|`- ||p' )
You can see from where it parses the log file in /var/log/fail2ban.log which contains lines like:
Added logfile: '/etc/fail2ban/ip.blacklist' (pos = 1, hash = adc83b123493491b1c6e12345676cd9f32e592fc)
pos seems to be the last read line number.
I would like to test this solution but I get the following error
/etc/init.d/fail2ban start
Starting fail2ban: WARNING 'action' not defined in 'ip-blacklist'. Using default one: ''
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
WARNING No actions were defined for ip-blacklist
[ OK ]
What's wrong?
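A pre-check for the ip.blacklist file discussed in this thread, as an added example that is not part of the gist or of any comment: it tests each line against the shape of the gist's failregex, validates the address, and flags timestamps older than the jail's findtime. The timestamp layouts, the sample entries, the fixed "now", and the assumption that entries older than findtime are not counted are all choices made for this example.

```python
import ipaddress
import re
from datetime import datetime

FINDTIME = 15552000  # seconds; the jail's findtime on this page (180 days)
# Same shape as the gist's failregex "^<HOST> \[.*\]$"; <HOST> is captured
# as a bare token here and validated separately.
LINE_RE = re.compile(r"^(?P<host>\S+) \[(?P<stamp>.*)\]$")
# Timestamp layouts used in the blacklist lines quoted on this page.
# Which layouts fail2ban itself recognises is not decided here.
FORMATS = ("%d/%m/%Y %H:%M:%S", "%Y-%m-%d %H:%M:%S")

def check_line(line, now):
    """Classify one blacklist line: ok, no-match, bad-ip, bad-date or stale."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "no-match"
    try:
        ipaddress.ip_address(m["host"])
    except ValueError:
        return "bad-ip"
    for fmt in FORMATS:
        try:
            stamp = datetime.strptime(m["stamp"], fmt)
        except ValueError:
            continue
        # Assumption: an entry stamped before now - findtime is not counted.
        return "stale" if (now - stamp).total_seconds() > FINDTIME else "ok"
    return "bad-date"

def lint(text, now):
    """Return (line number, verdict, line) for every non-blank, non-ok line."""
    report = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip():
            verdict = check_line(line, now)
            if verdict != "ok":
                report.append((no, verdict, line.strip()))
    return report

# Constructed sample file; addresses come from documentation ranges.
SAMPLE = """\
192.0.2.10 [2016-12-01 12:00:00]
198.51.100.7 [29/12/2013 12:00:00]
203.0.113.300 [2016-12-01 12:00:00]
192.0.2.11 2016-12-01 12:00:00
198.51.100.8 [24.05.2017 11:22:33]
"""
NOW = datetime(2016, 12, 22, 12, 0, 0)  # constructed "current time"
print(lint(SAMPLE, NOW))
```

A line reported as ok here can still go unbanned for the reasons given in the comments above, such as the saved read position in the file.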