Re: Fail2Ban Question: Can I do this without restarting the service?
On Thu 16 Aug 2018 at 14:07:02 -0400, cyaiplexys wrote:
> On 08/16/2018 01:00 PM, Dave Sherohman wrote:
> > On Wed, Aug 15, 2018 at 09:29:58PM -0400, cyaiplexys wrote:
> > > Is there a better way to do this? I have a cron job that gathers IP
> > > addresses that get more than 1,000 hits from the apache log file and that
> > > gets put in the ip.blacklist.perm file.
> >
> > If (as the filename implies) you want to block these addresses
> > permanently, then why are you using a tool designed to manage blocks
> > dynamically (fail2ban)? Just use your preferred firewall management
> > tool to add a rule to block them outside of fail2ban.
> >
> > For example, I manage my firewalls with ufw, so I would use 'ufw deny
> > from $IP_ADDR'. It takes effect instantly, with no need to restart
> > anything, and will be persistent across reboots.
> >
> > If you don't actually want them to be permanent, then you could instead
> > create a fail2ban jail which detects IP addresses which have generated
> > 1000 incoming requests to ports 80/443 within the last 60 minutes (or
> > whatever timeframe your log analysis script looks at) and bans them for
> > a week (or however long you like), without needing to wait for the log
> > analysis script to run first. And you can also whitelist certain IPs in
> > the jail config, if there are internal service monitoring machines or
> > whatever which legitimately generate levels of traffic which would
> > normally trigger a ban.
> >
>
> See, that all is way over my head. I don't understand this stuff as I'm
> pretty much a total beginner in this. Does Debian and Debian based systems
> have the firewall installed and running by default? Are there tutorials on
Debian? No.
--
Brian.
Reply to: