Re: Fail2Ban Question: Can I do this without restarting the service?
On 08/16/2018 01:00 PM, Dave Sherohman wrote:
> On Wed, Aug 15, 2018 at 09:29:58PM -0400, cyaiplexys wrote:
>> Is there a better way to do this? I have a cron job that gathers IP
>> addresses that get more than 1,000 hits from the apache log file and that
>> gets put in the ip.blacklist.perm file.
>
> If (as the filename implies) you want to block these addresses
> permanently, then why are you using a tool designed to manage blocks
> dynamically (fail2ban)? Just use your preferred firewall management
> tool to add a rule to block them outside of fail2ban.
>
> For example, I manage my firewalls with ufw, so I would use 'ufw deny
> from $IP_ADDR'. It takes effect instantly, with no need to restart
> anything, and will be persistent across reboots.
>
> If you don't actually want them to be permanent, then you could instead
> create a fail2ban jail which detects IP addresses which have generated
> 1000 incoming requests to ports 80/443 within the last 60 minutes (or
> whatever timeframe your log analysis script looks at) and bans them for
> a week (or however long you like), without needing to wait for the log
> analysis script to run first. And you can also whitelist certain IPs in
> the jail config, if there are internal service monitoring machines or
> whatever which legitimately generate levels of traffic which would
> normally trigger a ban.

See, that all is way over my head. I don't understand this stuff as I'm
pretty much a total beginner in this. Do Debian and Debian-based
systems have the firewall installed and running by default? Are there
tutorials on how this stuff works?

I have no idea how to jail or whatever in fail2ban. Sounds like that's what I
want to do. Detect IP addresses hitting the server 1000 times in an hour
and then ban those for a good long while (week sounds good). I have no
clue how to do that. Also don't know how to whitelist.

I've googled. But the articles I've read were so confusing I had no idea
where to start or what to do.

I wish there was an easy tutorial for doing these things.
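
Added example (not part of the original thread): a fail2ban filter and jail of the kind described in the quoted reply, counting Apache requests per address and banning at 1000 within 60 minutes for one week, with a whitelist. The name apache-reqcount, the Debian log path and the 192.0.2.10 monitoring address are assumptions to adapt.

```ini
# ---- File 1: /etc/fail2ban/filter.d/apache-reqcount.conf (hypothetical name) ----
[Definition]
# Match every GET/POST/HEAD line in the access log, so each request
# counts as one "failure" for the client address captured by <HOST>.
failregex = ^<HOST> -.*"(GET|POST|HEAD)\s
ignoreregex =

# ---- File 2: /etc/fail2ban/jail.local (add this section) ----
[apache-reqcount]
enabled  = true
filter   = apache-reqcount
# Debian default access log location (assumption; adjust for your vhosts).
logpath  = /var/log/apache2/access.log
port     = http,https
# 1000 matching lines from one address ...
maxretry = 1000
# ... within 60 minutes (seconds) ...
findtime = 3600
# ... bans that address for one week (seconds).
bantime  = 604800
# Whitelist: never ban these. 192.0.2.10 is a placeholder for a
# monitoring host that legitimately generates heavy traffic.
ignoreip = 127.0.0.1/8 ::1 192.0.2.10

# Check the filter against the real log before enabling the jail:
#   fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-reqcount.conf
# Load the new configuration and inspect the jail:
#   fail2ban-client reload
#   fail2ban-client status apache-reqcount
```

Many users behind one NAT or proxy address are counted together and can reach the threshold, so review the banned list from the status command after the first few days and extend ignoreip where needed.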