Fail2Ban watch own log

This tutorial works for CentOS only. For a tutorial specific to your OS, use the tags or the search function in the sidebar area.

 

In this tutorial we will create a custom jail and filter that let us ban returning bad guys.

First, create the filter:

$ nano /etc/fail2ban/filter.d/prison.conf

and paste this:

# Fail2Ban configuration file
#
# Author: be.admin
# $Revision$
#

[Definition]

# Count all bans in the logfile; <HOST> captures the banned address
failregex = fail2ban.actions: WARNING \[(.*)\] Ban <HOST>

# Ignore our own bans, to keep our counts exact.
# In your config, name your jail 'prison', or change this line!
ignoreregex = fail2ban.actions: WARNING \[prison\] Ban
 

Next, add the jail below to /etc/fail2ban/jail.conf:

$ nano /etc/fail2ban/jail.conf

and paste this:

############### PRISON
[prison]
enabled = true
filter = prison
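# Additional actions go on indented continuation lines
action = iptables-allports[name=Go-to-Prison]
         sendmail-whois[name=Go-to-Prison, dest=your@domain.com]
# Alternative to iptables-allports (custom route action, see below):
#action = route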
logpath = /var/log/fail2ban.log
maxretry = 4
# 48h
findtime = 172800
# 2 weeks
bantime = 1209600
#######################
You can set your own maxretry, findtime and bantime values.

Save and exit.
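To see what the filter and the jail thresholds do together, here is an added example (not part of the original tutorial) that replays the two regexes and the maxretry/findtime values over a constructed log. The IPv4-only stand-in for `<HOST>`, the function name `repeat_offenders`, and the sample jail names and addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"fail2ban.actions: WARNING \[(.*)\] Ban " + HOST)
IGNOREREGEX = re.compile(r"fail2ban.actions: WARNING \[prison\] Ban")
MAXRETRY, FINDTIME = 4, timedelta(seconds=172800)  # values from the jail

# Constructed sample log; the last line is there to exercise ignoreregex.
SAMPLE_LOG = """\
2014-03-01 08:00:00,000 fail2ban.actions: WARNING [ssh-iptables] Ban 198.51.100.23
2014-03-01 10:00:01,101 fail2ban.actions: WARNING [ssh-iptables] Ban 203.0.113.7
2014-03-01 10:10:01,101 fail2ban.actions: WARNING [ssh-iptables] Unban 203.0.113.7
2014-03-01 12:00:00,000 fail2ban.actions: WARNING [apache-auth] Ban 203.0.113.7
2014-03-02 09:00:00,000 fail2ban.actions: WARNING [ssh-iptables] Ban 203.0.113.7
2014-03-02 20:00:00,000 fail2ban.actions: WARNING [ssh-iptables] Ban 203.0.113.7
2014-03-04 08:00:00,000 fail2ban.actions: WARNING [ssh-iptables] Ban 198.51.100.23
2014-03-04 09:00:00,000 fail2ban.actions: WARNING [ssh-iptables] Ban 198.51.100.23
2014-03-05 09:00:00,000 fail2ban.actions: WARNING [ssh-iptables] Ban 198.51.100.23
2014-03-06 01:00:00,000 fail2ban.actions: WARNING [ssh-iptables] Ban 192.0.2.50
2014-03-06 02:00:00,000 fail2ban.actions: WARNING [ssh-iptables] Ban 192.0.2.50
2014-03-06 03:00:00,000 fail2ban.actions: WARNING [ssh-iptables] Ban 192.0.2.50
2014-03-06 04:00:00,000 fail2ban.actions: WARNING [prison] Ban 192.0.2.50
"""

def repeat_offenders(log_text):
    """Hosts with >= MAXRETRY bans from other jails inside FINDTIME."""
    hits, banned = defaultdict(list), []
    for line in log_text.splitlines():
        if IGNOREREGEX.search(line):      # our own bans do not count
            continue
        m = FAILREGEX.search(line)
        if not m:                         # e.g. Unban lines
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        host = m.group("host")
        # Keep only earlier bans that are still inside the findtime window.
        hits[host] = [t for t in hits[host] if ts - t <= FINDTIME] + [ts]
        if len(hits[host]) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(repeat_offenders(SAMPLE_LOG))
```

On the server itself, `fail2ban-regex /var/log/fail2ban.log /etc/fail2ban/filter.d/prison.conf` runs the real filter against the real log.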

You can use the default iptables action or, if you wish, the custom action = route, which uses the kernel IP routing table to completely block the bad host and hide your whole server from it (and it works where iptables doesn't).

You can download from here: http://sh.beadmin.2tl.eu/fail2ban.tar.gz

or create it manually:

$ nano /etc/fail2ban/action.d/route.conf

and paste:

# Fail2Ban configuration file
[Definition]
# <ip> is replaced by fail2ban with the address being banned/unbanned
actionban = ip route add unreachable <ip>
actionunban = ip route del unreachable <ip>
actionstart =
actionstop =
actioncheck =
 

When you are done editing the files, restart the firewall service and fail2ban.

Restarting iptables with fail2ban

Every time iptables/the firewall is restarted or reloaded, Fail2Ban must be restarted as well; otherwise it won't find its own iptables chains. Keep this in mind.

$ service firewall restart && service fail2ban restart

[root@server][/etc/fail2ban/action.d]
$ service firewall restart