Bdtjtk

Currently I have been using iptables on a new Debian server running Asterisk.

Every day I have been checking auth.log for IP addresses and manually doing iptables -A INPUT -s IPA.DRE.SS.0/24 -j DROP

I was initially doing just IP addresses but many hits were coming from similar IP addresses so /24 has been working better, I have used /16 a couple of times.

Already I have hundreds of iptables entries and this is getting out of control! I know there must be an easier way to do this.

fail2ban has been recommended to me but it seems it blocks IPs only temporarily after a certain # of attempts.

The two main intrusion attempts I see are using false usernames and random ports.

Is it possible to, if an attempt is made to login with any username I am not currently using, to automatically permanently block the IP address? Same with ports that are not in use?

I also see a lot like this:

Did not receive identification string from (malicious IP) port 48334

I'd like to ban those IPs too.

I won't automatically block incorrect login attempts as if I fat-finger the password that could lock me out. But perhaps a permanent ban on an IP after 3 attempts will suffice.

Can I do this with iptables? I haven't found anything regarding "permanent bans" that work like this, it seems it just works more in the moment.

I'd more or less like to accomplish what I've been doing manually; permanently blocking IP ranges after a single wrong username login, a single wrong port connection, or 3 incorrect login attempts (with correct username). I'm hoping this will prevent auth.log from getting spammed.

fail2ban can be configured for permanent bans by setting bantine to -1

In jail.conf

bantime = -1 

These will be lost on a reboot, but that's not necessarily a bad thing because so many attempts will be transient from pwned home machines in a botnet...

If you want persistence, then https://arno0x0x.wordpress.com/2015/12/30/fail2ban-permanent-persistent-bans/ may give some guidance.

Essentially modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot...

So if you check your default jail.conf you may find the default action is iptables-multiport. This corresponds to the configuration file /etc/fail2ban/ction.d/iptables-multiport.conf

We can add the following entries:

[Definition]

# Option:  actionstart

# Notes.:  command executed once at the start of Fail2Ban.

# Values:  CMD

#

actionstart = iptables -N fail2ban-<name>

              iptables -A fail2ban-<name> -j RETURN

              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

          cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}' 

          | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done



# Option:  actionstop

# Notes.:  command executed once at the end of Fail2Ban

# Values:  CMD

#

actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

             iptables -F fail2ban-<name>

             iptables -X fail2ban-<name>



# Option:  actioncheck

# Notes.:  command executed once before each actionban command

# Values:  CMD

#

actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ t]'



# Option:  actionban

# Notes.:  command executed when banning an IP. Take care that the

#          command is executed with Fail2Ban user rights.

# Tags:    See jail.conf(5) man page

# Values:  CMD

#

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>

        echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans

Now, when fail2ban flags an entry it will add a line to /etc/fail2ban/persistent.bans (via the actionban configuration). When fail2ban starts up it calls actionstart which reads this file and builds the iptables rules necessary.

Of course, fail2ban needs restarting after any of the configuration files are changed.

All credit to "arno0x0x" and his wordpress site for this recipe.