I'm sorry, but I can't for the life of me figure out how to simply ban an IP range using fail2ban. All I get when I google search is halfway-usefull stackexchange threads with no clear answer.
I see commands like this:
sudo fail2ban-client -vvv set JAIL banip 11.22.33.44
sudo fail2ban-client set ssh-iptables banip 11.22.33.44
But these just result in the response: sorry but the jail does not exist.
Is there really no single command to simply ban an ip range from my server, from all ports?
Please help.
IP ranges are written in what's called "CIDR notation". Using this format,
you can use any range of IP addresses in Fail2Ban.
You'll probably need what's called a "CIDR calculator" - google that phrase
and you'll easily find one.
IP ranges are written like this: 1.2.3.0/24 - that is the range
1.2.3.0-1.2.3.255
Similarly 1.2.0.0/16 gives you 1.2.0.0-1.2.255.255 - you can have huge
ranges or small ranges. Even 1.2.3.4-1.2.3.7 can be done: it's 1.2.3.4/30
So, find a CIDR calculator, type in the actual range of numbers and it'll
give you the "notation" for that range.
Then, to ban a range you just type the normal ban command:
fail2ban-client set jailnamehere banip 1.2.3.0/24
That will ban the whole range.
If you're typing in a command and getting "no jail of that name", it means
there's a problem with your configuration, or you're making a spelling
mistake :-) - the program is really solid on handling things like that, so
if the jail name exists it'll ban the IP.
I just want to check
Do you have experience with the program, for example do you use jails and
log files and rules already? Do you know what a jail is? All banning MUST
be done through a "jail" because jails contain details such as: whether to
ban one, some or all ports, whether to email you the result, how long to
ban the IP for, what specific Linux banning system to use, what specific
log file entries the program is looking for and what log files to look at.
If you know all that but still just want to ban a range of IPs, you still
must do it using an existing jail.
You can set up an "I don't care, just ban this IP range" jail.
I have one, called "nuke". I use it to ban most of Amazon's AWS servers cos
they're just used by spammers to relentlessly suck up my pages, try to
break into my websites etc. My websites don't use any services/apps
provided by people using Amazon Web Services, so I'm safe blocking those IP
addresses - and I found I was saving gigabytes a month in traffic, as well
as cutting down hacking attacks by 90%.
But you do have to put a bit of work in to create the jail you want - cos
remember, Fail2Ban isn't just meant as a "ban this IP" program, its entire
design is based on reading log files and finding phrases that you told it
to look for, and then take actions that you specify.
So, because that's how it's built, it was never designed just to block an
IP address. It was designed to block IP addresses that broke rules you
designed.
The sort of method you want to use is great as a secondary method, once
you've got Fail2Ban set up to read all the logs and check all the other
rules you've set - the "just block this range and don't ask me any
questions" setup is a good additional thing to use Fail2Ban for.
What I do is create a fake rule, create a real jail called "nuke", and then
use that real jail to ban ranges of IP addresses that are always up to no
good.
But the jail/rule must be set up for Fail2Ban to work.
If you want more info on how to do what we both want to do, let me know -
cos it is a useful secondary way to use Fail2Ban. I can guide you through
it.
But if you don't really use Fail2Ban at all and simply want to ban IP
addresses, there are easier ways to do it, using software that doesn't
require Fail2Ban's resources.
On Tue, 23 Oct 2018 at 05:00, Tectract notifications@github.com wrote:
I'm sorry, but I can't for the life of me figure out how to simply ban an
IP range using fail2ban. All I get when I google search is halfway-usefull
stackexchange threads with no clear answer.I see commands like this:
sudo fail2ban-client -vvv set JAIL banip 11.22.33.44
sudo fail2ban-client set ssh-iptables banip 11.22.33.44But these just result in the response: sorry but the jail does not exist.
Is there really no single command to simply ban an ip range from my
server, from all ports?Please help.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/fail2ban/fail2ban/issues/2261, or mute the thread
https://github.com/notifications/unsubscribe-auth/AEwhqOMV6_gxTdDSQl-R7-41_oUGW2khks5unpRNgaJpZM4X0qH5
.>
Tony Collins
wow, this is an amazing response, lol. Thank you, I'll have to digest this.
lol, ok I have parsed this response:
fail2ban-client set jailnamehere banip 1.2.3.0/24
This is really not useful. It's not a one-liner you can use from the command line. This will simply result in the error message:
'jailnamehere' does not exist.
When your server is under attack you don't want to be playing around with development testing and config files. This is a glaring, glaring problem for fail2ban imho. There should be a simple way to ban IP addresses. Maybe that would mean having a default jail that could be used for that purpose.
I ended up using iptables commands like this:
sudo iptables -A INPUT -s 1.2.3.4 -j DROP
sudo iptables -I INPUT -m iprange --src-range 1.2.3.0-1.2.3.255 -j DROP
You've definitely misunderstood what Fail2Ban is for.
What I was explaining to you in my email was that the reason you get
"jailnamehere does not exist" is because fail2ban was NEVER intended to be
a simple command line banning tool. That's what my email was saying - if
you want to just ban a range of email addresses without checking log
files, you need a different tool.
So it's not a glaring problem for Fail2Ban to not be able to simply ban IP
addresses in the way you want. Fail2Ban is *designed to monitor log files *and
then ban IP addresses, using what it calls "jails". That's its function.
That's what I explained in my email. Fail2Ban is doing exactly what it was
designed to do, exactly the way it was designed to do it. Its command line
tools are additional things you can use for testing and config checking. It
simply isn't designed to do what you want to do.
So if a piece of software is created with the explicit goal of monitoring
log files, then it's not a problem for it to require a log file-related
config to be used when you want to ban a file.
I'm glad you're using iptables - cos again, as I said in my email, that's
the sort of tool you want if you don't want to use Fail2Ban for what it was
designed for. Fail2Ban itself uses iptables. All it does is automate the
things you're doing manually.
However, Fail2Ban is about 5,000 times better than realising you're under
attack and sitting at a terminal typing in IP ranges. You can automate the
entire process - using an automated monitoring tool such as Fail2Ban. Why
was Fail2Ban developed in the first place? Because you'll quickly find that
you can't keep track of which IP addresses were banned for what reason, and
you won't remember what's what.
Put it this way: when my server is under attack, I have never, ever had to
type in a command to ban an IP. Why? Cos I've got rules set up in Fail2Ban
that automate the process for me. I'm sitting at home with a cup of tea
reading the emails Fail2Ban sends, telling me "I just caught an attacker -
I banned their IP address!"
Much easier :-)
Tony Collins
On Tue, 23 Oct 2018 at 18:38, Tectract notifications@github.com wrote:
lol, ok I have parsed this response:
fail2ban-client set jailnamehere banip 1.2.3.0/24
This is really not useful. It's not a one-liner you can use from the
command line. This will simply result in the error message:'jailnamehere' does not exist.
When your server is under attack you don't want to be playing around with
development testing and config files. This is a glaring, glaring problem
for fail2ban imho. There should be a simple way to ban IP addresses. Maybe
that would mean having a default jail that could be used for that purpose.I ended up using iptables commands like this:
to ban a single IP
sudo iptables -A INPUT -s 1.2.3.4 -j DROP
to ban a range of IP addresses
sudo iptables -I INPUT -m iprange --src-range 1.2.3.0-1.2.3.255 -j DROP
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/fail2ban/fail2ban/issues/2261#issuecomment-432345054,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AEwhqPPJy6cyLaxxDLu1szlkS-cUHuqRks5un1P9gaJpZM4X0qH5
.
There should be a way to ban IPs from the command line with fail2ban. This is a glaring ommision imho. Developers who don't give the users what they want eventually find their software projects to have no users.
And users who ignore the detailed explanation about what a piece of
software is actually designed to do and instead say "you should make this
software do something it was never designed to do just because I refuse to
understand the difference between a specific log file monitoring app and a
straight IP banning app" will eventually find that people decide to stop
engaging with them anymore because it's pointless talking to someone who
refuses to understand.
I'm out of this discussion. Please enjoy using iptables, which is the app
specifically designed for you to use for command-line IP banning.
Tony Collins
On Tue, 23 Oct 2018 at 21:01, Tectract notifications@github.com wrote:
There should be a way to ban IPs from the command line with fail2ban. This
is a glaring ommision imho. Developers who don't give the users what they
want eventually find their software projects to have no users.—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/fail2ban/fail2ban/issues/2261#issuecomment-432397242,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AEwhqE7yWYDrJiSTY4vmJx27KWH4c8gEks5un3WQgaJpZM4X0qH5
.
I hate developers who built complex systems and then ignore user requests for features because they think they know how the software "should" be used.
I hate developers who built complex systems and then ignore user requests for features because they think they know how the software "should" be used.
fail2ban is a very effective system for banning access based on a sets of rules defined per application. It is like a scalpel and the developers are doing a great job improving this tool
If you want to block a specific ip address, then I suggest you look at ipset which makes it easy to block ip addresses (and ranges) from the command line.
I use both tools: I use ipset (using https://github.com/trick77/ipset-blacklist ) to ban well-known hackers ip addresses (and their compromised systems that they manage) and then fail2ban to monitor the rest based on what they actually try to do and feed those who on certain apps back into ipset.
I have added some home written scripts that log this in infuxdb and then graph the results using grafana so that I have a visual high-level view of what's happening. Works a treat.
How do I ban an IP range?
At the moment no range (no subnet banning) is supported per default. You can write your own jail with your own action to ban an IP range.
Here is the FR for this - #927.
So without some custimizations only single IP banning is supported (iterative).
sudo fail2ban-client set ssh-iptables banip 11.22.33.44
But these just result in the response: sorry but the jail does not exist.
Fail2ban is designed for jail-based work: the jail is a set of parameters, like parsing & banning rules, log-file (or systemd journal) to find a failures, as well as other control parameters like port, bantime, etc.
Fail2ban have already many default jails for many services (that are all disabled per default, and you should enable jails you want).
So if you want manually ban an IP via fail2ban-client set ssh-iptables banip 11.22.33.44, it expects that the jail ssh-iptables is exists (and we don't have such jail per default) and active.
If you uses fail2ban normally, find the best fit jail you have already enabled (e. g. with the same port(s) you want to ban) or existing jail that you have still to enable...
For example if you will choose the jail sshd, you should write in jail.local:
[sshd]
enabled = true
Then after restart/reload fail2ban, you can do your manual banning using:
?sudo? fail2ban-client set sshd banip 192.0.2.1
This will automatically unbanned after bantime (default 10 minutes).
If you have no jails (and you want your own jail) how you can configure a simplest jail:
$ # create empty log file:
$ touch /var/log/my-log.log
Create or edit /etc/fail2ban/jail.local:
[ssh-iptables]
filter =
backend = auto
logpath = /var/log/my-log.log
failregex = ^\s*failure <HOST>$
bantime = 600
maxretry = 1
banaction = iptables-multiport
port = 22
enabled = true
And restart/reload fail2ban.
Then you can do manual banning using:
?sudo? fail2ban-client set ssh-iptables banip 192.0.2.1
as well as by write to the file /var/log/my-log.log like below:
echo "$(date +%s) failure 192.0.2.1" >> /var/log/my-log.log
See our wiki here for the example how you can proper configure the fail2ban.
I hate developers who built complex systems and then ignore user requests for features because they think they know how the software "should" be used.
This is your choice to use a "complex" system or not. So my question is, why you want to use this "complex" fail2ban for manual banning of the IP, if you can use "simple" system like firewall/iptables/ipset instead of?
If i have a daemon that writes logs that has subnets, and i pass (by regex) a subnet as a HOST in a filter, can the jail->action pick it up?
can the jail->action pick it up?
It depends on action... Some of that could work, another expecting some modifications, and some would not work at all (see for example #2552).
What I do is create a fake rule, create a real jail called "nuke", and then use that real jail to ban ranges of IP addresses that are always up to no good. But the jail/rule must be set up for Fail2Ban to work. If you want more info on how to do what we both want to do, let me know - cos it is a useful secondary way to use Fail2Ban. I can guide you through it.
It would be useful to see the config for a fake/manual ban jail. In the last 2 days china has launched an all out attack so would like to ban all their networks!
https://sven.rojek.de/posts/fail2ban-iprange-mit-blackliste-blocken looks like a good solution with plain fail2ban (article in german but english config snippets should make the approach clear).
This script in Python is running fine, in a crontab */5 minute, to group similar IPs into network range, from CIDR /23 up to /32; it calls fail2ban, but can call IPTABLEs directly too.
https://github.com/WKnak/fail2ban-block-ip-range
After run script, it calls commands like these for network ranges with more than 10 events:
fail2ban-client set postfix-sasl banip 78.128.113.66/32
fail2ban-client set postfix-sasl banip 45.142.120.0/24
fail2ban-client set postfix-sasl banip 193.56.28.160/32
fail2ban-client set postfix-sasl banip 45.150.206.112/29
Most helpful comment
IP ranges are written in what's called "CIDR notation". Using this format,
you can use any range of IP addresses in Fail2Ban.
You'll probably need what's called a "CIDR calculator" - google that phrase
and you'll easily find one.
IP ranges are written like this: 1.2.3.0/24 - that is the range
1.2.3.0-1.2.3.255
Similarly 1.2.0.0/16 gives you 1.2.0.0-1.2.255.255 - you can have huge
ranges or small ranges. Even 1.2.3.4-1.2.3.7 can be done: it's 1.2.3.4/30
So, find a CIDR calculator, type in the actual range of numbers and it'll
give you the "notation" for that range.
Then, to ban a range you just type the normal ban command:
fail2ban-client set jailnamehere banip 1.2.3.0/24
That will ban the whole range.
If you're typing in a command and getting "no jail of that name", it means
there's a problem with your configuration, or you're making a spelling
mistake :-) - the program is really solid on handling things like that, so
if the jail name exists it'll ban the IP.
I just want to check
Do you have experience with the program, for example do you use jails and
log files and rules already? Do you know what a jail is? All banning MUST
be done through a "jail" because jails contain details such as: whether to
ban one, some or all ports, whether to email you the result, how long to
ban the IP for, what specific Linux banning system to use, what specific
log file entries the program is looking for and what log files to look at.
If you know all that but still just want to ban a range of IPs, you still
must do it using an existing jail.
You can set up an "I don't care, just ban this IP range" jail.
I have one, called "nuke". I use it to ban most of Amazon's AWS servers cos
they're just used by spammers to relentlessly suck up my pages, try to
break into my websites etc. My websites don't use any services/apps
provided by people using Amazon Web Services, so I'm safe blocking those IP
addresses - and I found I was saving gigabytes a month in traffic, as well
as cutting down hacking attacks by 90%.
But you do have to put a bit of work in to create the jail you want - cos
remember, Fail2Ban isn't just meant as a "ban this IP" program, its entire
design is based on reading log files and finding phrases that you told it
to look for, and then take actions that you specify.
So, because that's how it's built, it was never designed just to block an
IP address. It was designed to block IP addresses that broke rules you
designed.
The sort of method you want to use is great as a secondary method, once
you've got Fail2Ban set up to read all the logs and check all the other
rules you've set - the "just block this range and don't ask me any
questions" setup is a good additional thing to use Fail2Ban for.
What I do is create a fake rule, create a real jail called "nuke", and then
use that real jail to ban ranges of IP addresses that are always up to no
good.
But the jail/rule must be set up for Fail2Ban to work.
If you want more info on how to do what we both want to do, let me know -
cos it is a useful secondary way to use Fail2Ban. I can guide you through
it.
But if you don't really use Fail2Ban at all and simply want to ban IP
addresses, there are easier ways to do it, using software that doesn't
require Fail2Ban's resources.
On Tue, 23 Oct 2018 at 05:00, Tectract notifications@github.com wrote:
Tony Collins