Fail2ban whitelist

From LUG

Introduction

We use fail2ban to block IP addresses that repeatedly fail to log in to our SSH servers.

It works by banning any IP address from which too many failed login attempts originate within a given time window.

This works nicely, but the side effect is that if legitimate users use the wrong credentials a couple of times (FileZilla, for instance, retries a failed login automatically), they are blocked too.

This creates administrative load, as these users then have to ask an administrator of the service to unblock their IP address.

So the idea is to automatically whitelist IP addresses from which a successful login has occurred.

Pros:

  • People are no longer blocked if they use the wrong credentials a couple of times
  • This leads to lower administrator load

Cons:

  • An extra set of configuration files has to be maintained on the servers
  • A bad actor could use this setup to whitelist an IP address and use that as the starting point of an attack. (This seems unlikely: whitelisting requires a successful login, and someone who already holds a valid set of credentials does not need to brute-force account information.)
  • The whitelist is keyed on the source address, so every host sharing that address (an office or campus NAT, a VPN exit node) is exempt from the sshd jail for the whole whitelist period, not only the machine of the user who logged in.


Implementation

To enable the automated whitelisting, we need three extra pieces of configuration: a filter that recognises successful logins, an action that adds the address to a jail's ignore list, and a jail definition that ties the two together:

/etc/fail2ban/filter.d/sshd-whitelist.conf:

[INCLUDES]

before = common.conf

[DEFAULT]

_daemon = sshd

[Definition]

# sshd logs a successful login as "Accepted <method> for <user> from <ip> port ...".
# Only the publickey and password methods are matched here, so a login that sshd
# reports as "Accepted keyboard-interactive/pam" (password authentication handled
# by PAM) does not whitelist the address; extend the alternation if you rely on it.
failregex  = ^%(__prefix_line)s\s*Accepted (publickey|password) for \S+ from <HOST>

mode = normal

ignoreregex =

maxlines = 1

journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

datepattern = {^LN-BEG}

/etc/fail2ban/action.d/ignoreip.conf:

[Definition]

actionstart =

actionstop  =

actioncheck = fail2ban-client status <name>

actionban   = fail2ban-client set <name> addignoreip <ip>

actionunban = fail2ban-client set <name> delignoreip <ip>

[Init]

# <name> is the jail whose ignore list receives the address; the jail
# configuration overrides it with name=sshd below.
name  = default

# <chain> is not referenced by any command in this action (only <name> and <ip>
# are used), so it is harmless and can be dropped.
chain = INPUT

/etc/fail2ban/jail.local:

[DEFAULT]

ignoreself = true
ignoreip = 127.0.0.1/8

bantime  = 24 hours
findtime  = 12 hours
maxretry = 3
backend = auto

[sshd]

enabled = true
port    = ssh
logpath = %(sshd_log)s

[sshd-whitelist]

enabled  = true
port     = ssh
logpath  = %(sshd_log)s
filter   = sshd-whitelist
action   = ignoreip[name=sshd]

# If you have multiple jails to add IPs to the ignorelist, use this:
# action    = ignoreip[actname=sshd_invalid,name=sshd_invalid]
#             ignoreip[actname=wur_sshd,name=wur_sshd]

# A single successful login is enough to trigger the action.
maxretry = 1
# In this jail a "ban" is the whitelist entry, so bantime is how long the
# address stays in the sshd jail's ignore list before actionunban removes it.
bantime  = 1 month
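Before enabling the jail it is worth checking which sshd log lines the filter actually matches. The Python check below is an added example, not part of this page's configuration or of fail2ban itself: it expands the failregex from filter.d/sshd-whitelist.conf and runs it over constructed log lines. The prefix pattern standing in for %(__prefix_line)s and the expansion used for <HOST> are simplified versions of what fail2ban's common.conf and filter engine generate (assumptions, not fail2ban's exact patterns), and the keyboard-interactive/pam variant is a suggested extension that the page does not configure.

```python
import re

# Simplified stand-in for fail2ban's %(__prefix_line)s from common.conf:
# optional syslog timestamp, optional hostname, then "sshd[pid]:".
# Assumption: fail2ban's real prefix is more elaborate, but accepts these lines.
PREFIX_LINE = r"(?:\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+)?(?:\S+\s+)?sshd(?:\[\d+\])?:\s*"

# fail2ban replaces <HOST> with a named capture group; this is the classic
# expansion, which also strips an IPv4-mapped IPv6 prefix (::ffff:).
# Assumption: newer releases use a broader pattern with the same capture name.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from filter.d/sshd-whitelist.conf with the placeholders expanded.
WHITELIST_RE = re.compile(
    r"^" + PREFIX_LINE + r"\s*Accepted (publickey|password) for \S+ from " + HOST
)

# Suggested variant (not on the page) that also catches keyboard-interactive
# logins, which is how sshd reports a password login handled through PAM.
WHITELIST_RE_PAM = re.compile(
    r"^" + PREFIX_LINE
    + r"\s*Accepted (publickey|password|keyboard-interactive/pam) for \S+ from "
    + HOST
)

# Constructed sample log lines (documentation addresses, no real traffic).
SAMPLE_LINES = [
    "Mar 10 12:00:01 bastion sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:abcdef",
    "Mar 10 12:00:02 bastion sshd[1235]: Accepted password for bob from 198.51.100.7 port 40001 ssh2",
    "Mar 10 12:00:03 bastion sshd[1236]: Accepted keyboard-interactive/pam for carol from 203.0.113.5 port 40002 ssh2",
    "Mar 10 12:00:04 bastion sshd[1237]: Failed password for invalid user admin from 203.0.113.99 port 40003 ssh2",
    "Mar 10 12:00:05 bastion sshd[1238]: Accepted publickey for dave from ::ffff:192.0.2.11 port 40004 ssh2: RSA SHA256:012345",
    "Mar 10 12:00:06 bastion sshd[1239]: Connection closed by authenticating user eve 203.0.113.77 port 40005 [preauth]",
]


def whitelisted_hosts(lines, regex=WHITELIST_RE):
    """Hosts the filter would hand to the ignoreip action, in log order."""
    hosts = []
    for line in lines:
        match = regex.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


def missed_logins(lines, regex=WHITELIST_RE):
    """Successful logins ('Accepted ...') that the filter does not match."""
    return [line for line in lines if "Accepted " in line and not regex.search(line)]


if __name__ == "__main__":
    print("whitelisted by the page's filter:", whitelisted_hosts(SAMPLE_LINES))
    for line in missed_logins(SAMPLE_LINES):
        print("successful login NOT whitelisted:", line)
    print("whitelisted with the pam variant:", whitelisted_hosts(SAMPLE_LINES, WHITELIST_RE_PAM))
```

The failed-password and preauth lines are correctly ignored, and the IPv4-mapped address is reported as plain IPv4, which is what the ignoreip action needs. The keyboard-interactive/pam login is the one to watch: on a server where PasswordAuthentication is off and PAM handles passwords, the page's filter never whitelists that user. On the server itself, `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd-whitelist.conf` runs the real filter against the real log, and `fail2ban-client get sshd ignoreip` lists the addresses the action has added so far.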