This is my second post on the above subject.\u00a0 I have now started using ipsets to handle blocking of ip addresses at my firewalls.\u00a0 For the purposes of this post, the ipsets will be call F2BLIST for ipv4 and F2BLIST6 for ipv6 address.\u00a0 In the shorewall init file, place the following code:<\/p>\n
ipset create F2BLIST hash:ip timeout 300 -exist<\/p>\n
This creates an ipset with a default timeout of 300 seconds, and won’t throw an error if it already exists (if you happen to restart shorewall).<\/p>\n
Next add a rule to the shorewall rules file like:<\/p>\n
?SECTION ALL<\/p>\n
DROP:info net:+F2BLIST all<\/p>\n
Next, create a new action file under \/etc\/fail2ban\/action.d\/ called shorewall-ipset.conf<\/p>\n
[Definition]
\nactionstart =
\nactionstop =
\nactioncheck =
\nactionban = ipset add F2BLIST <ip> timeout <bantime> -exist
\nactionunban =
\n[Init]
\nblocktype = logdrop
\nbantime = 600<\/p>\n
The last line sets the default ban time to 600 seconds.\u00a0 Next, create a jail in \/etc\/fail2ban\/jail.local like the following:<\/p>\n
[ssh-shorewall]<\/p>\n
enabled = true
\nfilter = sshd
\naction = shorewall-ipset[bantime=3600]
\nsendmail-geoip-lines[name=SSH, dest=youremail, sender=anotheremail, logpath=\/var\/log\/messages]
\nlogpath = \/var\/log\/messages
\nmaxretry = 3<\/p>\n
This jail sets the ban time to 3600 seconds, and uses the default findtime.\u00a0 A recidive jail could look like the following:<\/p>\n
[recidive]<\/p>\n
enabled = true
\nfilter = recidive
\nlogpath = \/var\/log\/fail2ban.log
\naction = shorewall-ipset[bantime=172800]
\nsendmail-geoip-lines[name=recidive, logpath=\/var\/log\/fail2ban.log]
\nfindtime = 172800 ; 2 day
\nmaxretry = 2<\/p>\n
The beauty of the ipsets is that the kernel handles expiring the entry, so you don’t have to worry about fail2ban expirying an ip that is still supposed to be blocked in the recidive jail.\u00a0 If you issue the following command:<\/p>\n
ipset list<\/p>\n
it will show the ipset and all the entries in it with the corresponding seconds left for each ip to expire.<\/p>\n","protected":false},"excerpt":{"rendered":"
This is my second post on the above subject.\u00a0 I have now started using ipsets to handle blocking of ip addresses at my firewalls.\u00a0 For the purposes of this post, the ipsets will be call F2BLIST for ipv4 and F2BLIST6 for ipv6 address.\u00a0 In the shorewall init file, place the following code: ipset create F2BLIST … Continue reading Shorewall, Ipsets, Fail2Ban and Recidive Jail v.2<\/span>