
Fail2ban

Software for dynamically blocking IP addresses when they do something they shouldn't.

apt install fail2ban
 
cd /etc/fail2ban
cp jail.conf jail.local

For the web server, I set it up so that when port scanning is detected, access to all ports except 80 and 443 is blocked. For this I used a newly created file, /etc/fail2ban/action

# Fail2Ban action configuration file for ufw
#
# You are required to run "ufw enable" before this will have any effect.
#
# The insert position should be appropriate to block the required traffic.
# A number after an allow rule to the application won't be of much use.
 
[Definition]
 
actionstart = 
 
actionstop = 
 
actioncheck = 
 
actionban = [ -n "<application>" ] && app="app <application>"
            ufw prepend <blocktype> from <ip> $app
            ufw prepend allow proto tcp from <ip> to <destination> port 80,443 $app
            #ufw insert <insertpos> <blocktype> from <ip> to <destination> port 80 $app
 
actionunban = [ -n "<application>" ] && app="app <application>"
              ufw delete <blocktype> from <ip> $app
              ufw delete allow proto tcp from <ip> to <destination> port 80,443 $app
              #ufw delete <blocktype> from <ip> to <destination> port 80 $app
 
[Init]
# Option: insertpos
# Notes.:  The position number in the firewall list to insert the block rule
insertpos = 1
 
# Option: blocktype
# Notes.: reject or deny
blocktype = deny
 
# Option: destination
# Notes.: The destination address to block in the ufw rule
destination = any
 
# Option: application
# Notes.: application from sudo ufw app list
application = 
 
# DEV NOTES:
# 
# Author: Guilhem Lettron
# Enhancements: Daniel Black
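
Why actionban above issues the deny before the allow, as an added example that is not part of the original page: ufw checks rules from top to bottom and the first match wins, and each `ufw prepend` puts its rule at the top. The sketch is a constructed model of that ordering; it never calls ufw, the helper names and the address 203.0.113.7 are made up for the example, and only TCP is modeled.

```shell
#!/bin/sh
# Toy model of ufw's ordered rule list (constructed; does not call ufw).
# One rule per line: "<verdict> <source-ip> <ports>", ports = "any" or a comma list.
RULES=""

# Mirrors "ufw prepend": the new rule goes to the top of the list.
prepend() {
    if [ -n "$RULES" ]; then
        RULES="$1
$RULES"
    else
        RULES="$1"
    fi
}

# Mirrors the page's actionban: deny first, then allow, so the allow ends up on top.
actionban() {
    prepend "deny $1 any"
    prepend "allow $1 80,443"
}

# The same two rules prepended in the opposite order, for comparison.
actionban_swapped() {
    prepend "allow $1 80,443"
    prepend "deny $1 any"
}

# First matching rule wins; with no match the default policy applies.
verdict() {  # usage: verdict <source-ip> <port> [default]
    result="${3:-default}"
    while read -r action src ports; do
        [ "$src" = "$1" ] || continue
        case ",$ports," in
            ,any,|*",$2,"*) result="$action"; break ;;
        esac
    done <<EOF
$RULES
EOF
    echo "$result"
}

# Constructed demo: ban one documentation address and probe two ports.
actionban 203.0.113.7
echo "port 22: $(verdict 203.0.113.7 22), port 443: $(verdict 203.0.113.7 443)"
```

With the two prepends swapped, the deny sits on top and the banned address loses ports 80 and 443 as well.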

fail2ban-client set vpnserver unbanip 89.24.33.115
fail2ban-client unban 89.24.33.115
  • Last modified: 2022/11/19 19:51
  • Author: Petr Nosek