Thursday, November 25, 2010

Fail2ban Manual Unban Single Host (for iptables)

UPDATE: Starting with version 0.8.8, the unban operation is built in; it is executed through the fail2ban-client app like this:

# fail2ban-client set [ban-name] unbanip [ip]
# e.g. fail2ban-client set asterisk-iptables unbanip 8.8.8.

Check out the changelog here. Get version 0.8.8 here. You really should upgrade your fail2ban to that version and use the built-in tool.


[WARNING: THE INSTRUCTIONS BELOW ARE OUTDATED]

Fail2Ban is a great way to protect your server from brute-force attempts and other events that you deem a problem. It does this by watching your logs: if a particular event is repeated n times, you can trigger actions such as blocking or unblocking the source through iptables or a software firewall, or even run a script that modifies an external firewall.


There’s one drawback: there is no way to unban just one IP (and there are many reasons why that might be needed). Follow these instructions and get the necessary script and you will have a fully working unban function (if you use iptables to ban), or at least an idea of how to build one.
Version that you MUST USE: Fail2Ban v0.8.4. Download and install Fail2Ban version 0.8.4 for fail2banning Asterisk SIP brute-force attacks. Some help with installation
here.

This guide was written on a Debian system; customization may be required. You can check the version after installing from the CLI like so:
# fail2ban-client -V

Create the unban script. You may need to modify certain settings so that they match your jail settings, actions (this script is written for iptables) and logging options.
# cd /usr/src
# wget http://210.5.42.12/downloads/asterisk/misc/unban
# chmod +x unban

Now we change the actions.py file from Fail2ban so that it properly handles unbanning done by the unban script. You may need to modify this if you do not use iptables for your ban action. See the function def __checkBan in actions.py: there is a modification there that calls an external check command called mycheck. If the mycheck condition is true (return value 0) it will proceed to ban that IP. The issue we had when just unbanning with the unban script was that fail2ban did not know we had unbanned the IP manually from the CLI. This caused fail2ban to never ban that IP again, because it thought the IP was still in its ban list. This “fix” ensures that the procedure checks against iptables (or whatever your ban action is) and reissues the ban if the IP is not present in its entries (as with iptables -n --list).


# cd /usr/share/fail2ban/server/
# mv actions.py actions.py.original
# wget http://210.5.42.12/downloads/asterisk/misc/actions.py

Restart fail2ban (WARNING, RESTARTS WILL FLUSH ALL BAN IPs OFF THE LIST!)
# /etc/init.d/fail2ban restart

Try it out yourself by unbanning an IP:
# unban 202.188.0.133

If you do not specify an IP, it will list all banned IPs inside the Jailed context.
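A minimal stand-in for the unban script, written here as an added example (it is not the script hosted at the URL above): it removes one IP from the jail's iptables chain, lists the chain's bans when run without an argument, and includes the same "is this IP already in iptables?" test that the mycheck hook performs before fail2ban re-bans. The jail name asterisk-iptables, the chain name fail2ban-<jail> and the DROP target are assumptions; adjust them to match your own action.

```shell
#!/bin/sh
# Added example, not the post's unban script. Assumptions: jail name
# asterisk-iptables (as in the post), fail2ban's default chain name
# fail2ban-<jail>, and DROP as the ban target. Adjust to your action.

JAIL="${JAIL:-asterisk-iptables}"
CHAIN="fail2ban-$JAIL"

# Constructed sample of 'iptables -n --list fail2ban-asterisk-iptables'
# output, used only to exercise the parsing functions offline.
SAMPLE_LISTING='Chain fail2ban-asterisk-iptables (1 references)
target     prot opt source               destination
DROP       all  --  202.188.0.133        0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# Print the source IPs of DROP/REJECT rules from a chain listing on stdin.
banned_ips_from_listing() {
    awk '$1 == "DROP" || $1 == "REJECT" { print $4 }'
}

# Coarse IPv4 check (four numeric octets, each 0-255) so a typo never
# reaches 'iptables -D' and deletes a rule you did not intend to touch.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 } { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }'
}

# Same test the post's mycheck hook performs: return 0 (ban may proceed)
# when the IP is NOT in the chain listing read on stdin, 1 otherwise.
ip_absent_from_chain_listing() {
    ! banned_ips_from_listing | grep -qxF "$1"
}

list_banned() { iptables -n --list "$CHAIN" | banned_ips_from_listing; }

unban_ip() {
    ip="$1"
    is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
    # fail2ban inserts one rule per ban; keep deleting until none match
    while iptables -D "$CHAIN" -s "$ip" -j DROP 2>/dev/null; do :; done
    if ! iptables -n --list "$CHAIN" | ip_absent_from_chain_listing "$ip"; then
        echo "$ip is still present in $CHAIN" >&2; return 1
    fi
    echo "unbanned $ip from $CHAIN"
}

# Entry point; skipped where iptables is unavailable (e.g. when sourced for tests).
if command -v iptables >/dev/null 2>&1; then
    if [ $# -eq 0 ]; then list_banned; else unban_ip "$1"; fi
fi
```

Run as root with no argument to list the chain, or with one IP to remove it; the chain name must match what your jail's action created.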
