Standard configuration fail2ban / how to modify it

Hello

I get A LOT of connection attempts on my server (especially on nginx), and I would like to make a rule for fail2ban to ban an IP after a number of attempts.

But I don't know how to write a rule. I don't know if I must make the rule in fail2ban or in nginx.

For example, I have this kind of request:

2018/07/12 09:00:30 [crit] 1076#1076: *1492 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 217.182.143.96, server: 0.0.0.0:443
2018/07/12 09:00:30 [crit] 1076#1076: *1500 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 217.182.143.96, server: 0.0.0.0:443
2018/07/12 09:00:31 [crit] 1076#1076: *1515 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 217.182.143.96, server: 0.0.0.0:443
2018/07/12 09:00:31 [crit] 1076#1076: *1522 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 217.182.143.96, server: 0.0.0.0:443

217.182.143.96 - - [12/Jul/2018:09:00:34 +0200] "\x15\x03\x02\x00\x02\x01\x00" 400 166 "-" "-"
217.182.143.96 - - [12/Jul/2018:09:00:34 +0200] "\x15\x03\x02\x00\x02\x01\x00" 400 166 "-" "-"
217.182.143.96 - - [12/Jul/2018:09:00:34 +0200] "\x15\x03\x02\x00\x02\x01\x00" 400 166 "-" "-"
217.182.143.96 - - [12/Jul/2018:09:00:34 +0200] "\x15\x03\x02\x00\x02\x01\x00" 400 166 "-" "-"
217.182.143.96 - - [12/Jul/2018:09:00:35 +0200] "\x15\x03\x02\x00\x02\x01\x00" 400 166 "-" "-"

And I would like to ban this guy for some days, for example.
What is the way? :slight_smile:

If it’s not too late:

Add a file /etc/fail2ban/jail.d/SOMETHING.conf
[SOMETHING]
enabled = true
port = 443
logpath = /path/to/your/log
maxretry = 3

Add a file /etc/fail2ban/filter.d/SOMETHING.conf
[INCLUDES]
before = common.conf
[Definition]
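# nginx logs non-printable bytes as literal \xNN text, so each backslash is escaped;
# <HOST> is required so fail2ban knows which address to ban
failregex = ^<HOST> -.*"\\x15\\x03\\x02\\x00\\x02\\x01\\x00" 400 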
ignoreregex =

And restart fail2ban
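
An added example, not part of the original answer: a small Python check that a failregex for the access-log lines in the question really matches them, comparing a raw `\x15...` pattern with the backslash-escaped form. The sample log lines are constructed from the format shown above, and the IPv4-only stand-in for `<HOST>` and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: access-log lines in the format shown in the question,
# plus one ordinary request that must not count as a failure.
SAMPLE_LOG = r'''
217.182.143.96 - - [12/Jul/2018:09:00:34 +0200] "\x15\x03\x02\x00\x02\x01\x00" 400 166 "-" "-"
217.182.143.96 - - [12/Jul/2018:09:00:34 +0200] "\x15\x03\x02\x00\x02\x01\x00" 400 166 "-" "-"
217.182.143.96 - - [12/Jul/2018:09:00:35 +0200] "\x15\x03\x02\x00\x02\x01\x00" 400 166 "-" "-"
192.0.2.10 - - [12/Jul/2018:09:00:36 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''.strip().splitlines()

# fail2ban expands <HOST> into an address-capturing group; this simplified
# IPv4-only stand-in is an assumption made for the example.
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# Unescaped: the regex engine reads \x15 as the single byte 0x15, which never
# appears in the log because nginx wrote the four characters \ x 1 5 instead.
UNESCAPED = r'^<HOST> -.*"\x15\x03\x02\x00\x02\x01\x00" 400 '
# Escaped: \\x15 matches a literal backslash followed by "x15".
ESCAPED = r'^<HOST> -.*"\\x15\\x03\\x02\\x00\\x02\\x01\\x00" 400 '


def failures_per_host(failregex, lines):
    """Count lines matching failregex, keyed by the captured client address."""
    pattern = re.compile(failregex.replace('<HOST>', HOST_GROUP))
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group('host')] += 1
    return hits


def hosts_to_ban(failregex, lines, maxretry=3):
    """Hosts whose failure count reaches maxretry (the findtime window is ignored)."""
    counts = failures_per_host(failregex, lines)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == '__main__':
    print('unescaped:', hosts_to_ban(UNESCAPED, SAMPLE_LOG))
    print('escaped:  ', hosts_to_ban(ESCAPED, SAMPLE_LOG))
```

On the server itself, `fail2ban-regex /path/to/your/log /etc/fail2ban/filter.d/SOMETHING.conf` runs the same kind of check with fail2ban's own matching engine.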

@ljf
Can we add multiple IPs in the conf file?

Suggestion:
Here is a script I use personally, which can be implemented on YunoHost to block a large number of IPs obtained from third-party blacklist databases and customized as needed. https://github.com/trick77/ipset-blacklist