Blocking IPs after breakin attempts with tcpwrapper and fail2ban

My virtual private server runs fail2ban to block IPs that have tried to gain access to my system by hammering my ssh server. Suspicious IPs get banned for a certain time with a firewall policy using iptables. The un-banning is useful in case I’ve locked myself out (because I forgot to add my current IP to the ignore list).

It would also be useful to block certain IPs permanently. I’ve written a little Perl script that does just that. It parses fail2ban.log, removes duplicate entries, removes IPs to be ignored (safe machines) and adds the data to the hosts.allow file of my machine. Entries are marked in a way that shows the automatic nature of their existence, and previously present data is untouched.

All daemons supporting this mechanism (sshd, cupsd, vsftpd to name a few) can benefit from this.

A typical entry looks like this:

“ALL:” blocks access to all supported daemons, but could be replaced with “sshd:” to just block incoming ssh requests from those IPs.

Download the script. Don’t forget to add your own sanity checks.

I just put this script into /etc/cron.daily/ so it’s updated once a day.
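The steps described in this post (parse the log, de-duplicate, drop ignored IPs, add marked entries without touching existing data), sketched in Python as an added example; it is not the Perl script linked above. The marker comments, the `ALL: <ip> : deny` line format (hosts_options syntax) and the sample log lines are assumptions, and only IPv4 addresses are handled.

```python
import ipaddress
import re

BAN_RE = re.compile(r"\bBan\s+(\S+)")  # matches "Ban <ip>", never "Unban <ip>"
BEGIN = "# BEGIN fail2ban auto-block (generated)"  # hypothetical marker text
END = "# END fail2ban auto-block"
# Constructed sample log (documentation address ranges), not real data.
SAMPLE_LOG = """\
2024-01-15 03:12:01,101 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.5
2024-01-15 03:22:01,333 fail2ban.actions [812]: NOTICE [sshd] Unban 203.0.113.5
2024-01-15 04:40:10,020 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.7
2024-01-15 05:02:44,910 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.5
2024-01-15 06:15:09,417 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.10
2024-01-15 06:15:10,000 fail2ban.actions [812]: NOTICE [sshd] Ban not-an-ip
"""

def banned_ips(log_text, ignore=()):
    """Unique banned IPv4 addresses in first-seen order, minus ignored ones."""
    nets = [ipaddress.ip_network(n) for n in ignore]
    seen = []
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # sanity check: never copy unparsed log text into the file
        if ip not in seen and not any(ip in n for n in nets):
            seen.append(ip)
    return [str(ip) for ip in seen]

def merge(existing, ips, daemon="ALL"):
    """Add new deny lines to the marked block; all other lines stay verbatim."""
    kept, old, inside = [], [], False
    for line in existing.splitlines():
        if line in (BEGIN, END):
            inside = line == BEGIN
        elif inside:
            old.append(line)  # earlier automatic entries stay (permanent block)
        else:
            kept.append(line)
    new = [f"{daemon}: {ip} : deny" for ip in ips]
    block = old + [entry for entry in new if entry not in old]
    # The first matching rule wins, so the deny block goes ahead of other rules.
    return "\n".join([BEGIN] + block + [END] + kept) + "\n"

if __name__ == "__main__":
    ips = banned_ips(SAMPLE_LOG, ignore=["192.0.2.10"])
    print(merge("sshd: 192.0.2.0/24\n", ips), end="")
```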


2 Responses to Blocking IPs after breakin attempts with tcpwrapper and fail2ban

  1. jan says:

    You might want to have a look at DenyHosts, it does all of the above and even includes the option to regularly update its blocklist from a centralised server, to which you can choose to contribute.

  2. robert says:

    Thanks, I’ll have a look at it.
