My virtual private server runs fail2ban to block IPs that have tried to gain access to my system by hammering my ssh server. Suspicious IPs get banned for a certain time with a firewall policy using iptables. The un-banning is useful in case I’ve locked myself out (because I forgot to add my current IP to the ignore list).
It would also be useful to block certain IPs permanently. I’ve written a little Perl script that does just that. It parses fail2ban.log, removes duplicate entries, removes IPs to be ignored (safe machines) and adds the data to the hosts.allow file of my machine. Entries are marked in a way that shows the automatic nature of their existence, and previously present data is untouched.
All daemons supporting this mechanism (sshd, cupsd, vsftpd to name a few) can benefit from this.
A typical entry looks like this:
    # auto-script begin/end #
    ALL: www.xxx.yyy.zzz : DENY
    ...
    ...
    # auto-script begin/end #
“ALL:” blocks access to all supported daemons, but could be replaced with “sshd:” to just block incoming ssh requests from those IPs.
Download the script. Don’t forget to add your own sanity checks.
I just put this script into /etc/cron.daily/ so it’s updated once a day.
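The post's own Perl script is only available as a download, so here is an added example in Python (not the author's script) of the same procedure: parse fail2ban.log for "Ban" lines, de-duplicate and validate the addresses, drop anything on an ignore list, and rewrite only the marked block of hosts.allow while leaving hand-written lines alone. It also carries forward addresses already inside the marked block, so bans are not lost when the log rotates. The marker wording ("# auto-script begin #" / "# auto-script end #"), the log lines and the hosts.allow contents are constructed assumptions, not taken from the page.

```python
"""
Added example, not the post's Perl script: rebuild the auto-managed block of
/etc/hosts.allow from fail2ban "Ban" log lines.

Assumptions (not stated on the page): the block is delimited by the two marker
comments below, and the log uses fail2ban's "... [jail] Ban <ip>" wording.
"""
import ipaddress
import re

BEGIN_MARK = "# auto-script begin #"   # assumed marker wording
END_MARK = "# auto-script end #"       # assumed marker wording

# Matches "Ban 1.2.3.4" but not "Unban 1.2.3.4" (case-sensitive, word boundary).
BAN_RE = re.compile(r"\bBan\s+(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample data (not real hosts): one re-ban of the same address,
# one Unban line, one address inside the ignore list, one malformed token.
SAMPLE_LOG = """\
2013-05-01 10:00:01,123 fail2ban.actions: WARNING [ssh] Ban 198.51.100.23
2013-05-01 10:05:02,456 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7
2013-05-01 10:20:03,789 fail2ban.actions: WARNING [ssh] Unban 198.51.100.23
2013-05-01 11:00:04,012 fail2ban.actions: WARNING [ssh] Ban 198.51.100.23
2013-05-01 11:30:05,345 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2013-05-01 11:40:06,678 fail2ban.actions: WARNING [ssh] Ban 999.1.1.1
"""
SAMPLE_HOSTS_ALLOW = """\
# hand-written rules stay untouched
sshd: 192.0.2.0/24
# auto-script begin #
ALL: 203.0.113.200 : DENY
# auto-script end #
"""


def parse_banned_ips(log_lines):
    """Return the set of validated, de-duplicated IPv4 addresses fail2ban banned."""
    found = set()
    for line in log_lines:
        m = BAN_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # sanity check: never write a malformed token into hosts.allow
        found.add(str(ip))
    return found


def drop_ignored(ips, ignore_list):
    """Remove addresses covered by the ignore list (single IPs or CIDR networks)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignore_list]
    return {ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets)}


def existing_auto_ips(hosts_allow_text, service):
    """Collect addresses already inside the marker block so old bans persist."""
    entry_re = re.compile(rf"^{re.escape(service)}:\s*(\S+)\s*:\s*DENY$")
    inside, kept = False, set()
    for line in hosts_allow_text.splitlines():
        stripped = line.strip()
        if stripped == BEGIN_MARK:
            inside = True
        elif stripped == END_MARK:
            inside = False
        elif inside:
            m = entry_re.match(stripped)
            if m:
                kept.add(m.group(1))
    return kept


def render_hosts_allow(hosts_allow_text, ips, service="ALL"):
    """Return the new file text: manual lines untouched, one regenerated block."""
    manual, inside = [], False
    for line in hosts_allow_text.splitlines():
        stripped = line.strip()
        if stripped == BEGIN_MARK:
            inside = True
        elif stripped == END_MARK:
            inside = False
        elif not inside:
            manual.append(line)
    block = [BEGIN_MARK]
    block += [f"{service}: {ip} : DENY" for ip in sorted(ips, key=ipaddress.IPv4Address)]
    block.append(END_MARK)
    return "\n".join(manual + block) + "\n"


def update(hosts_allow_text, log_lines, ignore_list=(), service="ALL"):
    """Full pipeline: parse, merge with the current block, filter, render."""
    ips = parse_banned_ips(log_lines) | existing_auto_ips(hosts_allow_text, service)
    return render_hosts_allow(hosts_allow_text, drop_ignored(ips, ignore_list), service)


if __name__ == "__main__":
    print(update(SAMPLE_HOSTS_ALLOW, SAMPLE_LOG.splitlines(), ["192.0.2.0/24"]), end="")
```

Two points worth checking before wiring something like this into cron.daily: the address validation is the "sanity check" the post asks for, since a stray token in hosts.allow is parsed by every tcp_wrappers-linked daemon on the box; and the DENY entries only affect daemons actually built against libwrap, so verify with `ldd` (or the distribution's package notes) that the services you care about still honour hosts.allow at all.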
You might want to have a look at DenyHosts, it does all of the above and even includes the option to regularly update its blocklist from a centralised server, to which you can choose to contribute.
Thanks, I’ll have a look at it.