Adds fail2ban to ban DNS attacks

.gitignore

@@ -9,3 +9,4 @@ matomo-config
 portainer-data
 drone-data
 site-data
+pihole-log

README.md

@@ -23,6 +23,12 @@ $ sudo apt-get install -y docker-ce docker-compose
 $ sudo gpasswd -a $USER docker
 ```
 
+### Install fail2ban
+
+```bash
+$ sudo apt-get install geoip-bin geoip-database fail2ban
+```
+
 ### Setup space
 
 - copy/clone this repo to `~/space`
@@ -54,3 +60,12 @@ $ sudo systemctl enable space
 $ sudo systemctl start space
 ```
 - edit `/etc/resolv.conf` to set the nameserver to `127.0.0.1`
+- setup and start fail2ban
+
+```bash
+$ sudo cp fail2ban/iptables-pihole-geoip-fence.conf /etc/fail2ban/action.d/iptables-pihole-geoip-fence.conf
+$ sudo cp fail2ban/pihole-geoip.conf /etc/fail2ban/filter.d/pihole-geoip.conf
+$ sudo cp fail2ban/jail.local /etc/fail2ban/jail.local
+$ sudo service fail2ban start
+```
+

docker-compose.yml

@@ -79,6 +79,7 @@ services:
     volumes:
       - ./pihole-data/pihole:/etc/pihole
       - ./pihole-data/dnsmasq:/etc/dnsmasq.d
+      - ${PWD}/pihole-log/pihole.log:/var/log/pihole.log
 
   gitea:
     image: gitea/gitea:1.7

fail2ban/iptables-pihole-geoip-fence.conf

@@ -0,0 +1,87 @@
+# Fail2Ban configuration file
+#
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = iptables -N f2b-<name>
+              iptables -A f2b-<name> -j RETURN
+              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
+             iptables -F f2b-<name>
+             iptables -X f2b-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = IP=<ip> &&
+            COUNTRY=$(geoiplookup $IP | egrep "<country_list>") && [ "$COUNTRY" ] ||
+            (iptables -I f2b-<name> 1 -s <ip> -j <blocktype>)
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = IP=<ip> &&
+              COUNTRY=$(geoiplookup $IP | egrep "<country_list>") && [ "$COUNTRY" ] ||
+              (iptables -D f2b-<name> -s <ip> -j <blocktype>)
+
+[Init]
+
+# Option:  country_list
+# Notes.:  List of exempted countries separated by pipe "|"
+# Values:  STR  Default:
+#
+country_list = IN|India
+
+# Default name of the chain
+#
+name = pihole-geoip
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default:
+#
+port = 53
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = all
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = FORWARD
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = DROP

fail2ban/jail.local

@@ -0,0 +1,17 @@
+[DEFAULT]
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
+# ban a host which matches an address in this list. Several addresses can be
+# defined using space separator.
+ignoreip = 127.0.0.1 172.20.0.1
+
+[pihole-geoip]
+enabled  = true
+port     = 53
+protocol = udp
+banaction = iptables-pihole-geoip-fence
+filter   = pihole-geoip
+logpath  = /home/abhinav/space/pihole-log/pihole.log
+bantime  = 604800  ; 1 week
+findtime = 86400   ; 1 day
+maxretry = 1

fail2ban/pihole-geoip.conf

@@ -0,0 +1,11 @@
+# Fail2Ban filter file for Pi-Hole.
+# This filter blocks attacks against PiHole (dnsmasq).
+
+[Definition]
+
+# This will filter all 'query' requests.
+failregex = query\[.*\].* from <HOST>$
+
+# This will filter all 'query[ANY]' requests.
+#failregex = query\[ANY\].* from <HOST>$
+