Adds fail2ban to ban DNS attacks

This commit is contained in:
Abhinav Sarkar 2019-03-16 05:11:23 +00:00
parent 8ddb6619b0
commit 51e4d8ff49
6 changed files with 132 additions and 0 deletions

1
.gitignore vendored
View File

@ -9,3 +9,4 @@ matomo-config
portainer-data
drone-data
site-data
pihole-log

View File

@ -23,6 +23,12 @@ $ sudo apt-get install -y docker-ce docker-compose
$ sudo gpasswd -a $USER docker
```
### Install fail2ban
```bash
$ sudo apt-get install geoip-bin geoip-database fail2ban
```
### Setup space
- copy/clone this repo to `~/space`
@ -54,3 +60,12 @@ $ sudo systemctl enable space
$ sudo systemctl start space
```
- edit `/etc/resolv.conf` to set the nameserver to `127.0.0.1`
- setup and start fail2ban
```bash
$ sudo cp fail2ban/iptables-pihole-geoip-fence.conf /etc/fail2ban/action.d/iptables-pihole-geoip-fence.conf
$ sudo cp fail2ban/pihole-geoip.conf /etc/fail2ban/filter.d/pihole-geoip.conf
$ sudo cp fail2ban/jail.local /etc/fail2ban/jail.local
$ sudo service fail2ban start
```

View File

@ -79,6 +79,7 @@ services:
volumes:
- ./pihole-data/pihole:/etc/pihole
- ./pihole-data/dnsmasq:/etc/dnsmasq.d
- ${PWD}/pihole-log/pihole.log:/var/log/pihole.log
gitea:
image: gitea/gitea:1.7

View File

@ -0,0 +1,87 @@
# Fail2Ban configuration file
#
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N f2b-<name>
iptables -A f2b-<name> -j RETURN
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
iptables -F f2b-<name>
iptables -X f2b-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = IP=<ip> &&
COUNTRY=$(geoiplookup $IP | egrep "<country_list>") && [ "$COUNTRY" ] ||
(iptables -I f2b-<name> 1 -s <ip> -j <blocktype>)
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = IP=<ip> &&
COUNTRY=$(geoiplookup $IP | egrep "<country_list>") && [ "$COUNTRY" ] ||
(iptables -D f2b-<name> -s <ip> -j <blocktype>)
[Init]
# Option: country_list
# Notes.: List of exempted countries separated by pipe "|"
# Values: STR Default:
#
country_list = IN|India
# Default name of the chain
#
name = pihole-geoip
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = 53
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = all
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = FORWARD
# Option: blocktype
# Note: This is what the action does with rules. This can be any jump target
# as per the iptables man page (section 8). Common values are DROP
# REJECT, REJECT --reject-with icmp-port-unreachable
# Values: STRING
blocktype = DROP

17
fail2ban/jail.local Normal file
View File

@ -0,0 +1,17 @@
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 172.20.0.1
[pihole-geoip]
enabled = true
port = 53
protocol = udp
banaction = iptables-pihole-geoip-fence
filter = pihole-geoip
logpath = /home/abhinav/space/pihole-log/pihole.log
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 1

View File

@ -0,0 +1,11 @@
# Fail2Ban filter file for Pi-Hole.
# This filter blocks attacks against PiHole (dnsmasq).
[Definition]
# This will filter all 'query' requests.
failregex = query\[.*\].* from <HOST>$
# This will filter all 'query[ANY]' requests.
#failregex = query\[ANY\].* from <HOST>$