FAIL2BANLITE

NAME

Fail2banlite is a set of Perl scripts intended to provide the core functionality of fail2ban in conjunction with the ufw firewall.

SYNOPSIS

The scripts scan system log files for undesirable/hacking activity, then ban the offending IP address by adding a corresponding firewall input deny rule.

Undesirable activity is identified within the logs by trigger regexes in the scripts. Triggers are aggressive: some create immediate bans (e.g. an attempt to run a known PHP vulnerability script) while others allow multiple attempts (e.g. logins, in case of a senior moment).

Bans are permanent and need to be manually revoked by removing the corresponding firewall input deny rule.

DESCRIPTION

Typical ufw setup rules are:

ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow www
ufw allow ftp

To block an IP address the scripts do this:

ufw insert 1 deny from <IP>
(essentially inserts a drop at the top of the input chain for that IP address)

To unblock an IP address you need to do this:

ufw status numbered
ufw delete <NUM>

APPLICATION

The scripts are intended to be run as root cron jobs, say every minute. Note that to avoid ufw collisions the jobs should be staggered via a sleep of a few seconds.

To avoid banning yourself there is a hardcoded IP whitelist in each script.

Banned addresses are logged by service to /var/log/ban.log with a creation timestamp. The intention of the timestamp is to enable the ban list to be reviewed, say monthly, and ancient bans removed. This limits the ban list size.
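The following is an added example, not one of the fail2banlite scripts, showing the whole cycle described in DESCRIPTION and APPLICATION in POSIX shell: scan a log with a trigger regex, count attempts per source IP, skip a hardcoded whitelist, ban with "ufw insert 1 deny from <IP>", record the ban with a timestamp in a ban log, and later revoke the ban by looking the rule number up in "ufw status numbered" and deleting it. The sample log lines, the sample ufw status output, the whitelist entries, the threshold of 3 failures and the ban log path are all constructed for the demo. DRY_RUN=1 (the default) prints the ufw commands instead of executing them, so the script runs without root or ufw installed; "ufw --force delete" is used so the real run does not stop at ufw's confirmation prompt.

```shell
#!/bin/sh
# Added example, not part of fail2banlite.
DRY_RUN="${DRY_RUN:-1}"              # 1 = print ufw commands, 0 = run them as root
BAN_LOG="${BAN_LOG:-./ban.log}"      # the README uses /var/log/ban.log
WHITELIST="127.0.0.1 192.0.2.10"     # constructed; hardcoded per script in the README

# Constructed sshd-style log lines (not from any real host).
SAMPLE_AUTH_LOG='Jan  1 10:00:01 host sshd[100]: Failed password for root from 198.51.100.7 port 4000 ssh2
Jan  1 10:00:05 host sshd[101]: Failed password for root from 198.51.100.7 port 4001 ssh2
Jan  1 10:00:09 host sshd[102]: Failed password for invalid user admin from 198.51.100.7 port 4002 ssh2
Jan  1 10:01:00 host sshd[103]: Failed password for bob from 192.0.2.10 port 5000 ssh2
Jan  1 10:01:03 host sshd[104]: Failed password for bob from 192.0.2.10 port 5001 ssh2
Jan  1 10:01:06 host sshd[105]: Failed password for bob from 192.0.2.10 port 5002 ssh2
Jan  1 10:02:00 host sshd[106]: Accepted password for bob from 203.0.113.4 port 6000 ssh2
Jan  1 10:03:00 host sshd[107]: Failed password for root from 203.0.113.9 port 7000 ssh2'

# Constructed "ufw status numbered" output for the offline unban demo.
SAMPLE_UFW_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     198.51.100.7
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere'

ufw_cmd() {
    if [ "$DRY_RUN" = 1 ]; then printf 'ufw %s\n' "$*"; else ufw "$@"; fi
}

is_whitelisted() {
    for w in $WHITELIST; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# Trigger regex: failed sshd logins. Emit each source IP seen at least
# $1 times (default 3), i.e. the "multiple attempts" style of trigger.
offenders() {
    threshold="${1:-3}"
    printf '%s\n' "$SAMPLE_AUTH_LOG" \
      | sed -n 's/.*Failed password for .* from \([0-9.]*\) port.*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Ban every offender that is neither whitelisted nor already in the ban log,
# inserting the deny rule at position 1 and recording "<timestamp> <service> <ip>".
ban_offenders() {
    service="$1"
    offenders 3 | while read -r ip; do
        if is_whitelisted "$ip"; then continue; fi
        if grep -q "[[:space:]]$ip\$" "$BAN_LOG" 2>/dev/null; then continue; fi
        ufw_cmd insert 1 deny from "$ip"
        printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$service" "$ip" >> "$BAN_LOG"
    done
}

# Rule number(s) in "ufw status numbered" whose From column is exactly $1.
rule_numbers_for() {
    printf '%s\n' "$SAMPLE_UFW_STATUS" \
      | awk -v ip="$1" '$NF == ip && match($0, /^\[ *[0-9]+\]/) {
            n = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", n); print n }'
}

# Revoke a ban: delete matching rules highest number first (so earlier
# numbers do not shift), then drop the entry from the ban log.
unban() {
    ip="$1"
    rule_numbers_for "$ip" | sort -rn | while read -r n; do
        ufw_cmd --force delete "$n"
    done
    if [ -f "$BAN_LOG" ]; then
        grep -v "[[:space:]]$ip\$" "$BAN_LOG" > "$BAN_LOG.tmp" || true
        mv "$BAN_LOG.tmp" "$BAN_LOG"
    fi
}

# Stand-alone demo: DEMO=1 sh thisfile.sh
if [ "${DEMO:-0}" = 1 ]; then
    ban_offenders sshd
    cat "$BAN_LOG"
    unban 198.51.100.7
fi
```

Run with DEMO=1 to see the two ufw commands that would be issued; only 198.51.100.7 is banned because 192.0.2.10 is whitelisted and 203.0.113.9 failed only once. For the real scripts the same shape applies: a second cron run finds the IP already in the ban log and does nothing, which is what keeps repeated "ufw insert 1" rules from piling up.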

BUGS

None

AUTHOR

John Bartlett

SEE ALSO

Standalone