Fail2Ban & Port-Scanning
Is there any filter built into Fail2Ban to temporarily ban any IP addresses which attempt port scanning activities (provided that iptables logs these activities)?
You can add it like this (when you have iptables ... -j LOG to mark the scans you want) by adding an additional fail2ban filter like this:
# Option: failregex
# Notes: Looks for attempts on ports not open in your firewall. Expects the
# iptables logging utility to be used. Add the following to your iptables
# config, as the last item before you DROP or REJECT:
# -A <chain_name> -j LOG --log-prefix "PORT DENIED: " --log-level 5 --log-ip-options --log-tcp-options --log-tcp-sequence
# This will place a notice in /var/log/messages about any attempt on a port that isn't open.
failregex = PORT DENIED: .* SRC=<HOST>
by creating a file in the /etc/fail2ban/filter.d directory (not /etc/fail2ban/filters.d). More information.
Or you could use programs like PortSentry to do the blocking/releasing after some timeout, which have some more advanced features. Note however that blocking is not bulletproof: due to the way TCP/IP works (UDP packets, or TCP packets before a completed 3-way handshake) it is quite possible (as port scanners have options to also send lots of packets with faked source IPs in order to hide the real scanner) that you'll end up blocking lots of innocent users (possibly including your own admin access to the server).