I have fail2ban set up to ban anyone who tries to connect via ssh without my certificate.

I currently have a list of 1886 banned addresses (and counting), the majority of which originate from China. China is not my target audience for my nginx web server, so I am able to block the entire country with geoip_country; however, I would also like to specifically deny access to http/https/git to those on the ban list too.

I have these two configurations:

[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = %(nginx_error_log)s
maxretry = 3
bantime  = -1

and

[sshd]
enabled  = true
port     = ssh
logpath  = %(sshd_log)s
backend  = %(sshd_backend)s
maxretry = 3
findtime = 600
bantime  = -1

Is there a way I can combine these two together? Ban anywhere, apply the block everywhere?
I'm not quite sure how to do any tests, given that if I ban myself I'd get locked out (static IP).

  • There are numerous VPN providers that would allow you to tweak and test your server configuration without banning your own static IP address
    – Ramhound
    Commented Feb 20, 2021 at 19:12
  • @Ramhound Ah, that's an idea!
    – agregate
    Commented Feb 20, 2021 at 19:50

1 Answer

Is there a way I can combine these two together? Ban anywhere, apply block anywhere?

Fail2ban has several *-allports actions (the default is multiport), so you can simply set one of them as banaction. There is also a default substitution variable banaction_allports in your jail.conf, so normally it would be enough to overwrite banaction with that in your jail.local, either for a jail or in the default section:

[DEFAULT]
# banaction = iptables-allports
banaction = %(banaction_allports)s

# [sshd]
# # banaction = iptables-allports
# banaction = %(banaction_allports)s

Some multiport actions allow setting ports like 0:65535, so you can also use port = 0:65535 in the corresponding jails (but allports would also ban across all protocols etc.).

given if I ban myself I'd get locked out (static ip)?

You can add your (dynamic?) IP to fail2ban's ignoreip to avoid being banned during your tests, also temporarily via the command line:

# add 192.0.2.1 to be ignored in sshd:
fail2ban-client set sshd addignoreip 192.0.2.1

# stop ignoring 192.0.2.1 in sshd:
fail2ban-client set sshd delignoreip 192.0.2.1
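Before restarting fail2ban with the DEFAULT override above, it is worth confirming that every enabled jail really resolves to an *-allports action, since a jail that is still on iptables-multiport only blocks its own port list and the banned host can still reach the other services. The script below is an added example, not code from the answer or from the fail2ban project: it layers a jail.conf and a jail.local the way fail2ban does (later file wins, %(name)s references resolved against the jail's section and then DEFAULT) using Python's configparser as a stand-in for fail2ban's own config reader, and flags jails whose bans are limited to their own ports. The jail.conf text is a constructed subset of the shipped defaults; the sshd_log, sshd_backend and nginx_error_log values normally come from paths-*.conf and are filled in here only so the substitutions resolve offline.

```python
import configparser

# Constructed stand-in for the DEFAULT section of fail2ban's shipped jail.conf
# (the real file has many more keys). The two banaction names are fail2ban's
# real defaults; the *_log / *_backend values are placeholders for what
# paths-*.conf would normally provide.
JAIL_CONF = """\
[DEFAULT]
enabled  = false
bantime  = 10m
findtime = 10m
maxretry = 5
banaction = iptables-multiport
banaction_allports = iptables-allports
sshd_log = /var/log/auth.log
sshd_backend = auto
nginx_error_log = /var/log/nginx/error.log

[sshd]
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[nginx-http-auth]
port    = http,https
logpath = %(nginx_error_log)s
"""

# The two jails from the question, plus the answer's DEFAULT override.
JAIL_LOCAL = """\
[DEFAULT]
banaction = %(banaction_allports)s

[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = %(nginx_error_log)s
maxretry = 3
bantime  = -1

[sshd]
enabled  = true
port     = ssh
logpath  = %(sshd_log)s
backend  = %(sshd_backend)s
maxretry = 3
findtime = 600
bantime  = -1
"""

# The same jail.local without the override, for comparison.
JAIL_LOCAL_NO_OVERRIDE = JAIL_LOCAL.replace("banaction = %(banaction_allports)s\n", "")


def load_jails(*sources):
    """Layer config texts in order (jail.conf, then jail.local) so that later
    files override earlier ones, as fail2ban does. %(name)s references resolve
    against the jail's own section first and then DEFAULT."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for text in sources:
        cp.read_string(text)
    return cp


def effective_jails(cp):
    """Resolved settings of every enabled jail, keyed by jail name."""
    jails = {}
    for name in cp.sections():
        sec = cp[name]
        if not sec.getboolean("enabled", fallback=False):
            continue
        jails[name] = {
            "banaction": sec.get("banaction"),
            "port": sec.get("port"),
            "bantime": sec.get("bantime"),
            "logpath": sec.get("logpath"),
        }
    return jails


def is_allports(banaction):
    """True for fail2ban's *-allports actions (iptables-allports,
    nftables-allports, ...), whose bans cover every port and protocol."""
    return banaction.endswith("-allports")


def jails_limited_to_own_ports(cp):
    """Enabled jails whose ban only blocks that jail's own 'port' list, so a
    host banned by one of them can still reach the other services."""
    return sorted(name for name, j in effective_jails(cp).items()
                  if not is_allports(j["banaction"]))


def report(cp):
    """One human-readable line per enabled jail describing the ban scope."""
    lines = []
    for name, j in sorted(effective_jails(cp).items()):
        scope = "all ports" if is_allports(j["banaction"]) else f"port(s) {j['port']} only"
        lines.append(f"{name}: banaction={j['banaction']} bantime={j['bantime']} -> ban covers {scope}")
    return lines


if __name__ == "__main__":
    for label, local in (("with override", JAIL_LOCAL), ("without override", JAIL_LOCAL_NO_OVERRIDE)):
        cp = load_jails(JAIL_CONF, local)
        print(f"--- jail.local {label} ---")
        print("\n".join(report(cp)))
        print("jails that do not block everywhere:", jails_limited_to_own_ports(cp) or "none")
```

This is only a sanity check on the jail layer; it does not read paths-*.conf or the action definitions themselves, so on a live host the authoritative checks remain `fail2ban-client -t` (configuration test, fail2ban 0.10 and later) and `fail2ban-client get sshd actions` after the restart.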
