Drop repeat-offending IP addresses in-kernel (netfilter)
- Repo: github.com/pepa65/fail2drop
- License: GPLv3+
- After: github.com/apache2046/fail2drop
- Packets from IPs dropped in-kernel with Netfilter (nftables) rules.
- Golang version: small single stand-alone binary for Linux, distributed with the Golang source:
  - Uses a rule for each banned IP in NFT.
  - Can install a systemd unit file for automated start (but also runs fine without systemd).
  - Can uninstall the systemd unit file and stop & disable the service.
  - Installs a basic configfile for sshd when not present.
  - Package `nftables` (binary `nft`) does not need to be installed (but do install it to check counts/state/results!).
  - Can use an alternate configfile from the commandline, otherwise `fail2drop.yml` in the current directory will be used, and finally `/etc/fail2drop.yml`.
- Bash version: requires package `nftables` (tested to work with version 0.8.2 and up):
  - Does not use systemd.
  - Uses sets of IP addresses with a single rule in NFT.
  - Does not use
- Both versions use the configfile (`/etc/fail2drop.yml` by default):
  - Logging to a single file which can be specified in the configfile.
  - IPs can be whitelisted in the configfile.
  - Multiple logfiles can be monitored with multiple patterns and bancounts from the configfile.
- Both versions can run with `noaction`: list to-be-banned IP addresses without affecting the system.
- Both versions can run once (or occasionally from `cron`) to add drop rules to nftables without needing to constantly monitor the log files, for very lightweight operation. (In this case the output is to stdout, so it wants redirecting in cron jobs.)
- Running `noaction`, `help` or `version` requires no privileges (the other options do).
- Required: `sudo` (or any way to operate with root privileges)
- Required: `wget` (or any other way to download the binary)
- Get the appropriate link to the latest released binary at: https://github.com/pepa65/fail2drop/releases
- Or use `4e4.in/fail2drop`:

```shell
wget -q 4e4.in/fail2drop
chmod +x fail2drop
sudo ./fail2drop install
# Edit /etc/fail2drop.yml if required, and if changed, do:
sudo systemctl restart fail2drop
```
- Or for `fail2drop.sh`, use `gitlab.com/pepa65/fail2drop/raw/main/fail2drop.sh`, or:

```shell
wget -q 4e4.in/fail2drop.sh
chmod +x fail2drop.sh
sudo cp fail2drop.sh /usr/local/bin/
sudo chown root:root /usr/local/bin/fail2drop.sh
wget -q 4e4.in/fail2drop.yml
sudo cp fail2drop.yml /etc/
sudo chown root:root /etc/fail2drop.yml
```
- Required: `go` properly installed

```shell
sudo go install github.com/pepa65/fail2drop@latest
sudo fail2drop install
# Edit /etc/fail2drop.yml if required, and if changed, do:
sudo systemctl restart fail2drop
```
- Required: `git`, `go`

```shell
git clone https://github.com/pepa65/fail2drop
cd fail2drop
go build
sudo cp fail2drop.yml /etc/
# Edit /etc/fail2drop.yml
sudo chown root:root /etc/fail2drop.yml
sudo ./fail2drop install
```
Install, then uninstall (the binary and configfile will stay).
Then add this command to a crontab: `/usr/local/bin/fail2drop --once 2>>/var/log/fail2drop.log`
(The output of `once` is on stderr.)
Or add: `/usr/local/bin/fail2drop.sh 2>>/var/log/fail2drop.log`
(The output of the Bash version is also on stderr.)
```shell
# Also uninstalls, stops and disables the systemd unit file if present
fail2drop uninstall
```

- The Golang version can be removed with: `sudo rm /usr/local/bin/fail2drop`
- The Bash version can be removed with: `sudo rm /usr/local/bin/fail2drop.sh`
- The configfile can be removed with: `sudo rm /etc/fail2drop.yml`
Basically, run continuously through the systemd service file, or run occasionally
with the `once` option, or run `once` without affecting the system to see what
would get added to the banned list by running with the `noaction` option.

```
fail2drop v0.15.0 - Drop repeat-offending IP addresses in-kernel (netfilter)
Repo: github.com/pepa65/fail2drop
Usage: fail2drop [OPTION] [CONFIGFILE]
OPTION:
  -o|once:       Add to-be-banned IPs in a single run (or from 'cron').
  -n|noaction:   Do a 'once' single run without affecting the system.
  -i|install:    Install the binary, a template for the configfile, the
                 systemd unit file and enable & start the service.
  -u|uninstall:  Stop & disable the service and remove the unit file.
  -h|help:       Show this help text.
  -V|version:    Show the version.
CONFIGFILE:      Used if given, otherwise 'fail2drop.yml' in the current
                 directory or finally '/etc/fail2drop.yml' will get used.
Privileges are required to run except for 'noaction', 'help' and 'version'.
```
- See the included example configfile `fail2drop.yml` (works for sshd on Ubuntu).
- The logfile recording the bans is `/var/log/fail2drop.log` by default, but can be specified in the configfile with `varlog:`.
- IP addresses can be whitelisted under `whitelist:` (prepended by `-`).
- Multiple `searchlog` conditions can be named and specified, after:
  - `logfile:` - The path of the log file to be searched
  - `tag:` - The initial search tag to filter lines in the log file
  - `ipregex:` - A regular expression that should contain an offending IP address.
  - `bancount:` - The maximum number of offences allowed.
- If `/etc/fail2drop.yml` does not exist, `fail2drop install` will put the repo content of `fail2drop.yml` there. This can be modified and extended.
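The ban logic these configfile keys describe, as an added example in Go that is not part of the fail2drop code base: it models one `searchlog` condition with the keys above (`logfile:`, `tag:`, `ipregex:`, `bancount:`), counts offences per IP over a few constructed auth.log lines, skips addresses on the `whitelist:`, treats `bancount` as the maximum allowed (so an IP is banned once it is seen more often than that), and renders the resulting drop rules as `nft` commands the way a `noaction` run reports them instead of applying them. The Go struct layout, the sample log lines, the regular expression and the exact `nft add rule` wording are this example's assumptions; the table and chain names `inet fail2drop` / `FAIL2DROP` are the ones used elsewhere on this page.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// SearchLog models one named searchlog condition from fail2drop.yml. The
// field names follow the configfile keys described above (logfile:, tag:,
// ipregex:, bancount:); the Go layout itself is this example's assumption.
type SearchLog struct {
	Name     string
	Logfile  string
	Tag      string
	IPRegex  *regexp.Regexp
	BanCount int // maximum number of offences allowed before a ban
}

// countOffences tallies offences per IP for one condition: only lines
// carrying the tag are examined, and the regex's first capture group is
// taken as the offending address.
func countOffences(lines []string, sl SearchLog) map[string]int {
	counts := map[string]int{}
	for _, line := range lines {
		if !strings.Contains(line, sl.Tag) {
			continue
		}
		m := sl.IPRegex.FindStringSubmatch(line)
		if len(m) < 2 {
			continue
		}
		counts[m[1]]++
	}
	return counts
}

// toBan returns, sorted, the IPs seen more than bancount times that are
// not on the whitelist.
func toBan(counts map[string]int, bancount int, whitelist []string) []string {
	allowed := map[string]bool{}
	for _, ip := range whitelist {
		allowed[ip] = true
	}
	var banned []string
	for ip, n := range counts {
		if n > bancount && !allowed[ip] {
			banned = append(banned, ip)
		}
	}
	sort.Strings(banned)
	return banned
}

// nftCommands renders the drop rules as nft commands, one rule per IP as the
// Golang version is described to do. Table "inet fail2drop" and chain
// "FAIL2DROP" are the names used on this page; the command wording is an
// assumption. A noaction run would only print these instead of applying them.
func nftCommands(ips []string) []string {
	var cmds []string
	for _, ip := range ips {
		family := "ip"
		if strings.Contains(ip, ":") {
			family = "ip6"
		}
		cmds = append(cmds, fmt.Sprintf("nft add rule inet fail2drop FAIL2DROP %s saddr %s drop", family, ip))
	}
	return cmds
}

// runExample performs a noaction-style pass over constructed auth.log lines
// (addresses from the documentation ranges 203.0.113.0/24, 198.51.100.0/24
// and 192.0.2.0/24) and returns the IPs that would be banned.
func runExample() []string {
	sshd := SearchLog{
		Name:     "sshd",
		Logfile:  "/var/log/auth.log",
		Tag:      "sshd",
		IPRegex:  regexp.MustCompile(`Failed password for .* from ([0-9a-fA-F.:]+) port`),
		BanCount: 3,
	}
	whitelist := []string{"192.0.2.9"}
	// Constructed sample lines, not real log data.
	lines := []string{
		"Jan 10 12:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2",
		"Jan 10 12:00:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2",
		"Jan 10 12:00:03 host sshd[1235]: Failed password for root from 203.0.113.5 port 40003 ssh2",
		"Jan 10 12:00:04 host sshd[1236]: Failed password for root from 203.0.113.5 port 40004 ssh2",
		"Jan 10 12:00:05 host sshd[1237]: Failed password for root from 198.51.100.7 port 40005 ssh2",
		"Jan 10 12:00:06 host sshd[1238]: Failed password for root from 198.51.100.7 port 40006 ssh2",
		"Jan 10 12:00:07 host sshd[1239]: Failed password for root from 192.0.2.9 port 40007 ssh2",
		"Jan 10 12:00:08 host sshd[1240]: Failed password for root from 192.0.2.9 port 40008 ssh2",
		"Jan 10 12:00:09 host sshd[1241]: Failed password for root from 192.0.2.9 port 40009 ssh2",
		"Jan 10 12:00:10 host sshd[1242]: Failed password for root from 192.0.2.9 port 40010 ssh2",
		"Jan 10 12:00:11 host CRON[1243]: pam_unix(cron:session): session opened for user root",
	}
	counts := countOffences(lines, sshd)
	return toBan(counts, sshd.BanCount, whitelist)
}

func main() {
	// Prints the one rule for 203.0.113.5: four failures exceed bancount 3,
	// 198.51.100.7 stays under it and 192.0.2.9 is whitelisted.
	for _, cmd := range nftCommands(runExample()) {
		fmt.Println(cmd)
	}
}
```

Build with `go build` and run it unprivileged; nothing touches nftables, the commands are only printed, which is the same observation a real `noaction` run gives before you trust a new `ipregex` or `bancount` on a live host.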
- Check current table with: `sudo nft list ruleset` (`nft` from package `nftables`).
- Check the log of banned IPs: `less /var/log/fail2drop.log`
- Unban all banned entries: `sudo nft delete table inet fail2drop`
- To remove the ban on a specific IP address for the Golang version, use this function:
```shell
f2delg(){ # 1:IP-address
	local a=${1,,} x i h  # lower-case, so hex digits match nft's output
	if [[ ${a//:} == "$a" ]]
	then # IPv4: the 4 octets as one hex word, as nft lists the rule
		printf -v i '0x%02x%02x%02x%02x' ${a//./ }
	else # IPv6: expand '::' to the full 8 groups, then 32 hex digits
		[[ $a == "${a#::}" ]] || a=0$a
		[[ $a == "${a%::}" ]] || a+=0
		printf -v x '%8s' ${a//[^:]}  # one space per missing group
		x=${x//:} x=:${x// /0:}
		a=${a/::/$x}
		# No trailing newline: grep would read it as a second, empty pattern
		printf -v i '0x%4s%4s%4s%4s%4s%4s%4s%4s' ${a//:/ }
		i=${i// /0}
	fi
	h=$(sudo nft -a list table inet fail2drop |grep "$i")
	h=${h##* }  # the handle number at the end of the matched rule line
	[[ $h ]] || { echo "No rule found for $1" >&2; return 1; }
	sudo nft delete rule inet fail2drop FAIL2DROP handle $h
}
```
- To remove the ban on a specific IP address for the bash version, use this function:
```shell
f2delb(){ # 1:IP-address
	local s
	[[ ${1//:} == "$1" ]] && s=badip || s=badip6  # no colons: IPv4 set, else IPv6 set
	sudo nft delete element inet fail2drop $s "{$1}"
}
```
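What the Bash version's set-based layout looks like in `nft list ruleset` output, as an illustrative fragment added here and not taken from the fail2drop sources: the table `inet fail2drop`, the sets `badip` and `badip6` and the chain `FAIL2DROP` are the names the functions above use; the hook, priority, policy and the example elements (documentation addresses) are assumptions.

```nft
# Illustrative layout (assumption): hook, priority and policy are not stated on this page
table inet fail2drop {
	# Bash version: one set per address family, each referenced by a single rule
	set badip {
		type ipv4_addr
		elements = { 203.0.113.5 }
	}
	set badip6 {
		type ipv6_addr
		elements = { 2001:db8::1 }
	}
	chain FAIL2DROP {
		type filter hook input priority 0; policy accept;
		ip saddr @badip drop
		ip6 saddr @badip6 drop
	}
}
```

With this layout `f2delb` only has to remove an element from the right set, which is why one rule per family suffices; the Golang version instead adds one rule per address, so `f2delg` has to locate that rule in `nft -a list table` output first and delete it by handle.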
Basically, run the new binary with the `install` option.

```shell
cd fail2drop # Go to the directory with the cloned repo
git pull
# For the Golang version:
go build && ./fail2drop install
```

To update the Bash version `fail2drop.sh` without downloading the whole repo:

```shell
wget -q 4e4.in/fail2drop.sh
chmod +x fail2drop.sh
sudo cp fail2drop.sh /usr/local/bin/
sudo chown root:root /usr/local/bin/fail2drop.sh
```