Wednesday, August 19, 2009

fail2ban – Block w00t.w00t Scanners

SkyHi @ Wednesday, August 19, 2009
HowFlow — here i explain my solution to ban a host that scans my system with dfind/w00tw00t. this solution requires a preinstalled fail2ban.

Share it! Posted by Avatar idl0r about 1 year ago
View Profile

Add to: submit 'block w00tw00t scan-hosts with fail2ban' to del.icio.us submit 'block w00tw00t scan-hosts with fail2ban' to digg

NOTE: since fail2ban >=0.8.1 there is allready a the action file ’/etc/fail2ban/action.d/iptables-allports.conf’.
if you use a version >=0.8.1 you can skip point 1 and 2 and continue with 3.

You must create two new files in /etc/fail2ban.

1. create /etc/fail2ban/action.d/iptables-allports.conf

2. insert the text below



# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko
# made active on all ports from original iptables.conf
#
# $Revision: 658 $
#

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-
iptables -A fail2ban- -j RETURN
iptables -I INPUT -p -j fail2ban-

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -p -j fail2ban-
iptables -F fail2ban-
iptables -X fail2ban-

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: IP address
# number of failures
#