Centralize Fail2Ban - Part 1

Collecting attacker IPs for a centralized Fail2Ban: warding off potential server attacks with a centralized Fail2Ban

Fail2ban is a great tool for detecting potential attacks on servers and blocking the recognized IP across all important services. Unfortunately, fail2ban is designed to run on a single server: it protects only the server it is running on. With multiple servers you will quickly notice that the same IP soon rattles the "doors" of the other servers as well. With a few simple steps, fail2ban can be made to share the IPs it discovers with other systems, so that they can isolate themselves too. Another way to protect yourself would be to push the IPs detected by fail2ban to an upstream router or switch. In the first part of this HowTo we write the IP of an attacker into a MySQL database so that other systems can access it. There are of course many ways besides a database to share this data with other systems. As always, the sky is the limit.

System Requirements

This HowTo assumes that fail2ban, iptables, MySQL and PHP are installed and working on the system.
On Ubuntu, you can quickly do:

root@devserv3:~# sudo apt-get install php5 mysql-server fail2ban iptables
            

Next, we create a database in MySQL called "fail2ban". In this database, the following table is created:

CREATE TABLE IF NOT EXISTS `erp_core_fail2ban` (
  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `hostname` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL,
  `created` datetime NOT NULL,
  `name` text COLLATE utf8_unicode_ci NOT NULL,
  `protocol` varchar(16) COLLATE utf8_unicode_ci NOT NULL,
  `port` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
  `ip` varchar(64) COLLATE utf8_unicode_ci NOT NULL,
  PRIMARY KEY (`id`),
  KEY `hostname` (`hostname`,`ip`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
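As an added example (not from the original article): a least-privilege MySQL account for the writer script, which only needs INSERT on this table, plus a query that answers the question from the introduction, namely which IPs have been banned on more than one host. The user name 'fail2ban' and the host 'devserv3' are taken from the PHP script in this HowTo; the password and the client host pattern are placeholders to adjust.

```sql
-- Added example, not part of the original article.
-- Assumes the database `fail2ban` and the table `erp_core_fail2ban`
-- created above. Replace 'CHANGE_ME' and the host pattern 'devserv3'
-- with your own values (the host must match what the MySQL server
-- sees as the client address of the machine running fail2ban.php).
CREATE USER 'fail2ban'@'devserv3' IDENTIFIED BY 'CHANGE_ME';

-- The writer script only ever inserts: no SELECT, UPDATE or DELETE,
-- so a stolen script password cannot be used to read or wipe the table.
GRANT INSERT ON `fail2ban`.`erp_core_fail2ban` TO 'fail2ban'@'devserv3';
FLUSH PRIVILEGES;

-- IPs banned on at least two different hosts within the last 24 hours,
-- i.e. the "same IP rattling the doors of the other servers".
SELECT ip,
       COUNT(DISTINCT hostname) AS hosts,
       COUNT(*)                 AS bans,
       MIN(created)             AS first_seen,
       MAX(created)             AS last_seen
FROM `fail2ban`.`erp_core_fail2ban`
WHERE created >= NOW() - INTERVAL 1 DAY
GROUP BY ip
HAVING COUNT(DISTINCT hostname) >= 2
ORDER BY hosts DESC, bans DESC;

-- Housekeeping: the table grows without bound. Prune entries older than
-- 30 days from an administrative account, not from the INSERT-only one.
DELETE FROM `fail2ban`.`erp_core_fail2ban`
WHERE created < NOW() - INTERVAL 30 DAY;
```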
            

PHP script for passing the fail2ban IP

Next comes a small PHP script that accepts the IP address, port, protocol and the fail2ban jail name and writes them to the MySQL database.
The PHP script is created in the directory /root and made executable. In addition, read permission should be revoked for unauthorized users, since the script contains the database credentials!

root@devserv3:~# cd /root && touch fail2ban.php && chmod +x fail2ban.php
            

fail2ban.php is filled with the following content:

#!/usr/bin/php
<?php
// Called by fail2ban as: fail2ban.php <name> <protocol> <port> <ip>
// The shebang no longer passes "-n" (ignore php.ini): on Debian/Ubuntu the
// MySQL extension is loaded via php.ini, so with "-n" the script could not
// talk to the database at all.
if ($argc < 5) {
    fwrite(STDERR, "usage: fail2ban.php <name> <protocol> <port> <ip>\n");
    exit(1);
}
$name     = $argv[1];
$protocol = $argv[2];
$port     = $argv[3];
// fail2ban may pass a service name such as "ssh"; resolve it to a number.
// Values like "all" that cannot be resolved are stored as given.
if (!preg_match('/^\d{1,5}$/', $port)) {
    $resolved = getservbyname($argv[3], $protocol);
    if ($resolved !== false)
        $port = $resolved;
}
$ip = $argv[4];
if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
    fwrite(STDERR, "invalid IP: $ip\n");
    exit(1);
}

$hostname = gethostname();

// connect to mysql by hostname, username, password and database
$link = new mysqli('devserv3', 'fail2ban', 'password', 'fail2ban');
if ($link->connect_error)
    die('Could not connect: ' . $link->connect_error);
// insert into the table created above; a prepared statement keeps the
// arguments out of the SQL string entirely
$stmt = $link->prepare('INSERT INTO `erp_core_fail2ban` (hostname, name, protocol, port, ip, created) VALUES (?, ?, ?, ?, ?, NOW())');
$stmt->bind_param('sssss', $hostname, $name, $protocol, $port, $ip);
$stmt->execute() or die('Query failed: ' . $stmt->error);
$stmt->close();
$link->close();
exit;


Now you can test the script and check whether the data arrives in the database.

root@devserv3:~# ./fail2ban.php jailname ssh 22 123.123.123.123
            

Fail2ban IPs stored in the MySQL database

Connection to Fail2Ban

Once the script works, we can hook it into Fail2Ban.
To do this, change to the fail2ban configuration directory.

root@devserv3:~# cd /etc/fail2ban/ && ls -al
total 28
drwxr-xr-x  4 root root 4096 Feb 13 14:56 .
drwxr-xr-x 97 root root 4096 Feb 13 15:28 ..
drwxr-xr-x  2 root root 4096 Feb 13 14:56 action.d
-rw-r--r--  1 root root  853 Nov 29  2011 fail2ban.conf
drwxr-xr-x  2 root root 4096 Feb 13 14:56 filter.d
-rw-r--r--  1 root root 7346 Jun 18  2013 jail.conf
root@devserv3:/etc/fail2ban#

The jails and the banaction are defined in the files jail.conf and jail.local (the latter need not exist).
Here, as an example, the jail "pam-generic":

[pam-generic]
enabled  = true
filter   = pam-generic
port     = all
banaction = iptables-multiport
logpath  = /var/log/auth.log

The banaction line sets which action is used to handle the IP.
If no banaction is specified for a jail, the default banaction is used. It is defined in the [DEFAULT] section of the same file. Usually, the action is iptables-multiport.
The file iptables-multiport.conf is found in the action folder "action.d".
This file is now extended so that when an IP is banned, our PHP script is also called, with all parameters such as IP, port, etc. passed along.
After the line with actionban = ....., a new indented line is inserted that invokes the PHP script (fail2ban runs each indented continuation line as a separate command):

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            /root/fail2ban.php <name> <protocol> <port> <ip>

Now fail2ban only needs to be restarted. The fail2ban log shows whether there was an error.

root@devserv3:~# /etc/init.d/fail2ban restart
root@devserv3:~# cat /var/log/fail2ban.log

From now on, intrusions are detected and logged in the database.
The second part of the HowTo (coming soon) describes how to distribute the IP addresses from the database to other servers.

Continue to Part 2 - Read and block Fail2ban IPs from the DB

Status: 2015-10-15

Comments

Great, that's just what I'm looking for.
Now I'm curious about part 2.

Junifer - 2014-02-25 at 10:12

Very good idea, when will you release Part II?

Timo - 2014-04-14 at 14:15

Great article. Can't wait to read part two.

Jeremy - 2014-10-30 at 00:46

I'm guessing part 2 will never arrive. I have to wonder if the author knows how to do this....

Floon - 2014-12-15 at 16:27

Change the fail2ban.php line 15:

"$query = 'INSERT INTO `erp_core_fail2ban` .... " to "$query = 'INSERT INTO `erp_core_fail2ban` ... "

and change the actionban:
"/root/fail2ban.php " to (whereis php) "/(php location)/php -f /root/fail2ban.php "

It works fine.
Thanks my friend.

murat budak - 2015-01-14 at 16:26

I know this is a dead thread, but it comes up high in Google so I thought I would share a link that may help people with part 2

http://serverfault.com/questions/625656/sharing-of-fail2ban-banned-ips

btown - 2015-09-29 at 20:50

Hi! I wrote an ad hoc set of tools for fail2ban that use the zeromq API. You might find it interesting too! :)

Feel free to mail me if you want to get on my fail2ban-zmq cluster for testing purposes.

bye!!!

Buanzo - 2015-10-11 at 00:14

Since fail2ban has its own db and php needs PDO, the script doesn't work.
I made some changes at my own risk, but I don't know how to find the protocol or name; it works fine like before.

You can see this at https://www.ditsibits.tk/bloqueig/estadistiques.php
and make from the log here: https://www.ditsibits.tk/bloqueig/bloqueados.php

If anyone knows how to find this, I'll share the script when it will be finished.

Thanks in advance.
Have a nice day.

Ignasi Belarte - 2016-12-09 at 08:48
