Fail2ban + Tarpit

This website is hosted on my own dedicated server (a Kimsufi) and, like every server, it gets attacked regularly.

To identify those attacks, I needed to add a layer of security that bans recurrent attempts: Fail2ban. It is a widely known and recognized Python script that analyses your log files and bans repeated failed authentication attempts.

I had had enough of banning the same IPs over and over, and found a simple script that adds a new action to Fail2ban: Tarpit.

If you are not sure what the TARPIT target is or why you would want to use it, the basic explanation is that you send unwanted TCP traffic to the TARPIT target with iptables. All connections are accepted and immediately switched to the persist state. The remote side stops sending data and asks to continue every 60-240 seconds, and attempts to close the connection from the remote side are ignored. The connection will then time out in 12-24 minutes.

You can find here a good tutorial on how to install TARPIT on your Debian machine (if its kernel supports loading modules). Using part of Phil Hagen's Fail2ban action, I created my own that also uses TARPIT.

Here is my fail2ban action:

And here is an excerpt of my jail.local:

# Multi Ban
# 3 bans in 24 hours & ban for 1 week
[multi-ban]
enabled = true
filter = ban
logpath = /var/log/fail2ban.log
maxretry = 3
findtime = 86400
#action = iptables-allports[name=multiban]
action = iptables-tarpit[name=multiban]
bantime = 604800

And the filter used to check for previous ban:

# Fail2Ban configuration file
#
# Author: Nicolargo
#
[Definition]
# Option: failregex
# Filter Ban in the fail2ban.log
failregex = .*Ban\ <HOST>
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
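To see what the multi-ban jail above actually does, here is an added example (not part of the original post or of Fail2ban itself) that applies the filter's failregex to constructed fail2ban.log lines and flags the hosts that would reach maxretry bans inside findtime. Fail2ban's <HOST> tag is expanded to a plain capture group, and the timestamp parsing is simplified for the demo.

```python
"""Simulate the post's multi-ban jail: match 'Ban <HOST>' lines in
fail2ban.log and flag hosts banned MAXRETRY times within FINDTIME.
The log lines below are constructed for this example (TEST-NET IPs)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Jail settings from the jail.local excerpt
MAXRETRY = 3
FINDTIME = 86400  # seconds (24 hours)

# The post's failregex `.*Ban\ <HOST>`, with <HOST> expanded to a capture
# group the way fail2ban does internally (simplified: any non-space token).
FAILREGEX = re.compile(r".*Ban\ (?P<host>\S+)")
TIMESTAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")

# Constructed sample log: note the lowercase "Unban" line does NOT match
SAMPLE_LOG = """\
2013-05-12 08:00:01,123 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2013-05-12 14:30:44,456 fail2ban.actions: WARNING [apache-auth] Ban 192.0.2.10
2013-05-12 23:59:59,789 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2013-05-12 09:15:00,000 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2013-05-13 16:00:00,000 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2013-05-14 22:00:00,000 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2013-05-12 11:00:00,000 fail2ban.actions: WARNING [ssh] Unban 203.0.113.5
""".splitlines()

def parse_bans(lines):
    """Yield (timestamp, host) for every line the ban filter matches."""
    for line in lines:
        m = FAILREGEX.search(line)
        ts = TIMESTAMP.match(line)
        if m and ts:
            yield datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")

def hosts_to_multiban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return hosts with at least maxretry bans inside some findtime-wide
    window ending at a match, which is when fail2ban fires the action."""
    events = defaultdict(list)
    for ts, host in parse_bans(lines):
        events[host].append(ts)
    window = timedelta(seconds=findtime)
    flagged = set()
    for host, times in events.items():
        times.sort()
        for t in times:  # count matches not older than findtime at time t
            if sum(1 for u in times if t - window <= u <= t) >= maxretry:
                flagged.add(host)
                break
    return flagged

if __name__ == "__main__":
    print(hosts_to_multiban(SAMPLE_LOG))  # {'192.0.2.10'}
```

Only 192.0.2.10 is flagged: 198.51.100.7 was banned three times too, but never three times within 24 hours. Note that the multi-ban jail's own "Ban" lines match this regex as well, so an already-tarpitted host keeps matching; fail2ban just reports it as already banned.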
Written by: Antoine Aflalo
