Thursday, November 25, 2010

Fail2ban Manual Unban Single Host (for iptables)

UPDATE: Starting with version 0.8.8, unbanning a single IP is built in. It is done through the fail2ban-client tool, addressed by jail name:

# fail2ban-client set <jail-name> unbanip <ip>
# e.g. fail2ban-client set asterisk-iptables unbanip 8.8.8.

Check out the changelog here. Get version 0.8.8 here. You really should upgrade your fail2ban to that version (or later) and use the built-in command: the procedure below replaces a core file of fail2ban 0.8.4 and applies to that version only.

[WARNING- THESE BELOW ARE OUTDATED]

Fail2Ban is a great way to protect your server from brute-force attempts and other events you consider a problem. It works by scanning your logs, and when a particular event is repeated n times within a time window it runs the action you configure: blocking (and later unblocking) the source with iptables or another host firewall, or running a script that updates an external firewall.


There is one drawback: out of the box there is no way to unban just one IP (and there are many reasons you might need to). Follow these instructions and get the script below and you will have a working unban function if you use iptables as your ban action, or at least a starting point for your own.
Version that you MUST use: Fail2Ban v0.8.4. Download and install Fail2Ban 0.8.4, used here to protect Asterisk against SIP brute-force attacks. Some help with installation here.

This guide was written on a Debian system; customization may be required elsewhere. You can check the installed version from the CLI like this:
# fail2ban-client -V

Create the unban script. You may need to modify certain settings so that they match your jail name, your ban action (this script assumes iptables) and your logging options.
# cd /usr/src
# wget http://210.5.42.12/downloads/asterisk/misc/unban
# chmod +x unban

Next, replace Fail2ban's actions.py so that it copes with an IP that was unbanned by hand. Look at def __checkBan in the new actions.py: before banning, it runs an external check command (called mycheck) and only proceeds with the ban if that check returns 0. The problem with unbanning through the script alone was that fail2ban did not know the IP had been removed from iptables. It still had the IP in its own ban list, so it would never ban that IP again, even though the firewall rule was gone. This "fix" makes the ban procedure check the firewall state (the equivalent of iptables -n --list on the fail2ban chain) and reissue the ban when the IP is not there. If you ban with something other than iptables, adapt the check to your ban action.


# cd /usr/share/fail2ban/server/
# mv actions.py actions.py.original
# wget http://210.5.42.12/downloads/asterisk/misc/actions.py

Restart fail2ban (WARNING: a restart flushes all banned IPs. The 0.8.x iptables action's stop step flushes and deletes the fail2ban chain, and this version keeps no ban database, so every current ban is lost until the host trips the filter again.)
# /etc/init.d/fail2ban restart

Try it out for yourself to unban some IP
# unban 202.188.0.133

If you run it without an IP, it lists all IPs currently banned in the jail's chain.
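The two pieces of the procedure above, the unban script and the mycheck check in actions.py, are easier to reason about in code. The following is an added example and not the script or actions.py from the original post: it parses a constructed `iptables -n -L` listing, lists the hosts dropped by the jail chain (what `unban` with no argument prints), builds the 0.8.x iptables action's ban and unban commands, and models the in-memory ban list so you can see why a manual unban left fail2ban unable to re-ban the host, and how consulting the firewall fixes it. The chain name fail2ban-ASTERISK and the sample listing are assumptions; the BanList class is a simplified model, not fail2ban's actual code.

```python
import re
import subprocess

# Assumed jail chain: the 0.8.x iptables action creates fail2ban-<name>, and the
# asterisk jail on this page uses name=ASTERISK.
CHAIN = "fail2ban-ASTERISK"

# Constructed sample of `iptables -n -L` output with one host banned by the jail.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ASTERISK  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ASTERISK (1 references)
target     prot opt source               destination
DROP       all  --  202.188.0.133        0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""


def parse_listing(listing):
    """Map chain name -> [(target, source)] from `iptables -n -L` output."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"^Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            cols = line.split()          # target prot opt source destination ...
            if len(cols) >= 5:
                chains[current].append((cols[0], cols[3].split("/")[0]))
    return chains


def banned_ips(listing, chain=CHAIN):
    """Hosts dropped by the jail chain: what `unban` with no argument lists."""
    return [src for target, src in parse_listing(listing).get(chain, []) if target == "DROP"]


def firewall_has_ban(listing, ip, chain=CHAIN):
    """The mycheck idea: is the ban really present in iptables right now?"""
    return ip in banned_ips(listing, chain)


def ban_command(ip, chain=CHAIN):
    """actionban of the 0.8.x iptables action."""
    return ["iptables", "-I", chain, "1", "-s", ip, "-j", "DROP"]


def unban_command(ip, chain=CHAIN):
    """actionunban of the 0.8.x iptables action; this is what the unban script runs."""
    return ["iptables", "-D", chain, "-s", ip, "-j", "DROP"]


class BanList:
    """Simplified model of fail2ban's in-memory ban list (not the real actions.py)."""

    def __init__(self, chain=CHAIN):
        self.chain = chain
        self.ips = set()

    def check_ban_original(self, ip, listing):
        # 0.8.4 behaviour: once an IP is in the list it is never banned again,
        # no matter what happened to the iptables rule in the meantime.
        if ip in self.ips:
            return None
        self.ips.add(ip)
        return ban_command(ip, self.chain)

    def check_ban_patched(self, ip, listing):
        # Patched behaviour: only skip the ban if the firewall still has it.
        if ip in self.ips and firewall_has_ban(listing, ip, self.chain):
            return None
        self.ips.add(ip)
        return ban_command(ip, self.chain)


def live_listing(chain=CHAIN):
    """Fetch the real listing on a host (needs root); unused by the offline demo."""
    return subprocess.run(["iptables", "-n", "-L", chain], check=True,
                          capture_output=True, text=True).stdout


def demo(ip="202.188.0.133"):
    """Returns (banned at first, stuck after manual unban, re-banned with the patch)."""
    bl = BanList()
    first = bl.check_ban_original(ip, SAMPLE_LISTING)
    # The admin runs `unban <ip>`: the DROP rule disappears from iptables.
    after_unban = "\n".join(l for l in SAMPLE_LISTING.splitlines() if ip not in l)
    stale = bl.check_ban_original(ip, after_unban)   # None: never re-banned
    fixed = bl.check_ban_patched(ip, after_unban)    # ban reissued
    return first is not None, stale is None, fixed is not None


if __name__ == "__main__":
    print(banned_ips(SAMPLE_LISTING), unban_command("202.188.0.133"), demo())
```

The point of the patch is visible in demo(): the unmodified check trusts a set that nothing outside fail2ban can update, while the patched check treats iptables as the source of truth, which is also why a restart (which empties the chain) needs no special handling once the check is in place.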

5 comments:

Anonymous said...

Hi Dude,

Thanks for the script.
I am going to use this script on my CentOS box. Can I follow the same procedure to use this script?

What needs to change for CentOS?

I installed fail2ban through the source file. Really works great.

Thanks in advance for your reply

Thanks
K~

Anonymous said...

should not be a problem....:)

Anonymous said...

Tested and working like a charm. Thanks for the script.

Thanks
K~

SelvaRaj said...

Hi dude,

I think I need your help.

Previously it was working fine. After changing your things (unban script) it looks like below.
Kindly help me.

MY OS - CentOS5.5
Asterisk -1.4

[root@AST-COMM-02 ~]# /etc/init.d/fail2ban start
-bash: /etc/init.d/fail2ban: No such file or directory
[root@AST-COMM-02 ~]# cd /etc/init.d/asterisk
anaconda-ks.cfg .bashrc .esd_auth .gnome2_private/ install.log.syslog .subversion/
.asterisk_history .cshrc .gconf/ .gstreamer-0.10/ .metacity/ .tcshrc
.bash_history Desktop/ .gconfd/ .gtkrc-1.2-gnome2 .nautilus/ .Trash/
.bash_logout .dmrc .gnome/ .ICEauthority .redhat/
.bash_profile .eggcups/ .gnome2/ install.log .ssh/
[root@AST-COMM-02 ~]# cd /etc/init.d/asterisk

[root@AST-COMM-02 ~]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: asterisk-iptables
[root@AST-COMM-02 ~]#
[root@AST-COMM-02 ~]#
[root@AST-COMM-02 ~]#
[root@AST-COMM-02 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 786K packets, 224M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 842K packets, 232M bytes)
pkts bytes target prot opt in out source destination
[root@AST-COMM-02 ~]# fail2ban-client -V
Fail2Ban v0.8.4

Copyright (c) 2004-2008 Cyril Jaquier
Copyright of modifications held by their respective authors.
Licensed under the GNU General Public License v2 (GPL).

Written by Cyril Jaquier .
Many contributions by Yaroslav O. Halchenko .
[root@AST-COMM-02 ~]#
[root@AST-COMM-02 ~]#
[root@AST-COMM-02 ~]#
[root@AST-COMM-02 ~]# uname -a
Linux AST-COMM-02.localdomain 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:53:09 EST 2011 i686 i686 i386 GNU/Linux
[root@AST-COMM-02 ~]# uname -o
GNU/Linux
[root@AST-COMM-02 ~]#
[root@AST-COMM-02 ~]#
[root@AST-COMM-02 ~]#

Thanks
SelvaRaj

SelvaRaj said...

Log information for you

[root@AST-COMM-02 ~]# tail -f /var/log/fail2ban.log
2011-01-18 15:49:44,579 fail2ban.jail : INFO Creating new jail 'asterisk-iptables'
2011-01-18 15:49:44,580 fail2ban.jail : INFO Jail 'asterisk-iptables' uses poller
2011-01-18 15:49:44,627 fail2ban.filter : INFO Added logfile = /var/log/asterisk/full
2011-01-18 15:49:44,628 fail2ban.filter : INFO Set maxRetry = 3
2011-01-18 15:49:44,636 fail2ban.filter : INFO Set findtime = 600
2011-01-18 15:49:44,637 fail2ban.actions: INFO Set banTime = 259200
2011-01-18 15:49:44,687 fail2ban.jail : INFO Jail 'asterisk-iptables' started
2011-01-18 15:49:44,694 fail2ban.actions.action: ERROR iptables -N fail2ban-ASTERISK
iptables -A fail2ban-ASTERISK -j RETURN
iptables -I INPUT -p all -j fail2ban-ASTERISK returned 7f00



--Thanks in advance
SelvaRaj
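On the "returned 7f00" line in the log above, an added note and example that is not part of the original post or its comments: fail2ban 0.8.x runs action commands through os.system() and, when the command fails, logs the raw wait status in hex. The exit code is the high byte of that status, so 7f00 is exit status 127, which a POSIX shell returns when it cannot find the command. For a daemon started from an init script that usually means iptables (in /sbin) is not on its PATH, which also fits the iptables -L output in the same comment, where the fail2ban-ASTERISK chain was never created. The script below reads such multi-line error records out of a fail2ban log and decodes the status. The log text is constructed from the comment, and the exit-code hints are mine, not fail2ban's.

```python
import re

# Constructed sample: the error record pasted in the comment above. fail2ban 0.8.x
# writes the whole actionstart command (which contains newlines) in one record,
# so the "returned" marker only appears on the record's last line.
SAMPLE_LOG = (
    "2011-01-18 15:49:44,687 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started\n"
    "2011-01-18 15:49:44,694 fail2ban.actions.action: ERROR  iptables -N fail2ban-ASTERISK\n"
    "iptables -A fail2ban-ASTERISK -j RETURN\n"
    "iptables -I INPUT -p all -j fail2ban-ASTERISK returned 7f00\n"
)

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
RETURNED = re.compile(r"ERROR\s+(?P<cmd>.*?) returned (?P<status>[0-9a-fA-F]{1,4})\s*$", re.S)

# Hints are the author's (of this example), keyed by shell/iptables exit codes.
EXIT_HINTS = {
    127: "command not found: the shell could not locate the binary (is /sbin in PATH for the fail2ban daemon?)",
    126: "command found but not executable (permissions)",
    2: "iptables rejected the command line (bad parameter or chain name)",
    1: "iptables reported a generic error (not root? chain already exists?)",
}


def decode_wait_status(status):
    """Split a POSIX wait status into (exit_code, signal); one of them is None."""
    sig = status & 0x7F
    if sig:
        return None, sig
    return (status >> 8) & 0xFF, None


def explain(status):
    code, sig = decode_wait_status(status)
    if sig is not None:
        return code, sig, "killed by signal %d" % sig
    return code, sig, EXIT_HINTS.get(code, "exit code %d" % code)


def split_records(log_text):
    """Group log lines into records: a line without a timestamp continues the previous one."""
    records = []
    for line in log_text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line
    return records


def parse_action_errors(log_text):
    """Return one dict per 'ERROR <cmd> returned <hex>' record with the decoded status."""
    out = []
    for rec in split_records(log_text):
        m = RETURNED.search(rec)
        if not m:
            continue
        status = int(m.group("status"), 16)
        code, sig, hint = explain(status)
        out.append({"command": m.group("cmd").strip(), "status": status,
                    "exit_code": code, "signal": sig, "hint": hint})
    return out


if __name__ == "__main__":
    for err in parse_action_errors(SAMPLE_LOG):
        print("%s\n  -> status 0x%04x, exit code %s: %s"
              % (err["command"], err["status"], err["exit_code"], err["hint"]))
```

Run it against /var/log/fail2ban.log instead of SAMPLE_LOG to triage action failures in bulk; anything decoding to 127 or 126 is an environment problem on the fail2ban side rather than an iptables one.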