Home / server / Questions / 561088
Accepted
giorgio79
Asked: 2013-12-13 20:34:18 +0800 CST

fail2ban ignoreip DNS host example?

  • 772

I would like to add ".googlebot.com" to the ignore iplist for fail2ban since the ignoreip explanation mentions DNS host as an accepted input. Is this a proper format?

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
fail2ban

3 Answers

  1. Best Answer

    From looking at the Python script that uses the "ignoreip" value trying to do a wildcard match on a name like that will not work, it needs to be an IP/network or be a name that resolves to an IP.

    If the 'googlebot.com' string is in the log perhaps using "ignoreregex" instead will do the job? Command and usage is listed here: http://www.fail2ban.org/wiki/index.php/Commands#JAIL_CONFIGURATION

    • 2

  2. My log file has only IP numbers (no domain names), so ignoreregex didn't work for me.

    I'll post here what I did, in the case it is useful for someone trying to do something similar. This was done on Ubuntu 18.04, with Fail2Ban v0.10.2.

    1. Create a script that takes an IP number, do a reverse DNS lookup, and check if the hostname is in the allowed domain name. Put that script in /etc/fail2ban/filter.d/ignorecommands. I named that script ignorehost.
    #!/usr/bin/env fail2ban-python
# Inspired by apache-fakegooglebot script
#
# Written in Python to reuse built-in Python batteries and not depend on
# presence of host and cut commands
#
import sys
import re
from fail2ban.server.ipdns import DNSUtils, IPAddr

ALLOWED_HOSTS = [
        ".phlapa.fios.verizon.net",
        ".nwrknj.fios.verizon.net",
        ".hsd1.de.comcast.net",
        ".hsd1.pa.comcast.net"]

def process_args(argv):
    if len(argv) != 2:
       raise ValueError("Please provide a single IP as an argument. Got: %s\n"
                        % (argv[1:]))
    ip = argv[1]

    if not IPAddr(ip).isValid:
       raise ValueError("Argument must be a single valid IP. Got: %s\n"
                        % ip)
    print("Ip received!")

    return ip

def is_allowed_host(ip):
    host = DNSUtils.ipToName(ip)
    if not host:
        return False
    else:
        m = re.match('.\S+(-\d+)(?P<domain>\.\S+)', host)
        domain = m.group('domain')
        if domain in ALLOWED_HOSTS:
           return True
        else:
           return False

if __name__ == '__main__': # pragma: no cover
    try:
      ret = is_allowed_host(process_args(sys.argv))
    except ValueError as e:
      sys.stderr.write(str(e))
      sys.exit(2)
    sys.exit(0 if ret else 1)
    1. Add this line to the desired jail(s), in /etc/fail2ban/jail.local:

    ignorecommand = %(ignorecommands_dir)s/ignorehost <ip>

    In my case, I put that line in the ssh and sshd jails:

    [sshd]

ignorecommand = %(ignorecommands_dir)s/ignorehost <ip>

[ssh]

ignorecommand = %(ignorecommands_dir)s/ignorehost <ip>
    1. Reload fail2ban

    systemctl reload fail2ban.service

    • 1

  3. Better solution is to add ignoreregex line in your filter config file:

    ignoreregex = ^<HOST> -.*"GET.*HTTP.*Googlebot/2\.1.*"$

    It will ignore Googlebot. Be sure to check access.log instead of error.log if you're using Apache.

    • 0