A Linux kernel module firewall and userspace log parser and auto-banner for blocking web bots.
Instead of reading log files from the filesystem, this uses pipes (fifo) so Nginx and OpenSSH can send their logs directly into the application.
Write an IPv4 address to `/proc/fail1ban` and it will be banned. Any application can do this, including from the shell. Any message not starting numerically will clear all bans.

```sh
echo -n 10.10.10.10 > /proc/fail1ban  # bans ip
echo clear > /proc/fail1ban           # clears all bans
```
Reading from `/proc/fail1ban` will list all currently banned IPs.

```sh
cat /proc/fail1ban
```
Linux can run multiple firewalls simultaneously, so you don't need to disable iptables etc.

Accepts logs directly from OpenSSH and Nginx via two named pipes (fifo), `/run/fail1ban-nginx` and `/run/fail1ban-ssh`.
OpenSSH:

One failure bans immediately. These rules are minimized for brevity; you may need to adjust them for your version of OpenSSH.
Nginx:

By default, there are 4 rules:

- HTTP status codes 400 and 444 ban immediately.
- 301 and 404 issue two (silent) warnings before banning on the third attempt. Only the most recent 16 warnings are remembered.

These rules are very simple, which makes it easy to add your own, tailored to your web logs.
Nginx can handle named pipes natively; they are configured the same as normal files. You can have multiple `access_log` directives to get multiple log files.

`/etc/nginx/nginx.conf`:

```nginx
log_format f1b '~$status $remote_addr#$host';
access_log /run/fail1ban-nginx f1b buffer=512 flush=50ms;
```
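As an added illustration (not the project's own parser), here is a minimal userspace classifier for lines in the `f1b` log_format above, applying the documented Nginx rules: 400/444 ban at once, 301/404 ban on the third warning, and only the most recent 16 warnings are remembered. The `ban_ip()` helper writes the address to `/proc/fail1ban` exactly as the `echo -n` one-liner does; the function and macro names are this example's own.

```c
/* Added example: a minimal parser for the f1b log_format above, applying the
 * documented rules; ban_ip() writes to /proc/fail1ban like the echo one-liner. */
#include <stdio.h>
#include <string.h>

#define WARN_SLOTS 16   /* only the most recent 16 warnings are remembered */
#define WARN_LIMIT 3    /* two silent warnings, ban on the third attempt */

enum action { ACT_NONE, ACT_WARN, ACT_BAN };

static char warns[WARN_SLOTS][16]; /* ring buffer of offending IPv4 strings */
static int warn_next;              /* oldest slot, overwritten next */

/* Number of remembered warnings for ip. */
int warn_count(const char *ip)
{
    int n = 0;
    for (int i = 0; i < WARN_SLOTS; i++)
        if (strcmp(warns[i], ip) == 0) n++;
    return n;
}

/* Remember a warning, forgetting the oldest one when the ring is full. */
static void warn_add(const char *ip)
{
    snprintf(warns[warn_next], sizeof warns[warn_next], "%s", ip);
    warn_next = (warn_next + 1) % WARN_SLOTS;
}

/* Ban ip via the proc interface (module must be loaded). 0 on success. */
int ban_ip(const char *ip)
{
    FILE *f = fopen("/proc/fail1ban", "w");
    if (!f) return -1;
    fputs(ip, f);  /* no trailing newline, exactly like echo -n */
    return fclose(f) == 0 ? 0 : -1;
}

/* Classify one line of the form "~<status> <remote_addr>#<host>". */
enum action f1b_decide(const char *line, char *ip_out, size_t ip_len)
{
    int status;
    char ip[16];
    if (sscanf(line, "~%d %15[0-9.]#", &status, ip) != 2) return ACT_NONE;
    snprintf(ip_out, ip_len, "%s", ip);
    if (status == 400 || status == 444) return ACT_BAN;
    if (status != 301 && status != 404) return ACT_NONE;
    if (warn_count(ip) + 1 >= WARN_LIMIT) return ACT_BAN;
    warn_add(ip);
    return ACT_WARN;
}
```

A daemon built on this would read the fifo line by line and call `ban_ip()` whenever `f1b_decide()` returns `ACT_BAN`.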
OpenSSH logs to rsyslogd, and rsyslogd can handle pipes natively. Just add the pipe/bar symbol `|` before the fifo's filename.

`/etc/rsyslog.conf`:

```
auth,authpriv.* |/run/fail1ban-ssh
```
Set whitelist IP macros for the server and the admin client in `config.h` to prevent lockout.
`make` will build the kernel module and the log parser (`make mod` + `make log`). `make cf` builds the Cloudflare version.

Install the kernel module with `modprobe ./fail1ban_mod.ko`, then run the parser daemon `./fail1ban_log` before restarting nginx and rsyslog.
Once the named pipes have been created the first time, you can stop and restart the log daemon without restarting nginx and rsyslog. They will automatically start sending logs again.
The Cloudflare log parser works with a mixture of domains both on and off of Cloudflare.
Requirements

- SSL relay.
- Cloudflare list. Block the list in the WAF.
Setup

Make a local copy of `config.h`, `config.local.h`, so it doesn't get overwritten. Set `config.local.h` macros for: your SSL relay hostname, your own IP address for the whitelist (just in case), Cloudflare account ID, list ID, account email, and API key.

Rewrite lines 107 and 118 to uniquely identify domain names that use Cloudflare.
Nginx SSL relay:

```nginx
server {
    merge_slashes off;
    set_real_ip_from 0.0.0.0/0;
    real_ip_header X-Forwarded-For;
    location ~ ^/sslrelay/(.*) {
        resolver 1.0.0.1;
        proxy_pass https://$http_x_forwarded_for/$1;
        proxy_set_header Host $http_x_forwarded_for;
        proxy_ssl_server_name on;
    }
}
```
- IPv6
- Unban individual IP
- Generalize SSH ban triggers
- CF API request failsafe
- Allow newline IP string termination
- Abstract Cloudflare domain name ident to config.h