So new version of manual for NS version 6.7:
1) Install fail2ban
2) Edit custom config
mkdir -p /etc/e-smith/templates-custom/etc/shorewall/shorewall.conf
cp -p /etc/e-smith/templates/etc/shorewall/shorewall.conf/60options /etc/e-smith/templates-custom/etc/shorewall/shorewall.conf/60options
vim /etc/e-smith/templates-custom/etc/shorewall/shorewall.conf/60options
BLACKLIST="ALL"
3) Edit jail.local for further updates
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vim /etc/fail2ban/jail.local
usedns = no
banaction = shorewall
#
# JAILS
#
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 2
4) Edit /etc/fail2ban/action.d/shorewall.conf
blocktype = drop
5) As for finding out who is blocked, run:
shorewall show dynamic
6) For testing filters for other services, run:
fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/sshd-ddos.conf
Running tests
Use failregex filter file : sshd-ddos, basedir: /etc/fail2ban
Use log file : /var/log/messages
Use encoding : UTF-8
Results
Failregex: 27 total
|- #) [# of hits] regular expression
| 1) [27] ^\s*(<[^.]+.[^.]+>)?\s*(?:\S+ )?(?:kernel: [ \d+.\d+] )?(?:@vserver_\S+ )?(?:(?:[\d+])?:\s+[[(]?sshd(?:(\S+))?[])]?:?|[[(]?sshd(?:(\S+))?[])]?:?(?:[\d+])?:?)?\s(?:[ID \d+ \S+])?\sDid not receive identification string from \s*$
`-
Ignoreregex: 0 total
Lines: 39917 lines, 0 ignored, 27 matched, 39890 missed [processed in 8.54 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 39890 lines
7) For verbose output please use:
fail2ban-regex -v /var/log/messages /etc/fail2ban/filter.d/sshd-ddos.conf
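
An added example, not part of the original post and not fail2ban's own code: it shows how the matched/missed counts reported by fail2ban-regex relate to a ban decision under maxretry = 2. The regex is a simplified stand-in for the sshd-ddos filter, the log lines are constructed, and the findtime value of 600 seconds is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for the sshd-ddos failregex (NOT the shipped filter).
FAILREGEX = re.compile(
    r"sshd(?:\[\d+\])?:\s+Did not receive identification string from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
MAXRETRY = 2      # from the [sshd] jail in the post
FINDTIME = 600    # seconds; assumed value, not set in the post

# Constructed sample lines in /var/log/messages syslog format.
SAMPLE_LOG = """\
Jan  5 10:00:01 ns sshd[2101]: Did not receive identification string from 192.0.2.10
Jan  5 10:00:07 ns sshd[2102]: Accepted publickey for admin from 198.51.100.7 port 50122 ssh2
Jan  5 10:03:30 ns sshd[2107]: Did not receive identification string from 192.0.2.10
Jan  5 10:04:00 ns sshd[2110]: Did not receive identification string from 203.0.113.5
Jan  5 10:30:00 ns sshd[2150]: Did not receive identification string from 203.0.113.5
Jan  5 10:31:00 ns kernel: Shorewall:net2fw:DROP:IN=eth0 SRC=192.0.2.10
"""

def scan(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return (matched, missed, banned_hosts) the way a jail would count them."""
    matched = missed = 0
    recent = defaultdict(deque)   # host -> failure timestamps inside findtime
    banned = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            missed += 1
            continue
        matched += 1
        # Syslog timestamps carry no year; a fixed one is prepended for parsing.
        when = datetime.strptime("2000 " + line[:15], "%Y %b %d %H:%M:%S")
        hits = recent[m.group("host")]
        hits.append(when)
        # Drop failures that fell out of the findtime window.
        while (when - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry and m.group("host") not in banned:
            banned.append(m.group("host"))
    return matched, missed, banned

if __name__ == "__main__":
    matched, missed, banned = scan(SAMPLE_LOG)
    print(f"{matched} matched, {missed} missed, would ban: {banned}")
```

A host whose two failures are further apart than findtime is matched by the filter but not banned, which is why a high match count in fail2ban-regex does not by itself mean many entries in shorewall show dynamic.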