xaf / fail2ban-subnets Goto Github PK

Is this project still maintained and working?

First, I needed to copy the action and filter to the existing directories and not create new *.local ones. Otherwise fail2ban would complain

2021-12-14 12:28:55,125 fail2ban.configreader   [187754]: ERROR   Found no accessible config files for 'filter.d/subnets' under /etc/fail2ban
2021-12-14 12:28:55,126 fail2ban.jailreader     [187754]: ERROR   Unable to read the filter 'subnets'
2021-12-14 12:28:55,126 fail2ban.jailsreader    [187754]: ERROR   Errors in jail 'subnets'. Skipping...
OK

But fail2ban-subnets.py still throws this error

Traceback (most recent call last):
  File "/usr/local/bin/fail2ban-subnets.py", line 250, in <module>
    banList = dict(re.findall(
  File "/usr/lib/python3.8/re.py", line 241, in findall
    return _compile(pattern, flags).findall(string)
TypeError: cannot use a string pattern on a bytes-like object

in addition to README.md:
Run fail2ban-subnets
chown root:adm /var/log/fail2ban-subnets.log

This looks like a very valuable script. I have installed it according to the recommendations, but now hourly receive this message:

/etc/cron.hourly/fail2ban-subnets.py:
iptables: No chain/target/match by that name.

Hi,
I saw that subnets are not optimized because the IP ranges are in 24 subnets.

Example:

Chain fail2ban-subnets (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 89.204.155.128/25 0.0.0.0/0
0 0 DROP all -- * * 195.154.182.0/24 0.0.0.0/0
0 0 DROP all -- * * 89.204.154.0/24 0.0.0.0/0
0 0 DROP all -- * * 195.154.183.0/24 0.0.0.0/0
33 24007 DROP all -- * * 89.204.153.0/24 0.0.0.0/0
571K 122M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

I expected to have 16 subnets for 89.204 and 195.154 but that is not a case.
Any idea how to force 16 subnets?

When starting or restarting the jail from fail2ban-client it fails with NOK Jail not found. In the fail2ban log get I "...fail2ban.transmitter [21094]: WARNING Command ['start', 'subnets'] has failed. Received UnknownJailException('subnets',)". But perhaps my jails are not configured correctly.

It starts fine if I stop and start the fail2ban server process.

Also I have updated iptables.subnet.conf for the latest version of fail2ban, so supports and parameters. It's attached as a txt file below.

Great little addition by the way.
Cheers
Tim Jackson
iptables-subnet.conf.txt

It would appear that fail2ban-subnets.py requires python 3, because it uses the bytes type in the isinstance check (line 201). This type is not available in python 2.x. Is there a patch that would make this work in 2.x (specifically 2.4.x) without using the bytes type in that line?

Would it be possible to add actions for firewalld/nftables?

Xbuntu 16.04, fail2ban v9, installed fail2ban-subnets as directed. when run against the fail2ban.log file there are zero hits, yet I have over 200 hits with my sshd filter. When i do a trace on /etc/cron.hourly/fail2ban-subnets, i get 39837 iterations reading the fail2ban.log.1 file at "for l in fh:" in the ### LOGIC section but only 1 iteration at "# Filter then sort the offenders by order or higher offense". there are 337 confirmed bans in this file

I'm using fail2ban 0.8.13 and the failregex in the python script wasn't matching entries in my fail2ban.log. I edited the failregex as follows and it seems to be working now.

failregex = ('%(time)s fail2ban\.actions\[\d+\]:(?: [A-Z]+)? ' + '\[(?!%(donotmatchjail)s\])(?P<JAIL>.*)\] ' + 'Ban (?P<HOST>(?:[0-9]{1,3}\.){3}[0-9]{1,3})$')