stamparm / maltrail

Malicious traffic detection system
MIT License

Feature Request : autobans/manual bans #30

Closed Boldairdev closed 3 years ago

Boldairdev commented 8 years ago

I love the software, well done, easy to use, but so far it's a passive tool. Adding a button that would launch: iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP (xxx being the offender IP) on each offender line. Could even add it as an autobanning feature, with maybe a threshold like fail2ban. That would certainly make my day :) (could even make it an option to autoban the known mass scanners at first start)

(I'm not forgiving: my fail2ban jails ban for a week the 1st time, and for a year in case of recidivism, but fail2ban is not that easy to configure, especially for new jails; this, with banning features, could really be a better solution)

jacktraf commented 8 years ago

I agree, this would be a nice feature. What's an easy way to implement this on our own?

stonfute commented 8 years ago

Such a feature will be awesome!

unixfox commented 8 years ago

:+1:

stamparm commented 8 years ago

This feature will be implemented at some point, BUT...

1) Where to do the autobanning? At server (?) which in regular setups should just be a passive component processing the events (e.g. got by sensor sniffing the traffic at remote locations or by local sensors sniffing the TAPed traffic).
2) How to decide what to autoban? Threshold? Only attackers?

stonfute commented 8 years ago

You can use iptables to drop packets on the server !

I don't think auto-ban is a really good idea ... because you have to deal with different thresholds depending on the type of alert! But a simple button would be great!

If you don't want to choose one firewall (such as iptables or nftables) you could implement a custom user command passing the ip to block as a parameter.

That function would be perfect for my gateway !

unixfox commented 8 years ago

@stonfute :+1: I opened an issue in relation to your request : #44.

Boldairdev commented 8 years ago

As for me, my preferences would go both ways:

this would be pretty much similar to what fail2ban does but going beyond it (much more attack types recognized in maltrail, and not having to define all those jails) and with the UI that's already here that would be a perfect tool :)

krull commented 8 years ago

:+1: Suggestion: A maltrail.conf command entry would suffice to add iptables rules via any of the major iptables helper programs such as csf, apf, shorewall or just plain iptables.

Something like:

USE_CSF true
CSF_COMMAND csf -d $FLAGED_IP

my two centavos :+1: keep up the great work!

unixfox commented 8 years ago

Great idea :+1: !

stamparm commented 8 years ago

@all auto generating feed of today's "known attackers"/"bad reputation" IPs that appeared more than N times in a short time-period (e.g. more than once in a 1 second period). This should be pretty "safe" to implement (and block)

<maltrail_server_ip>:8338/bad.txt would enlist all those "bad" IPs line-break separated, like in case of https://www.badips.com/get/list/any/2?age=7d

Then, you can do the automatic banning from any point outside by just doing the curl in some time periods, e.g.:

for i in $(curl -s https://www.badips.com/get/list/any/2?age=7d); do echo "$i"; done 2>/dev/null

does this sound good?
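Consuming such a bad.txt feed from the outside, as the post above proposes, and turning it into ban commands built from a configurable template (the CSF_COMMAND idea from earlier in the thread) is shown here as an added example; it is not maltrail's own code. The feed contents, the allowlist, the FLAGGED_IP template placeholder and the dry-run output are all assumptions.

```shell
#!/bin/sh
# Added example, not maltrail's code: validate a bad.txt-style feed and
# emit one ban command per usable IP from a template (dry run only).

# Constructed sample of what <maltrail_server_ip>:8338/bad.txt might return.
# The junk lines show what the validator has to reject.
SAMPLE_FEED='198.51.100.7
203.0.113.9
198.51.100.7
10.0.0.5
999.1.1.1
not-an-ip
203.0.113.9 ; trailing comment
192.0.2.44'

# Assumed allowlist: hosts that must never be banned from a remote feed.
ALLOWLIST='192.0.2.44'

# Assumed template; FLAGGED_IP is replaced by each validated address.
BAN_TEMPLATE='iptables -I INPUT -s FLAGGED_IP -j DROP'

# Return 0 if $1 is a strict dotted quad (four octets, each 0-255), else 1.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# Return 0 if $1 is loopback, RFC1918 or link-local (prefix test, not CIDR math).
is_local_range() {
    case "$1" in
        127.*|10.*|192.168.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Read feed lines on stdin; print each bannable IP once, in first-seen order.
filter_feed() {
    awk '!seen[$0]++' | while IFS= read -r ip; do
        is_ipv4 "$ip" || continue
        is_local_range "$ip" && continue
        case " $ALLOWLIST " in *" $ip "*) continue ;; esac
        printf '%s\n' "$ip"
    done
}

# Print the ban command for every bannable IP; pipe to sh only once trusted.
build_ban_commands() {
    filter_feed | while IFS= read -r ip; do
        printf '%s\n' "$BAN_TEMPLATE" | sed "s/FLAGGED_IP/$ip/"
    done
}

printf '%s\n' "$SAMPLE_FEED" | build_ban_commands
```

Run from cron at whatever interval suits you, replacing the constructed SAMPLE_FEED with the curl output; the dry run prints two commands for the sample, since the duplicate, private, malformed and allowlisted lines are dropped.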

krull commented 8 years ago

Hi all. This looks great. We can then have csf or any other iptables script daemon monitor said file for changes to include in the ruleset

Babzsak commented 8 years ago

https://github.com/trick77/ipset-blacklist how about including this one?

stamparm commented 8 years ago

@Babzsak you mean lists from there? Majority of those are already being used in maltrail

kutus commented 8 years ago

I do it like this:

    # field 10 of the maltrail log line is the trail (the flagged IP)
    for IP in $(grep '[host]' /var/log/maltrail/2016-03-29.log | grep -v heuristic | awk '{print $10}' | awk '!($0 in a) {a[$0]; print}'); do
        if [ "$(grep -ic "$IP" /etc/hosts.deny)" -eq 0 ]; then
            echo "ALL: $IP" >> /etc/hosts.deny
        fi
    done

It is easy to modify for iptables rules.
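The same idea as the one-liner above, but with the threshold stamparm mentioned ("appeared more than N times") and an idempotent hosts.deny append, as an added example rather than kutus's or maltrail's code. The log field layout (proto in field 8, event type in field 9, trail in field 10) is assumed from the positions used in this thread; check it against your own log before relying on it.

```shell
#!/bin/sh
# Added example, not maltrail's code: candidate ban list from a maltrail log
# with a hit threshold, plus a deny-file append that never duplicates entries.

# Constructed sample log; layout assumed: date time sensor src_ip src_port
# dst_ip dst_port proto type trail "info" "reference".
SAMPLE_LOG='2016-03-29 10:00:01.000001 sensor1 203.0.113.9 40001 192.0.2.10 22 TCP IP 203.0.113.9 "known attacker" "(static)"
2016-03-29 10:00:02.000002 sensor1 203.0.113.9 40002 192.0.2.10 23 TCP IP 203.0.113.9 "known attacker" "(static)"
2016-03-29 10:00:03.000003 sensor1 198.51.100.7 40003 192.0.2.10 53 UDP IP 198.51.100.7 "mass scanner" "(static)"
2016-03-29 10:00:04.000004 sensor1 192.0.2.10 40004 198.51.100.8 80 TCP URL example.invalid/x "suspicious" "(heuristic)"
2016-03-29 10:00:05.000005 sensor1 203.0.113.9 40005 192.0.2.10 25 TCP IP 203.0.113.9 "known attacker" "(static)"'

# Read log lines on stdin; print "<count> <ip>" for non-heuristic IP events
# seen at least $1 times, most frequent first.
ban_candidates() {
    awk -v min="$1" '
        /heuristic/ { next }   # skip heuristic-only detections, as the one-liner does
        $9 != "IP"  { next }   # only events whose trail is an IP address
        { count[$10]++ }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }' |
    sort -rn
}

# Append "ALL: <ip>" to the deny file $2 only if that exact line is absent.
# Use a scratch file to try it; /etc/hosts.deny needs root.
deny_once() {
    [ -f "$2" ] || : > "$2"
    grep -qxF "ALL: $1" "$2" || printf 'ALL: %s\n' "$1" >> "$2"
}

# Threshold 2 flags 203.0.113.9 (3 hits) but not 198.51.100.7 (1 hit).
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 2
```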

pierrehegr commented 8 years ago

I did it with fail2ban by creating filter.d/maltrail.conf with this failregex:

failregex = .* UDP IP <HOST>

It does work quite well.

mpochron commented 8 years ago

@pierrehegr what you wrote here is not enough.

I wrote a definition and configuration for fail2ban; it's also working with VestaCP. Take a look at my gist: https://gist.github.com/machei/4d95c3c955fefbe26e6df65f7d3ae353

If you like my gist then give me a star!

MikhailKasimov commented 4 years ago

https://github.com/stamparm/maltrail/commit/6f9279abe7eddee953ba9898bca41ca3a4be8b6c

stamparm commented 3 years ago

Look for FAIL2BAN_REGEX at README.md

podivilov commented 3 years ago

Does maltrail support csf autobans?

stamparm commented 3 years ago

Does maltrail support csf autobans?

@podivilov you have the means to apply recognized malicious IPs to whatever mechanism you require (even csf). Please take a look at https://github.com/stamparm/maltrail/issues/9313#issuecomment-650130432. By a similar principle you can propagate the "blacklist" to whatever "autoban" system you use.

podivilov commented 3 years ago

Sounds good. Thank you!

Mikhail Podivilov