Fail2ban Whitelist IP Range and the server itself?

jmyrtle · November 12, 2020, 7:31pm

I just want to make sure I’m doing this right.

I’m installing fail2ban on a local Ubuntu 20.04 server that hosts some local websites I made.

I installed fail2ban because I want to protect access to my server from devices outside my company’s network. Because of this, I want to whitelist our company’s devices so that if we need to access the server, we can do so without trouble.

I created a jail.local file which looks like this at the moment:

[sshd]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 1
bantime = 3d
ignoreself = true
ignoreip = 127.0.0.1/8 ::1 10.0.0.0/24

So my question is: looking at the ignoreip line and the ignoreself lines, am I correct in saying that the ignoreself in this file whitelists the server itself and the ignoreip in this file will whitelist the devices within the company network (10.0.0.1-254)?

If not, how do I set this up? (For the record, the company IP in this example is not real to prevent brute force and hacking…)

DaveMaxwell · November 12, 2020, 9:47pm

The ignoreip line should be separated by spaces for each range. I don’t think the double colons is valid (or at least I’ve never seen it)

And shouldn’t the file be jail.conf, not jail.local? And shouldn’t these configurations should be in the [DEFAULT] section of the file?

ignoreip = 127.0.0.1/8 10.0.0.0/24

rpkamp · November 13, 2020, 9:44am

Why would a server SSH in to itself?

jmyrtle · November 13, 2020, 12:02pm

::1 represents the IPv6 version of the IP address.

Also, separated by spaces for each range? Does that mean I have to do this:

ignoreip = 127.0.0.1/8 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4...

That seems very tedious and time-consuming.

Fail2ban recommends that you do not modify the jail.conf file, but rather make a new jail.local file. Whatever settings you provide in this file will override the configuration settings in the jail.conf file.

From what I’m reading online, it’s a good idea to whitelist the server IP so that fail2ban doesn’t block its own IP for whatever reason.

DaveMaxwell · November 13, 2020, 1:04pm

No. 0/24 is the range but is in CIDR format. You’ll need a tool to calculate the appropriate range values. It’s not always straight forward.

The ignoreip property still needs to be in the [DEFAULT] section. You can enable it for SSH using enabled=true in the [sshhd] section

jmyrtle · November 13, 2020, 1:14pm

The range I need to allow is 10.0.0.1 - 10.0.0.254.

Upon using this tool, I get these options:

10.0.0.1/32
10.0.0.2/31
10.0.0.4/30
10.0.0.8/29
10.0.0.16/28
10.0.0.32/27
10.0.0.64/26
10.0.0.128/26
10.0.0.192/27
10.0.0.224/28
10.0.0.240/29
10.0.0.248/30
10.0.0.252/31
10.0.0.254/32

Which one do I use? I might stick with the original /24

This is what the manual says about the two files:

"Every .conf file can be overridden with a file named .local . The .conf file is read first, then .local , with later settings overriding earlier ones. Thus, a .local file doesn’t have to include everything in the corresponding .conf file, only those settings that you wish to override.

Modifications should take place in the .local and not in the .conf . This avoids merging problem when upgrading. These files are well documented and detailed information should be available there."

Also, that link shows how to do it in Ubuntu 16.04 not 20.04 which is what I’m using.

system · February 12, 2021, 8:14pm

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.