Would it be possible to extend fail2ban to consume these lists of malicious IP addresses to help protect hestiacp installations? There are other threat feeds out there as well.
The way I have set up the threat feed system:
CEF messages extract the data needed for the lists. Each IP has a rolling 30-day expiry (feeds are self-pruning and dynamic, only banning IPs with sustained or repeated malicious behaviour).
We could create a script to download the lists, parse the IP addresses and ingest them into fail2ban on a cron that pulls and processes them every 6 hours or so.
I am trying to think of ways to up the defence of my webserver etc.
Any other ideas on how to help protect hestiacp installations? What extra things are you doing?
Instead of using Fail2Ban, I think those IP lists are better suited for use with ipsets, allowing you to add firewall rules that drop connections based on those ipsets.
Hestia provides a script that adds malicious IPs from different sources to an ipset so you can use it on your firewall rules. You can take a look at it here: /usr/local/hestia/install/common/firewall/ipset/blacklist.sh
Thanks guys, will have a look at it. It's an active list, so I will probably have to run it on a cron so it updates 2 to 5 times a day, as the lists update every 30 mins with new threats.
Those lists auto-update once daily, so it will not help to run a cron for that. However, if you want to have host blockers, I can give some ready recommendations which I use effectively.
Is it possible to unblock IPs from the firewall after, say, 30 days, as the IP addresses that attackers use generally change regularly?
My idea was to use fail2ban and have that auto-unban after 30 days.
The way those lists work is that they are updated every 30 mins with CEF log messages that are pulled from the syslogs of the IDS/IPS system when an attack, recon etc. is identified.
To keep the dataset up to date, each IP address has a rolling 30-day validity; if an offence for an IP address is committed within that time, then the 30-day timer is reset and the 30 days commence again.