Merge pull request #38 from Honeybrain/feature/countryBlocking

✨ Update fail2ban for geoIP support

config/fail2ban/action.d/geohostsdeny.conf

@@ -0,0 +1,59 @@
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = 
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = 
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights. 
+#          Excludes PH|Philippines from banning.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = IP=<ip> &&
+            geoiplookup $IP | egrep "<country_list>" || 
+            (printf %%b "<daemon_list>: $IP\n" >> <file>)
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>
+
+[Init]
+
+# Option:  country_list
+# Notes.:  List of banned countries separated by pipe "|"
+# Values:  STR  Default:  
+#
+country_list = PH
+
+# Option:  file
+# Notes.:  hosts.deny file path.
+# Values:  STR  Default:  /etc/hosts.deny
+#
+file = /etc/hosts.deny
+
+# Option:  daemon_list
+# Notes:   The list of services that this action will deny. See the man page
+#          for hosts.deny/hosts_access. Default is all services.
+# Values:  STR  Default: ALL
+daemon_list = ALL
+

config/fail2ban/jail.d/jail.local

@@ -19,6 +19,9 @@ findtime = 600
 # How many attempts can be made before a ban is imposed
 maxretry = 3
 
+# Define the banaction globally if you want all jails to use the geohostsdeny action
+banaction = geohostsdeny
+
 [iptables-honeypot]
 enabled = true
 port = all

docker/compose/docker-compose.yml

@@ -89,6 +89,7 @@ services:
       - "../../logs/suricata/fast.log:/app/honeypot/fast.log"
       - "../../config/suricata/suricata.rules:/app/honeypot/suricata.rules"
       - "../../config/fail2ban/filter.d/nginx-honeypot.conf:/app/honeypot/nginx-honeypot.conf"
+      - "../../config/fail2ban/action.d/geohostsdeny.conf:/app/honeypot/geohostsdeny.conf"
       - "../../config/nginx/block.conf:/app/honeypot/block.conf"
       - "/var/run/docker.sock:/var/run/docker.sock"
     healthcheck:

docker/dockerfile/fail2ban/Dockerfile

@@ -2,4 +2,5 @@ FROM crazymax/fail2ban:latest
 
 USER root
 
-RUN apk add --no-cache docker-cli
+RUN apk add --no-cache docker-cli
+RUN apk add --no-cache geoip

protos/blacklist.proto

@@ -4,6 +4,7 @@ package blacklist;
 
 service Blacklist {
   rpc PutBlackList (PutBlackListRequest) returns (PutBlackListReply) {}
+  rpc BlockCountry (BlockCountryRequest) returns (BlockCountryReply) {}
   rpc GetBlackList (GetBlackListRequest) returns (stream GetBlackListReply) {}
   rpc PutWhiteList (PutWhiteListRequest) returns (PutWhiteListReply) {}
 }
@@ -15,6 +16,13 @@ message PutBlackListRequest {
 message PutBlackListReply {
 }
 
+message BlockCountryRequest {
+  string countryCode = 1;
+}
+
+message BlockCountryReply {
+}
+
 message GetBlackListRequest {}
 
 message GetBlackListReply {

scripts/check_setup.sh

@@ -72,4 +72,4 @@ if ! python3 -c "import jinja2" &> /dev/null; then
     echo "❌ Error: jinja2 is not installed for python3. Please install 'jinja2' pip3 package."
     exit 1
 fi
-echo "✅ jinja2 is installed."
+echo "✅ jinja2 is installed."