3

I would like to add ".googlebot.com" to the ignore iplist for fail2ban since the ignoreip explanation mentions DNS host as an accepted input. Is this a proper format?

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
giorgio79
  • I asked the trick on the fail2ban google page. Do a "+1" if you'd like this improvement too : https://plus.google.com/115599110697208412401/posts/ePh669f2xmr – fred727 Sep 11 '16 at 16:32

3 Answers

2

From looking at the Python script that uses the "ignoreip" value, trying to do a wildcard match on a name like that will not work; it needs to be an IP/network or be a name that resolves to an IP.

If the 'googlebot.com' string is in the log, perhaps using "ignoreregex" instead will do the job? Command and usage are listed here: http://www.fail2ban.org/wiki/index.php/Commands#JAIL_CONFIGURATION

shthead
1

My log file has only IP numbers (no domain names), so ignoreregex didn't work for me.

I'll post here what I did, in case it is useful for someone trying to do something similar. This was done on Ubuntu 18.04, with Fail2Ban v0.10.2.

  1. Create a script that takes an IP number, does a reverse DNS lookup, and checks if the hostname is in the allowed domain name. Put that script in /etc/fail2ban/filter.d/ignorecommands. I named that script ignorehost.
#!/usr/bin/env fail2ban-python
# Inspired by apache-fakegooglebot script
#
# Written in Python to reuse built-in Python batteries and not depend on
# presence of host and cut commands
#
import sys
import re
from fail2ban.server.ipdns import DNSUtils, IPAddr

ALLOWED_HOSTS = [
        ".phlapa.fios.verizon.net",
        ".nwrknj.fios.verizon.net",
        ".hsd1.de.comcast.net",
        ".hsd1.pa.comcast.net"]

def process_args(argv):
    if len(argv) != 2:
       raise ValueError("Please provide a single IP as an argument. Got: %s\n"
                        % (argv[1:]))
    ip = argv[1]

    if not IPAddr(ip).isValid:
       raise ValueError("Argument must be a single valid IP. Got: %s\n"
                        % ip)
    print("Ip received!")

    return ip

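def is_allowed_host(ip):
    # Reverse (PTR) lookup of the offending IP
    host = DNSUtils.ipToName(ip)
    if not host:
        return False
    # Expect names like "<prefix>-<digits>.<domain>"; keep the ".<domain>" part
    m = re.match(r'.\S+(-\d+)(?P<domain>\.\S+)', host)
    if not m:
        # Hostname does not follow the expected pattern
        return False
    return m.group('domain') in ALLOWED_HOSTS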

if __name__ == '__main__': # pragma: no cover
    try:
      ret = is_allowed_host(process_args(sys.argv))
    except ValueError as e:
      sys.stderr.write(str(e))
      sys.exit(2)
    sys.exit(0 if ret else 1)
  2. Add this line to the desired jail(s), in /etc/fail2ban/jail.local:

ignorecommand = %(ignorecommands_dir)s/ignorehost <ip>

In my case, I put that line in the ssh and sshd jails:

[sshd]

ignorecommand = %(ignorecommands_dir)s/ignorehost <ip>

[ssh]

ignorecommand = %(ignorecommands_dir)s/ignorehost <ip>
  3. Reload fail2ban

systemctl reload fail2ban.service

  • This is a good solution, except it can be spoofed without verifying host to IP having that same IP among A/AAAA records. – Ajay Singh Jul 30 '21 at 04:01
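
The forward-confirmation step raised in the comment above, as an added example (not part of the original answer and not fail2ban's own code): the PTR name is accepted only if its A/AAAA records contain the original IP. The suffix list and the injectable `reverse`/`forward` parameters are assumptions made for illustration; it uses the same exit codes as the ignorehost script (0 = ignore).

```python
#!/usr/bin/env python3
# Added example: forward-confirmed reverse DNS (FCrDNS) for an ignorecommand.
import ipaddress
import socket
import sys

# Assumption: suffix taken from the question; list the domains you trust.
ALLOWED_SUFFIXES = (".googlebot.com",)

def reverse_lookup(ip):
    """Return the PTR name for ip, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(host):
    """Return the set of A/AAAA address strings for host (empty on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except (OSError, UnicodeError):
        return set()

def is_allowed_host(ip, reverse=reverse_lookup, forward=forward_lookup):
    """True only if PTR(ip) has an allowed suffix AND resolves back to ip."""
    addr = ipaddress.ip_address(ip)  # ValueError on malformed input
    host = reverse(ip)
    if not host:
        return False
    host = host.rstrip(".").lower()
    if not host.endswith(ALLOWED_SUFFIXES):
        return False
    # The PTR record is set by whoever controls the IP block, so it proves
    # nothing alone. The forward zone is set by the domain owner: require
    # that the name's A/AAAA records contain the original address.
    for candidate in forward(host):
        try:
            if ipaddress.ip_address(candidate.split("%")[0]) == addr:
                return True
        except ValueError:
            continue
    return False

if __name__ == "__main__":
    try:
        sys.exit(0 if is_allowed_host(sys.argv[1]) else 1)
    except (IndexError, ValueError) as exc:
        sys.stderr.write("usage: ignorehost <ip> (%s)\n" % exc)
        sys.exit(2)
```
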
0

A better solution is to add an ignoreregex line in your filter config file:

ignoreregex = ^<HOST> -.*"GET.*HTTP.*Googlebot/2\.1.*"$

It will ignore Googlebot. Be sure to check access.log instead of error.log if you're using Apache.

Feriman