Installing Fail2Ban on EdgeRouter to control iptables


The EdgeRouter doesn’t ship with a built-in mechanism for dynamically blacklisting IP addresses, but it does allow the installation of Debian packages.

By installing and configuring the fail2ban package on the EdgeRouter, the iptables firewall is automatically adjusted to ban IP addresses whose log entries match a filter (here, repeated OpenVPN TLS failures in /var/log/messages).

IP addresses can also be manually added to ban lists.

Step 1: Install Fail2Ban
Configure the Debian repositories on the EdgeRouter from the EdgeOS configuration CLI (the jessie release is no longer on the main mirrors, so the URL points at archive.debian.org):

configure
set system package repository jessie components 'main contrib non-free'
set system package repository jessie distribution jessie
set system package repository jessie url 'http://archive.debian.org/debian'
commit
save
exit
Update the package information and install Fail2Ban:

sudo apt-get update
sudo apt-get install fail2ban
Note: Do not ever run “apt-get upgrade” (or “apt-get dist-upgrade”) on an EdgeRouter. Refreshing the package index with “apt-get update” is fine, but a blanket upgrade can replace EdgeOS system packages and break the router.

Step 2: Configure Fail2Ban
Add the following files using sudo vi:

/etc/fail2ban/filter.d/openvpn.local
# Fail2Ban filter for selected OpenVPN rejections
#
#
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

# Continuation lines of a multi-line failregex must be indented, otherwise the
# INI parser treats them as new keys and the filter fails to load.
failregex = ^%(__prefix_line)sTLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^%(__prefix_line)s<HOST>:\d+ Connection reset, restarting
            ^%(__prefix_line)s<HOST>:\d+ TLS Auth Error
            ^%(__prefix_line)s<HOST>:\d+ TLS Error: TLS handshake failed$
            ^%(__prefix_line)s<HOST>:\d+ VERIFY ERROR

ignoreregex =
/etc/fail2ban/jail.local
# Fail2Ban configuration fragment for OpenVPN

[openvpn]
enabled = true
port = 1194
protocol = udp
filter = openvpn
logpath = /var/log/messages
maxretry = 3
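Before restarting the service it is worth checking that the five failregex lines actually extract a host from the log format on your router and that maxretry behaves as expected. The following Python script is an added example, not part of this article or of Fail2Ban: it reproduces the filter's matching logic over a handful of constructed syslog lines (hostname, PID, ports and the 10.0.0.5 / 203.0.113.9 addresses are made up). The real Fail2Ban strips the date and uses common.conf's __prefix_line; the PREFIX_LINE pattern here is a simplified stand-in for that, and the <HOST> expansion is the one Fail2Ban uses. findtime is ignored, so every hit counts toward maxretry.

```python
import re
from collections import Counter

# The five failregex lines from /etc/fail2ban/filter.d/openvpn.local, verbatim.
FAILREGEX = [
    r"^%(__prefix_line)sTLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$",
    r"^%(__prefix_line)s<HOST>:\d+ Connection reset, restarting",
    r"^%(__prefix_line)s<HOST>:\d+ TLS Auth Error",
    r"^%(__prefix_line)s<HOST>:\d+ TLS Error: TLS handshake failed$",
    r"^%(__prefix_line)s<HOST>:\d+ VERIFY ERROR",
]

# Simplified stand-in for common.conf's __prefix_line: syslog timestamp, host,
# program name and PID as written to /var/log/messages. (Assumption: Fail2Ban's
# own prefix is more general; this one only covers the openvpn syslog layout.)
PREFIX_LINE = r"\w{3} +\d+ \d\d:\d\d:\d\d \S+ openvpn\[\d+\]: "

# What Fail2Ban substitutes for the <HOST> tag (IPv4, IPv6 or hostname).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample of /var/log/messages: one attacker with three TLS
# failures, one with a single failure, one client with two auth errors and a
# successful connection that must not match anything.
SAMPLE_LOG = """\
Sep 23 11:55:36 ubnt openvpn[1234]: TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
Sep 23 11:55:40 ubnt openvpn[1234]: 59.90.146.160:51223 TLS Error: TLS handshake failed
Sep 23 11:55:41 ubnt openvpn[1234]: 59.90.146.160:51223 Connection reset, restarting [0]
Sep 23 11:56:02 ubnt openvpn[1234]: 117.207.115.143:58922 TLS Error: TLS handshake failed
Sep 23 11:56:10 ubnt openvpn[1234]: 10.0.0.5:4444 VERIFY ERROR: depth=0, error=certificate has expired
Sep 23 11:56:12 ubnt openvpn[1234]: 10.0.0.5:4444 TLS Auth Error: Auth Username/Password verification failed for peer
Sep 23 11:56:20 ubnt openvpn[1234]: Peer Connection Initiated with [AF_INET]203.0.113.9:1194
"""


def compile_filter(patterns=FAILREGEX):
    """Expand the Fail2Ban tags and compile each failregex line."""
    return [
        re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST))
        for p in patterns
    ]


def match_failures(log_text, compiled=None):
    """Return (host, line) for every log line that some failregex matches.

    Like Fail2Ban, a line counts at most once even if several patterns match.
    """
    compiled = compiled or compile_filter()
    hits = []
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.match(line)
            if m:
                hits.append((m.group("host"), line))
                break
    return hits


def hosts_to_ban(log_text, maxretry=3):
    """Hosts that reached maxretry matches, i.e. what the jail would ban."""
    counts = Counter(host for host, _ in match_failures(log_text))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host, line in match_failures(SAMPLE_LOG):
        print(f"match {host:<16} <- {line}")
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

On the router itself the equivalent check is `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/openvpn.local`, which reports how many lines matched and which hosts were extracted using Fail2Ban's real prefix handling rather than the simplified one above.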
Step 3: Restart Fail2Ban and Observe Log
sudo service fail2ban restart
sudo cat /var/log/fail2ban.log
You should see that the openvpn jail was started. Since I’m under attack currently, I also see messages such as:

2018-09-09 23:18:13,481 fail2ban.actions[27638]: WARNING [openvpn] Ban 186.202.10.75
2018-09-09 23:18:15,749 fail2ban.actions[26453]: INFO [openvpn] 186.202.10.75 already banned
Update
I’ve posted a follow-up article on how to make this persist through firmware upgrades.

Resources Used
I was able to pull this together with just some slight modification and compilation of materials that are already available:

https://help.ubnt.com/hc/en-us/articles/205202560-EdgeRouter-Add-Debian-Packages-to-EdgeOS
https://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_with_OpenVPN
https://docs.python.org/2/library/re.html