HoHo ... No
Eve Snowshoes is standing next to a Terminal.
Challenge
Jack is trying to break into Santa's workshop!

Santa's elves are working 24/7 to manually look through logs, identify the
malicious IP addresses, and block them. We need your help to automate this so
the elves can get back to making presents!

Can you configure Fail2Ban to detect and block the bad IPs?
 * You must monitor for new log entries in /var/log/hohono.log
 * If an IP generates 10 or more failure messages within an hour then it must
   be added to the naughty list by running naughtylist add <ip>
        /root/naughtylist add 12.34.56.78
 * You can also remove an IP with naughtylist del <ip>
        /root/naughtylist del 12.34.56.78
 * You can check which IPs are currently on the naughty list by running
        /root/naughtylist list

You'll be rewarded if you correctly identify all the malicious IPs with a
Fail2Ban filter in /etc/fail2ban/filter.d, an action to ban and unban in
/etc/fail2ban/action.d, and a custom jail in /etc/fail2ban/jail.d. Don't
add any nice IPs to the naughty list!

*** IMPORTANT NOTE! ***
Fail2Ban won't rescan any logs it has already seen. That means it won't
automatically process the log file each time you make changes to the Fail2Ban
config. When needed, run /root/naughtylist refresh to re-sample the log file
and tell Fail2Ban to reprocess it.
Solution

The Fail2Ban filter can be implemented like this. There are four kinds of failure messages in the log file, so the filter needs one failregex per message type, each with the <HOST> placeholder marking where the source IP appears (Fail2Ban expands it into a capture group for the address):

root@01550c223905:/etc/fail2ban# cat filter.d/naughtylist.conf 
[Definition]
failregex = ^.* Failed login from <HOST> for .*$
            ^.* Invalid heartbeat .* from <HOST>.*$
            ^.* Login from <HOST> rejected due to unknown user name.*$
            ^.* <HOST> sent a malformed request.*$

Let's test whether these match with fail2ban-regex before wiring them into a jail (the hit counts per expression also show that none of the four patterns is dead):

root@01550c223905:/etc/fail2ban# fail2ban-regex /var/log/hohono.log /etc/fail2ban/filter.d/naughtylist.conf 

Running tests
=============
Use   failregex filter file : naughtylist, basedir: /etc/fail2ban
Use         log file : /var/log/hohono.log
Use         encoding : UTF-8


Results
=======
Failregex: 3711 total
|-  #) [# of hits] regular expression
|   1) [969] ^.* Failed login from <HOST> for .*$
|   2) [856] ^.* Invalid heartbeat .* from <HOST>.*$
|   3) [928] ^.* Login from <HOST> rejected due to unknown user name.*$
|   4) [958] ^.* <HOST> sent a malformed request.*$
`-

We also need some actions to ban/unban IPs:

root@6f94ebf60fe4:/etc/fail2ban# cat action.d/naughtylist.conf 
[Definition]
actionban = /root/naughtylist add <ip>
actionunban = /root/naughtylist del <ip>

And of course a proper jail, tying the filter and action to the log file and encoding the challenge thresholds (10 or more failures within an hour; bantime -1 means the IP stays on the naughty list permanently):

root@6f94ebf60fe4:/etc/fail2ban# cat jail.d/naughtylist.conf 
[naughtylist]
enabled  = true
filter = naughtylist
logpath = /var/log/hohono.log

banaction = naughtylist

maxretry = 10
findtime = 3600
bantime = -1
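To make the filter and jail semantics concrete, here is an added example (written for this page, not part of the original writeup or of Fail2Ban itself) that emulates what the jail above does: it applies the four failregex lines to a constructed sample log, counts failures per source IP inside a sliding findtime window of 3600 seconds, and reports which hosts reach maxretry = 10. The log line layout (ISO timestamp followed by the message) and the IPv4-only expansion of <HOST> are assumptions; the real hohono.log format and Fail2Ban's actual <HOST> regex are not shown on the page. The sample shows a fast attacker that gets banned, a slow host whose failures never reach 10 within any hour, and benign lines that must not match.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: Fail2Ban replaces <HOST> with a regex capturing the address into a
# named group "host". This IPv4-only stand-in is a simplification for the example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The four failregex lines from filter.d/naughtylist.conf, with <HOST> expanded.
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"^.* Failed login from <HOST> for .*$",
    r"^.* Invalid heartbeat .* from <HOST>.*$",
    r"^.* Login from <HOST> rejected due to unknown user name.*$",
    r"^.* <HOST> sent a malformed request.*$",
)]

# Jail parameters from jail.d/naughtylist.conf.
MAXRETRY = 10
FINDTIME = timedelta(seconds=3600)

# Assumed log line layout: "YYYY-MM-DD HH:MM:SS <message>" (constructed, not the real log).
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")


def match_host(line):
    """Return the source IP if any failregex matches the line, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            return m.group("host")
    return None


def scan(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Emulate the jail: keep, per host, the timestamps of failures no older than
    findtime relative to the newest one, and ban once maxretry are in the window.
    Returns the banned hosts in the order they would be banned."""
    window = defaultdict(deque)
    banned = []
    for line in lines:
        host = match_host(line)
        if host is None:
            continue  # benign line: never counts against anyone
        ts_m = TS_RE.match(line)
        if ts_m is None:
            continue
        ts = datetime.strptime(ts_m.group(1), "%Y-%m-%d %H:%M:%S")
        q = window[host]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()  # expire failures outside the findtime window
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def sample_log():
    """Constructed sample log lines (hypothetical, not from /var/log/hohono.log)."""
    base = datetime(2021, 12, 24, 9, 0, 0)
    fmt = lambda t: t.strftime("%Y-%m-%d %H:%M:%S")
    lines = []
    # 203.0.113.7: ten mixed failure types within five minutes -> should be banned.
    msgs = [
        "Failed login from 203.0.113.7 for santa",
        "Invalid heartbeat 'abc' from 203.0.113.7",
        "Login from 203.0.113.7 rejected due to unknown user name jack",
        "203.0.113.7 sent a malformed request",
    ]
    for i in range(10):
        lines.append(f"{fmt(base + timedelta(seconds=30 * i))} {msgs[i % 4]}")
    # 198.51.100.9: twelve failures, but only one every 20 minutes -> never 10 in an hour.
    for i in range(12):
        lines.append(f"{fmt(base + timedelta(minutes=20 * i))} Failed login from 198.51.100.9 for elf")
    # 192.0.2.5: benign traffic that must not match any failregex.
    lines.append(f"{fmt(base)} Login from 192.0.2.5 successful for bushy")
    lines.append(f"{fmt(base)} Valid heartbeat 'xyz' from 192.0.2.5")
    lines.sort()  # fixed-width timestamp prefix, so lexical order is chronological
    return lines


if __name__ == "__main__":
    print("would ban:", scan(sample_log()))  # ['203.0.113.7']
```

Running scan with a larger findtime (for example four hours) also bans the slow host, which is exactly the trade-off the challenge's "10 within an hour" rule fixes; lowering maxretry has the same effect. The benign lines never produce a match, which is the property the "Don't add any nice IPs" requirement demands of the filter.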

Let's reload Fail2Ban with the new config and refresh the log file to see whether the entries trigger the jail:

root@618198b70f67:/etc/fail2ban/jail.d# Log file refreshed! It may take fail2ban a few moments to re-process.
192.149.76.183 has been added to the naughty list!
..
201.10.224.72 has been added to the naughty list!
You correctly identified 19 IPs out of 19 bad IPs
You incorrectly added 0 benign IPs to the naughty list

*******************************************************************
* You stopped the attacking systems! You saved our systems!
*
* Thank you for all of your help. You are a talented defender!
*******************************************************************