3.9 KiB
Fail2Ban + Krawl Integration
Overview
This guide explains how to integrate fail2ban with Krawl to automatically block detected malicious IPs at the firewall level using iptables. Fail2ban monitors Krawl's malicious IP export and applies real-time IP bans.
Architecture
Krawl detects malicious IPs
↓
Writes to malicious_ips.txt
↓
Fail2ban monitors the file
↓
Filter matches IPs using regex
↓
Iptables firewall blocks the IP
↓
Auto-unban after bantime expires
Prerequisites
- Linux system with iptables
- Fail2ban installed:
sudo apt-get install fail2ban - Krawl running and generating malicious IPs
- Root/sudo access
Installation & Setup
1. Create the Filter Configuration krawl-filter.conf
Create /etc/fail2ban/filter.d/krawl-filter.conf:
[Definition]
failregex = ^<HOST>$
Explanation: The filter matches any line that contains only an IP address (<HOST> is fail2ban's placeholder for IP addresses). In this case, we use one IP per row as a result of the Krawl detection engine for attackers.
2. Create the Jail Configuration krawl-jail.conf
2.1 Krawl is on the same host
Create /etc/fail2ban/jail.d/krawl-jail.conf and replace the logpath with the path to the krawl malicious_ips.txt:
[krawl]
enabled = true
filter = krawl
logpath = /path/to/malicious_ips.txt
backend = auto
maxretry = 1
findtime = 1
bantime = 2592000
action = iptables-allports[name=krawl-ban, port=all, protocol=all]
2.2 Krawl is on a different host
If Krawl is deployed on another instance, you can use the Krawl API to get malicious IPs via a curl command scheduled with cron.
curl http://your-krawl-instance/dashboard-path/api/get_banlist?fwtype=raw -o malicious_ips.txt
Cron Setup
Edit your crontab to refresh the malicious IPs list:
sudo crontab -e
Add this single cron job to fetch malicious IPs every hour:
0 * * * * curl http://your-krawl-instance/dashboard-path/api/get_banlist?fwtype=raw -o /tmp/malicious_ips.txt
Replace the krawl-jail.conf logpath with /tmp/malicious_ips.txt.
3. Reload Fail2Ban
sudo systemctl restart fail2ban
Verify the jail is active:
sudo fail2ban-client status krawl
How It Works
When an IP is Added to malicious_ips.txt
- Fail2ban detects the new line in the log file (via inotify)
- Filter regex matches the IP address pattern
- maxretry check: Since maxretry=1, ban immediately
- Action triggered:
iptables-allportsadds a firewall block rule - IP is blocked on all ports and protocols
When the 30-Day Rotation Occurs
Your malicious IPs file is rotated every 30 days. With bantime = 2592000 (30 days):
If you used bantime = -1 (permanent), old IPs would remain banned forever even after removal from the file. This option is not recommended because external IPs can rotate and are unlikely to be static.
Monitoring
Check Currently Banned IPs
sudo fail2ban-client status krawl
View Fail2Ban Logs
sudo tail -f /var/log/fail2ban.log | grep krawl
Management Commands
Manually Ban an IP
sudo fail2ban-client set krawl banip 192.168.1.100
Manually Unban an IP
sudo fail2ban-client set krawl unbanip 192.168.1.100
Clear All Bans in Krawl Jail
sudo fail2ban-client set krawl unbanall
Restart the Krawl Jail Only
sudo fail2ban-client restart krawl