ciscoios-acl – A Fail2ban Module for Managing Cisco IOS ACLs

I’ve been using fail2ban to protect a number of services from external attacks. The software works well, but what I wanted to do is to have fail2ban update an access control list (ACL) on a Cisco IOS router rather than the iptables rules on the host itself, so a banned address is dropped at the network edge instead of at the server. Here’s the code and some tips on setting it up.

The Code

Adding a new way of blocking attacks to fail2ban takes just two files: an action definition that fail2ban reads, and the script that action calls. Here are the files:

/etc/fail2ban/action.d/ciscoios-acl.py

The Python code that performs the router changes uses Netmiko – an excellent Python library for managing network devices over SSH.

Note that the address of the router is in here, and so are the username, password, and enable password. You will need to set these to whatever your router is configured with. Because this code contains the username and password, make sure that it is readable only by the root user (fail2ban runs the action as root, so owning the file by root with mode 0700 is enough). If you would rather not keep credentials in the script at all, read them from a separate root-only file.
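As a worked example of what such a script looks like (this is an illustration written for this article, not the author’s code): it assumes a router reachable at a hypothetical management address, an extended ACL called FAIL2BAN that already exists on the router, and credentials in a root-only file /etc/fail2ban/ciscoios-acl.secret rather than in the script itself. Netmiko is imported only inside run(), so the parsing and planning helpers can be exercised without a router.

```python
#!/usr/bin/env python3
"""fail2ban helper that adds/removes a host entry in a Cisco IOS named ACL.

Example written for this article, not the author's script. Assumptions:
  * ROUTER_HOST is the router's management address (hypothetical value below)
  * an extended ACL named ACL_NAME already exists on the router
  * SECRETS_FILE is an INI file, owned by root with mode 0600, containing
        [router]
        username = fail2ban
        password = <login password>
        secret   = <enable password>
Usage:  ciscoios-acl.py ban|unban <ip>
"""
import configparser
import ipaddress
import os
import re
import sys

ROUTER_HOST = "192.0.2.1"                    # assumed management address
ACL_NAME = "FAIL2BAN"                        # assumed ACL name, pre-created on the router
SECRETS_FILE = "/etc/fail2ban/ciscoios-acl.secret"

# Last line of defence: never let a mis-tuned jail lock out loopback, RFC 1918,
# link-local or multicast space, whatever ignoreip in jail.local says.
NEVER_BAN = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "224.0.0.0/4")]

# Constructed sample of 'show ip access-lists FAIL2BAN' output, used for testing.
SAMPLE_SHOW = """\
Extended IP access list FAIL2BAN
    10 permit ip host 203.0.113.10 any (12 matches)
    20 permit ip host 198.51.100.7 any
"""


def validate_ip(ip):
    """Return the canonical IPv4 string for ip, or raise ValueError.

    fail2ban hands <ip> over as text; 'ip access-list' only takes IPv4, and
    anything inside NEVER_BAN is refused outright.
    """
    addr = ipaddress.ip_address(ip)          # ValueError on anything malformed
    if addr.version != 4:
        raise ValueError(f"{ip}: only IPv4 can go into an 'ip access-list'")
    if any(addr in net for net in NEVER_BAN):
        raise ValueError(f"{ip}: refusing to ban a local or reserved address")
    return str(addr)


def banned_hosts(show_output):
    """Parse 'show ip access-lists <ACL>' output into the set of banned hosts."""
    return set(re.findall(r"permit ip host (\d+\.\d+\.\d+\.\d+) any", show_output))


def plan(action, ip, currently_banned):
    """Return the IOS config lines to send; [] means the ACL is already right.

    Entries are 'permit' lines because the zone-based-firewall class-map that
    references this ACL applies the drop. An interface ACL would need 'deny'
    with an explicit sequence number instead.
    """
    if action not in ("ban", "unban"):
        raise ValueError(f"unknown action {action!r}")
    ip = validate_ip(ip)
    entry = f"permit ip host {ip} any"
    want_present = action == "ban"
    if want_present == (ip in currently_banned):
        return []                            # already in the desired state
    return [f"ip access-list extended {ACL_NAME}", entry if want_present else f"no {entry}"]


def load_credentials(path=SECRETS_FILE):
    """Read router credentials, refusing a file that is group- or world-readable."""
    if os.stat(path).st_mode & 0o077:
        raise PermissionError(f"{path} must be readable by root only (chmod 600)")
    cfg = configparser.ConfigParser()
    cfg.read(path)
    return dict(cfg["router"])


def run(action, ip):
    """Connect with Netmiko, read the live ACL, and apply the planned change."""
    from netmiko import ConnectHandler       # imported lazily; see module docstring
    creds = load_credentials()
    conn = ConnectHandler(device_type="cisco_ios", host=ROUTER_HOST,
                          username=creds["username"], password=creds["password"],
                          secret=creds["secret"])
    try:
        conn.enable()
        current = banned_hosts(conn.send_command(f"show ip access-lists {ACL_NAME}"))
        commands = plan(action, ip, current)
        if commands:
            conn.send_config_set(commands)   # enters and leaves config mode itself
        return commands
    finally:
        conn.disconnect()


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} ban|unban <ip>")
    print(run(sys.argv[1], sys.argv[2]) or "no change needed")
```

Reading the ACL back before changing it makes the script idempotent: fail2ban can re-issue a ban after a restart without producing duplicate lines, and an unban of an address that was removed by hand is a no-op rather than an error. The change is not written to startup-config, so bans do not survive a router reload; fail2ban re-bans from its own database on start-up, which is usually what you want.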

/etc/fail2ban/action.d/ciscoios-acl.conf

You can see here that I’m calling the Python code to perform the banning and unbanning. I’m also calling logger to create an entry in the system’s syslog, so the ban shows up next to the router’s own logs and not only in fail2ban.log.
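An example of what the action definition can look like (written for this article, not the author’s file; it assumes the script above lives at /etc/fail2ban/action.d/ciscoios-acl.py and takes “ban <ip>” or “unban <ip>”):

```ini
# Example fail2ban action definition written for this article.
# Assumes /etc/fail2ban/action.d/ciscoios-acl.py accepts "ban <ip>" / "unban <ip>".
[Definition]

# Nothing to create or tear down: the ACL is pre-built on the router.
actionstart =
actionstop =
actioncheck =

# <ip> and <name> are substituted by fail2ban. The "&&" keeps the syslog line
# out if the router change failed, so the log never claims a ban that did not
# happen; a non-zero exit also makes fail2ban log the failure itself.
actionban = /etc/fail2ban/action.d/ciscoios-acl.py ban <ip> &&
            logger -t fail2ban -p auth.notice "ciscoios-acl: banned <ip> (jail <name>)"

actionunban = /etc/fail2ban/action.d/ciscoios-acl.py unban <ip> &&
              logger -t fail2ban -p auth.notice "ciscoios-acl: unbanned <ip> (jail <name>)"

[Init]
name = default
```

Indented lines are continuation lines in fail2ban’s configuration format, and the whole value is run through the shell, so a trailing `&&` carries the command onto the next line.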

Configuring and Testing

You need to first log into the router and pre-create the access control list (ACL), and bind it to an interface. I’m using an ACL in coordination with the zone-based policy rules, so my router configuration looks a bit like this:

Note that I’m blocking all access into the router for banned IP addresses – not just access to the service that triggered a ban. I’m figuring that if anyone attacks a single service then they should probably get blocked from accessing anything. Of course, you can customise this to meet your specific needs.

Instead of using the zone-based firewall, you could just as easily bind the access list to the external interface – but note that the Python code is going to add entries as permit <Banned IP address>, so you will need to reverse the logic to deny in the code if you’re doing interface ACLs. There is a second catch with interface ACLs: entries added to a named ACL without a sequence number are appended to the end, after your closing permit ip any any, where they never match. Give the deny lines an explicit sequence number below the final permit. The zone-based approach avoids this because the ACL holds only permit lines and the drop is applied by the policy.
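An illustrative router configuration for both approaches (written for this article, not the author’s config; the zone names OUTSIDE and INSIDE, the class and policy names, the interface and the example banned address 203.0.113.10 are all assumptions):

```text
! Example IOS configuration written for this article; names are assumptions.
!
! The ACL starts with no entries, so the class-map matches nothing until
! fail2ban adds a "permit ip host <banned> any" line.
ip access-list extended FAIL2BAN
 remark entries added and removed by fail2ban, do not edit by hand
!
ip access-list extended MAIL-SERVICES
 permit tcp any any eq 25
 permit tcp any any eq 587
 permit tcp any any eq 993
!
class-map type inspect match-any CM-BANNED
 match access-group name FAIL2BAN
class-map type inspect match-all CM-MAIL-SERVICES
 match access-group name MAIL-SERVICES
!
! Banned sources are dropped and logged before any other class is evaluated.
policy-map type inspect PM-OUTSIDE-TO-INSIDE
 class type inspect CM-BANNED
  drop log
 class type inspect CM-MAIL-SERVICES
  inspect
 class class-default
  drop
!
zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-TO-INSIDE
! To keep banned hosts away from the router itself as well, add the same
! CM-BANNED drop class to the policy on the OUTSIDE -> self zone-pair.
!
! Interface-ACL alternative: the logic inverts to "deny", and each deny needs a
! sequence number below the final permit, because entries added without one are
! appended after "permit ip any any" and never match.
ip access-list extended OUTSIDE-IN
 100 deny ip host 203.0.113.10 any
 10000 permit ip any any
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
```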

Once set up, you can test the code by running:
/etc/fail2ban/action.d/ciscoios-acl.py ban <test IP address>
and then checking on the router with show ip access-lists <ACL name> that the banned IP address has been added. Also test that the unbanning action works too, and that the entry disappears. Use an address you can afford to block, and not the one you are administering from.

Once tested, you can add the action into your fail2ban local rules in /etc/fail2ban/jail.local – an example for a simple server running mostly email services is below:

/etc/fail2ban/jail.local

Note that I’m excluding loopback and RFC 1918 addresses with ignoreip, just to be safe from misuse and to protect my own access: a badly matching filter should never be able to lock my own networks, or the management path to the router, out.
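An example jail.local in that spirit (written for this article, not the author’s file): the sshd, postfix and dovecot jails are stock fail2ban jail names, the log paths are Debian-style defaults and are assumptions, and banaction is set once in DEFAULT so every jail ends up in the same router ACL.

```ini
# Example /etc/fail2ban/jail.local written for this article; log paths are assumed.
[DEFAULT]
# Never ban loopback or RFC 1918 space: a bad filter must not lock out the
# admin's own networks or the management path to the router.
ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

# One ACL entry per banned host, whichever jail fired.
banaction = ciscoios-acl
bantime   = 86400
findtime  = 600
maxretry  = 5

[sshd]
enabled = true
logpath = /var/log/auth.log

[postfix]
enabled = true
logpath = /var/log/mail.log

[dovecot]
enabled = true
logpath = /var/log/mail.log
```

Setting banaction in DEFAULT means the stock action_ template calls ciscoios-acl with name, port and protocol parameters; the action above ignores the ones it does not use, which is harmless.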

Permanent link to this article: https://crypt.gen.nz/2017/09/20/ciscoios-acl-a-fail2ban-module-for-managing-cisco-ios-acls/

1 comment

    • Mark on March 14, 2019 at 8:39 pm

    Hello Kerry,

    Are you sending syslog to the server where fail2ban is hosted? I don’t see the log file you are matching in jail.local

    like:

    [asterisk-iptables]
    enabled = true
    filter = asterisk
    action = iptables-allports[name=ASTERISK, protocol=all]
             sendmail-whois[name=ASTERISK, dest=$EMAIL, sender=fail2ban@rai-stm-voip-02]
    logpath = /var/log/asterisk/messages
    maxretry = 40
    bantime = 86400
