
What is the best way to add an IP to Fail2Ban's blocklist as a normal (non-root) user, without giving that user full access to fail2ban-client?

For example, to run this command as a normal user:

fail2ban-client set apache-badbots addignoreip 193.81.151.209
  • Hmm, tough one. I'm not a Linux expert, but perhaps you could grant the user access to a folder. Then create a script they can run, passing the IP address to ban. The script creates a file via the touch command in that folder, for example touch /etc/ban-folder/1.2.3.4, and you can create a cron job to read the filenames as root and block the IP addresses. It sounds complicated when I say it out loud, but it's a workaround I guess. – Admiral Noisy Bottom Apr 28 '20 at 02:04
  • I was asking for 'the best way'. Not any strange ideas that I would have myself. – Thomas Krcal Apr 28 '20 at 07:53
  • I will be interested in any answers you get. My understanding is that root and sudoers are the only ones able to execute anything where root access is required. I hope you get a good answer because I'll learn something. – Admiral Noisy Bottom Apr 28 '20 at 08:50
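The usual way to grant a single privileged action without handing over fail2ban-client itself is a sudoers rule that names one root-owned wrapper script, and a wrapper that validates every argument before it execs the real client. The following is an added example written for this page, not code from the question or any answer; the script name f2bctl, the jail and action allow-lists, and the user name in the sudoers comment are assumptions. Note that the command in the question, addignoreip, adds an address to the jail's ignore (allow) list; the command that actually bans is banip, so the wrapper permits both and lets the caller choose.

```shell
#!/bin/sh
# f2bctl: restricted wrapper around fail2ban-client, meant to be the ONLY
# command a non-root operator may run via sudo.  Added example; the names
# f2bctl, ALLOWED_JAILS and ALLOWED_ACTIONS are assumptions for illustration.
#
# Matching sudoers line (edit with visudo), granting one user exactly this script:
#   thomas ALL=(root) NOPASSWD: /usr/local/sbin/f2bctl
# The script must be root-owned and not writable by the operator, and sudoers
# must name the script, never "fail2ban-client set apache-badbots addignoreip *":
# a sudoers wildcard also matches whitespace, so it would allow extra arguments.
#
# Usage: sudo f2bctl <jail> <action> <ip>
#   e.g. sudo f2bctl apache-badbots banip 193.81.151.209

# Jails and actions the operator may touch (assumed allow-lists; edit to taste).
# addignoreip whitelists an address rather than banning it.
ALLOWED_JAILS="apache-badbots sshd"
ALLOWED_ACTIONS="banip unbanip addignoreip"
F2B_CLIENT=/usr/bin/fail2ban-client

# in_list WORD "LIST": 0 if WORD is one of the space-separated LIST items.
in_list() {
    for item in $2; do
        [ "$1" = "$item" ] && return 0
    done
    return 1
}

# valid_ipv4 ADDR: 0 for a well-formed dotted-quad IPv4 address, 1 otherwise.
# Everything below runs as root, so the argument is untrusted input.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and single dots
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')   # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# check_request JAIL ACTION IP: 0 if the whole request is permitted.
check_request() {
    in_list "$1" "$ALLOWED_JAILS"   || { echo "jail not permitted: $1" >&2; return 1; }
    in_list "$2" "$ALLOWED_ACTIONS" || { echo "action not permitted: $2" >&2; return 1; }
    valid_ipv4 "$3"                 || { echo "not a valid IPv4 address: $3" >&2; return 1; }
    return 0
}

main() {
    [ $# -eq 3 ] || { echo "usage: $0 <jail> <action> <ip>" >&2; exit 2; }
    check_request "$1" "$2" "$3" || exit 3
    # Absolute path to the client; arguments passed through as separate words.
    exec "$F2B_CLIENT" set "$1" "$2" "$3"
}

# Only act when invoked with arguments, so the functions above can be
# sourced and exercised without touching fail2ban.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The operator never gets a shell as root or a general fail2ban-client: sudo runs only this fixed path, and the script refuses anything outside its jail and action lists or any argument that is not a plain IPv4 address. If fail2ban's socket is restricted to root (the default), this is also what makes the question's command work without giving the user that socket.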

1 Answer


We used this scenario some time ago; it worked for us.

Credit goes to Jinn Koriech

His article contains many good points and hints: https://coderwall.com/p/haj28a/running-rootless-fail2ban-on-debian

Where possible we prefer to run services as a non-root user. fail2ban also supports this, however the run-rootless.txt docs don't fully detail all the necessary steps.

Some of the steps are explained in the /etc/default/fail2ban config script. In addition to these, a few other steps are needed. Below are all the steps to get a working rootless fail2ban on Debian wheezy.

Stefano
  • Very interesting and new info to me. I'm going to give it a try. I use firewalld rather than iptables and will be interested in the results. I think I'll create a VM for this rather than screwing around with my production servers. Thanks :) – Admiral Noisy Bottom Apr 29 '20 at 01:23
  • Sorry, I'm not able to run Fail2ban as a non-root user. – Thomas Krcal Apr 29 '20 at 20:28