Distinction between LAN and VPN in fail2ban

I would like to have an option to only allow bans from the VPN but not from the LAN in Fail2ban… Hence, only people who are in the same LAN cannot be banned…
This is because I want to secure my server also in the case that someone unauthorized gets a valid certificate for the VPN… (I know that this probably sounds very paranoid… :wink: ).

Does anyone have an idea how to implement this?
Of course, I could simply adjust the template file by hand… but I wonder whether it would be possible to add such an option to the fail2ban module in the NethServer GUI… @stephdl?

Of course, the VPN is already protected by Fail2ban (OpenVPN jail for fail2ban) very well, but in case of a stolen certificate there would be no protection at all anymore…

Not tested… but what about this:

  • you ban on the local network
  • you allow the network in the text box

Afterwards, check in /etc/fail2ban/jail.local whether your network is allowed.

As a side note, if you are paranoid, then:

  • keys have a short lifetime
  • the VPN is used with key AND password/login
  • the password must be changed periodically
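The check suggested above ("look in /etc/fail2ban/jail.local whether your network is allowed") can be done offline against a copy of the file. The following script is an added example, not code from the thread or from NethServer: it parses a constructed jail.local, reads the `ignoreip` whitelist the way fail2ban resolves it (a jail's own `ignoreip` replaces the one from `[DEFAULT]` rather than extending it), and reports whether a given source address would be exempt from banning. The LAN range 192.168.1.0/24, the VPN client range 10.8.0.0/24 and the jail names are assumptions chosen for the example.

```python
"""Check which source addresses a fail2ban jail would never ban (ignoreip).

Added example, not part of the original thread. Addressing is assumed:
LAN 192.168.1.0/24 is whitelisted, VPN clients in 10.8.0.0/24 are not,
so a stolen VPN certificate still runs into the ban logic.
"""
import configparser
import ipaddress

# Constructed sample of /etc/fail2ban/jail.local (not taken from any real host).
# Note the [sshd] jail: its own ignoreip line REPLACES the [DEFAULT] one, so the
# LAN is no longer exempt there. This is a common surprise when auditing jails.
SAMPLE_JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
bantime = 3600

[openvpn]
enabled = true
port = 1194
filter = openvpn
logpath = /var/log/openvpn.log

[sshd]
enabled = true
ignoreip = 127.0.0.1/8
"""


def load_ignoreip(text, jail="DEFAULT"):
    """Return the list of ip_network objects fail2ban would ignore for `jail`.

    configparser falls back to [DEFAULT] for a missing option, which mirrors
    fail2ban's own inheritance; an unknown jail yields an empty list.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    raw = cp.get(jail, "ignoreip", fallback="")
    nets = []
    # fail2ban accepts space- or comma-separated entries.
    for token in raw.replace(",", " ").split():
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            # fail2ban also allows hostnames here; we skip them since this
            # runs offline and cannot resolve names.
            continue
    return nets


def is_ignored(ip, text, jail="DEFAULT"):
    """True if `ip` is covered by the jail's effective ignoreip list."""
    addr = ipaddress.ip_address(ip)
    # `addr in net` is simply False for mixed IPv4/IPv6, no exception.
    return any(addr in net for net in load_ignoreip(text, jail))


def audit(text, jails, addresses):
    """Map (jail, address) -> 'exempt' or 'bannable' for a quick review."""
    return {
        (jail, ip): ("exempt" if is_ignored(ip, text, jail) else "bannable")
        for jail in jails
        for ip in addresses
    }


if __name__ == "__main__":
    # Constructed test addresses: a LAN host, a VPN client, loopback.
    result = audit(SAMPLE_JAIL_LOCAL, ["openvpn", "sshd"],
                   ["192.168.1.50", "10.8.0.7", "127.0.0.1"])
    for (jail, ip), verdict in sorted(result.items()):
        print(f"{jail:8s} {ip:15s} {verdict}")
```

On a live server the same question can be asked of the running daemon with `fail2ban-client get <jail> ignoreip`; comparing that output with the script's verdict for each jail is the quickest way to catch a jail whose own `ignoreip` silently dropped the LAN exemption.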

Thank you!!! :wink: This worked, of course! :wink:
I was stupid…!
And yes, I already have keys with a short lifetime and certificate + login/password authentication…! Getting the lifetime of the keys short wasn't so easy (in the end I decided to do it by hand with the CentOS openssl system, also because I wanted larger keys…)… perhaps that would be another feature?

What is the size of your keys?

Could you mark my previous post as a good answer?

I couldn’t mark your answer as the solution since I had posted my question in the feature category… now I have changed the category and marked your answer as the solution…

My keys (including the certificate authority!) are either 4096 bits long or created with elliptic curve cryptography (using the secp521r1 curve)… I don’t know whether it would be possible to implement a key size option in NethServer. I tried several things but it didn’t work… in particular, the key of the certificate authority (which is 2048 bits) was extremely difficult to change… it appears to be in some template: when I changed it manually (in /etc/pki/tls without renaming it), it suddenly restored itself (probably when using a signal-event command…).
And when I renamed the manually generated key, I wasn’t able to sign certificates automatically with the right new key (I changed, of course, the paths to the key in all files that obviously have something to do with this signing… probably I overlooked one…).
Hence, I don’t know how complicated such an option would be to implement and whether someone is interested in it…!?