Fail2ban in NethServer

Did you open an NFR here and there? :slight_smile:

We had another similar discussion here:

This is already done in the rebel side :smile:

You forgot to define the “rebel” side :smile:

The contribs cannot be copied and pasted, since the logs are custom in SME Server.

This post gave me a laugh because it reminded me of when everyone lost their minds and jumped all over my shit about using csf.

I missed the train: now, with version 0.9, an SQLite database is used to store the IPs of the ban list… out of the box.


Indeed, the modularity of NethServer will complicate the problem: the template must check whether the service is running, or at least whether the log file exists, and also follow the db properties of the service for the non-standard port case.

By the way, with version 0.9.3 the jail.conf is completely different from what I know.

Interesting :stuck_out_tongue:

I started to work on fail2ban as a module for NethServer. For the moment it is just notes and research work, but I’m facing some issues and some technical choices.

a) Fail2ban email

Fail2ban sends emails (this can be enabled or not), but root cannot be a user credential in Roundcube/SOGo, and the ‘admin’ user has no password set by default…

Who will receive the fail2ban email by default?

In the end, the destination user will be a choice made by a db command.

b) Firewall choice

Fail2ban can work with one of two firewalls: Shorewall, which is available by default only for NS6.7, and iptables. I tested both and they are workable, except for one issue I will detail after the problem.

Of course Shorewall is available by default only for NS6.7, so what about the dude who doesn’t want to upgrade his system? I cannot force an upgrade on him.

As the firewall side is really not my field of competence, please shout if I say something wrong.

c) Block the attackers

Shorewall doesn’t give you the choice (at least by default in fail2ban): the attacker is blocked on all ports; Shorewall closes all ports after the number of attempts is exceeded (see /etc/fail2ban/action.d/shorewall.conf).
It is workable, but if someone plays with your server from behind a gateway, the gateway will be blocked.

Am I wrong?

iptables has more settings:

iptables (block one port), iptables-multiport (block several ports), iptables-allports (block all ports)

All are workable, but my issue is that every setting does the same thing and the firewall closes all ports for the attacker. The jail tested for now is ssh.

    # iptables -L |grep -i web
    REJECT     all  --  web.lan              anywhere            reject-with icmp-port-unreachable

@Nas @zamboni, can you share with us the blocked lines in your firewall, please?

Do

    fail2ban-client status sshd

and search by the IP or the DNS name, or by

    iptables -L |grep 'reject-with icmp-port-unreachable'

If you have hints, please share them.

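A check that goes one step further than the `iptables -L | grep` above, added here as an example and not part of the thread or of the NethServer module. With the iptables-multiport and iptables-allports actions the REJECT rule lives inside a per-jail chain (`f2b-<name>` in fail2ban 0.9) and never names a port; the port restriction, if any, sits on the rule in INPUT that jumps to that chain. So `grep`-ing the REJECT line always shows `all`, whichever action is in use. The script reads `iptables -S` style rule specifications (a constructed sample is embedded; the chain names, addresses and ports are made up) and reports, per chain, which destination ports the ban actually covers and which sources are banned.

```shell
#!/bin/sh
# Constructed `iptables -S` (rule-specification) output, not captured from any real
# host. f2b-sshd is the chain the iptables-multiport action creates: INPUT hands it
# only tcp/22. f2b-pam-generic is what iptables-allports creates: INPUT hands it
# every tcp packet. Inside both chains the REJECT rule carries no port at all,
# which is why `iptables -L | grep` shows "all" for every banned host.
SAMPLE_RULES='-P INPUT ACCEPT
-N f2b-sshd
-N f2b-pam-generic
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -j f2b-pam-generic
-A f2b-sshd -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A f2b-pam-generic -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-pam-generic -j RETURN'

# f2b_scope RULES CHAIN: print the --dports list the INPUT chain uses when it
# jumps to CHAIN, "all" when the jump has no port match, or "none" (exit 1)
# when nothing in INPUT jumps to CHAIN at all.
f2b_scope() {
    jump=$(printf '%s\n' "$1" | grep -- "^-A INPUT .* -j $2\$" || true)
    if [ -z "$jump" ]; then
        echo none
        return 1
    fi
    case $jump in
        *--dports*) printf '%s\n' "$jump" | sed 's/.*--dports \([^ ]*\).*/\1/' ;;
        *)          echo all ;;
    esac
}

# f2b_banned RULES CHAIN: print the source addresses CHAIN currently rejects.
f2b_banned() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain && /-j REJECT/ {
            for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1)
        }'
}

# Report per chain whether a ban is port-limited or host-wide.
for chain in f2b-sshd f2b-pam-generic; do
    echo "$chain: ports=$(f2b_scope "$SAMPLE_RULES" "$chain") banned=$(f2b_banned "$SAMPLE_RULES" "$chain" | tr '\n' ' ')"
done
```

On a live host replace the sample with `iptables -S` output and pass the chain names `fail2ban-client status` reports; a chain whose scope comes back as `all` is the one banning the whole source, gateway included.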

Hi Steph…

I’m sorry but since I never use the standard ssh port, my ssh jail will never be triggered :slight_smile:

I think a good default could be not to send email at all. The fail2ban configuration page will permit adding an email address (a db prop will be OK for the first release).
I would support only 6.7 (i.e. shorewall only). That means about 90% of all systems.
Regarding the block of all ports, I think that if you have only one service on a system it’s not relevant. If you have multiple services we need to discover how often false alarms get triggered.
Then we can take a decision.
If you have some code to share (even a jail.conf) I will help with tests (and code if possible).

For now I’m testing some workable cases, and I implemented several jails:

    # ll /etc/fail2ban/jail.d/
    total 48
    -rw-r--r--. 1 root root  26 Nov 28 10:32 dovecot.local
    -rw-r--r--. 1 root root 509 Nov 28 08:19 httpd.local
    -rw-r--r--. 1 root root 202 Nov 29 04:14 jail.local
    -rw-r--r--. 1 root root  61 Nov 28 17:11 mysql-auth.local
    -rw-r--r--. 1 root root  45 Nov 29 04:08 pam-generic.local
    -rw-r--r--. 1 root root  26 Nov 28 10:29 postfix.local
    -rw-r--r--. 1 root root  28 Nov 28 10:34 recidive.local
    -rw-r--r--. 1 root root  74 Nov 28 10:16 roundcubemail.local
    -rw-r--r--. 1 root root  24 Nov 28 10:32 sieve.local
    -rw-r--r--. 1 root root  28 Nov 28 10:10 sogo.local
    -rw-r--r--. 1 root root  81 Nov 28 17:41 sshd.local
    -rw-r--r--. 1 root root  88 Nov 28 10:25 vsftpd.local

I believe that my issues came from the pam-generic jail, which has the action iptables-allports… Most of the time I have just enabled the jail (enabled = true), but I wonder whether I need to provide a full jail configuration in each local file. Indeed, the rpm can be updated by the fail2ban team with other configurations that could lead to bugs.

I also planned to provide a jail for nginx; I suppose that you use ports 443 and 80?

Dears,

To make Fail2ban work you need to adjust the Shorewall config files.

Can you share with us what you did in the configuration files… For now I would prefer to use iptables, because the action configuration is more powerful (close all ports, one port, several ports).
I recall that the default action of shorewall can only close all ports when an IP is blacklisted.

So, little steps for NS version 6.6:

  1. Copy jail.conf to jail.local

    [ssh-shorewall]

    enabled = true
    filter = sshd
    action = shorewall[name=SSH, port=ssh, protocol=tcp]
             sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
    logpath = /var/log/secure
    maxretry = 3

    [ssh-ddos]

    enabled = true
    filter = sshd-ddos
    action = shorewall[name=SSHDDOS, port=ssh, protocol=tcp]
    logpath = /var/log/secure
    maxretry = 2

  2. Edit Shorewall

    /etc/shorewall/shorewall.conf

    BLACKLIST="ALL"

    a) Make it permanent:

    cp -r /etc/e-smith/templates/etc/shorewall/shorewall.conf /etc/e-smith/templates-custom/etc/shorewall/shorewall.conf
    edit 60options

    BLACKLIST="ALL"

  3. Edit /etc/fail2ban/action.d/shorewall.conf

    actionban = shorewall
    actionunban = shorewall allow
    blocktype = drop

  4. To show blocked IPs:

    shorewall show dynamic


Isn’t it a problem if you block all services for an IP?
In the case of a gateway with several users behind it, might that be too much?

Just thoughts to share, IMHO; I’m still developing the module.

I don’t have experience with fail2ban, but looking at a lot of logs on many servers I’d say “no”.
Let’s start with this working config; we will tune it later.

I plan to leave the choice of the action (what to do when an IP is found in your log) to a db command; after that we can test what the best choice is.

The default will be iptables-multiport (close the relevant port), but it can be changed to shorewall or iptables-allports (close all ports).
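The question running through the Shorewall steps above and this post is the same: for each enabled jail, does the ban close one port or the whole host? The script below is an added example, not code from the thread or from the NethServer module. It parses a jail configuration in fail2ban's INI layout and, for each enabled jail, reports the ports the action limits itself to, `ALL` for the actions the thread identifies as host-wide (shorewall, iptables-allports), or `DEFAULT` when the jail sets no action at all and therefore inherits whatever jail.conf currently defines (the concern about rpm updates raised earlier). The embedded sample jail.local is constructed: its first two jails mirror the posted ones, the `httpd-auth` and `pam-generic` jails and their values are made up for the demonstration.

```shell
#!/bin/sh
# Constructed jail.local modelled on the posted [ssh-shorewall]/[ssh-ddos] jails,
# plus a jail using iptables-multiport and one that only flips "enabled = true"
# (so its action comes from jail.conf and can change on an rpm update).
# Not a file from any real NethServer host.
SAMPLE_JAIL='[DEFAULT]
bantime = 600
maxretry = 3

[ssh-shorewall]
enabled = true
filter = sshd
action = shorewall[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com]
logpath = /var/log/secure

[ssh-ddos]
enabled = false
filter = sshd-ddos
action = shorewall[name=SSHDDOS, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 2

[httpd-auth]
enabled = true
filter = apache-auth
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
logpath = /var/log/httpd/error_log

[pam-generic]
enabled = true'

# jail_scope INI: one line per enabled jail, "<jail> <scope>", where scope is
# the port list the ban action limits itself to, "ALL" for actions that ban the
# source on every port (shorewall, iptables-allports), or "DEFAULT" when the
# jail sets no action and inherits whatever jail.conf currently defines.
# Only the first line of a multi-line action is inspected: in fail2ban's INI
# format the indented continuation lines are extra actions (e.g. sendmail-whois).
jail_scope() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (jail != "" && jail != "DEFAULT" && enabled == "true") {
                if (action == "")
                    scope = "DEFAULT"
                else if (action ~ /^(shorewall|iptables-allports)(\[|$)/)
                    scope = "ALL"
                else if (match(action, /port=("[^"]*"|[^],]+)/))
                    scope = substr(action, RSTART + 5, RLENGTH - 5)
                else
                    scope = "UNKNOWN"
                gsub(/"/, "", scope)
                print jail, scope
            }
        }
        /^\[.*\]$/ { flush(); jail = substr($0, 2, length($0) - 2); enabled = "false"; action = ""; next }
        /^[[:space:]]*$/ || /^#/ { next }
        /^enabled[[:space:]]*=/ { sub(/^enabled[[:space:]]*=[[:space:]]*/, ""); enabled = $0; next }
        /^action[[:space:]]*=/  { sub(/^action[[:space:]]*=[[:space:]]*/, "");  action = $0; next }
        END { flush() }'
}

jail_scope "$SAMPLE_JAIL"
```

Run against a real tree with `cat /etc/fail2ban/jail.local /etc/fail2ban/jail.d/*.local` as the input: every `ALL` line is a jail that will take a gateway down with the attacker behind it, and every `DEFAULT` line is a jail whose behaviour is decided by the packaged jail.conf rather than by the module.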

fail2ban is only a utility for scanning logs and banning double or triple attempts. It is not a firewall or something else.

Agreed, except that it triggers an action in the firewall, and it blocks the relevant service port tested by the IP.