NethSecurity: Fail2ban/crowdsec/banip

Thanks for the reply. Another quick question: Is fail2ban planned in the future?

With Crowdsec as a business partner I don’t see fail2ban being interesting for the dev team.
And I would like to say that’s a bad idea.
What exposed here

still stands

Edit: the bold part is inaccurate and it’s not true.
More on that here.
https://community.nethserver.org/t/nethsec8-ddclient/23415/6?u=pike

1 Like

I don’t know.
NethSecurity has few services running, so maybe something leaner could be enough.
For now we are testing the banip built-in feature that scans the log and blocks the attacks.
This is still not exposed in the UI, because we need to test it thoroughly.
If you want you can enable it manually:

uci set banip.global.ban_logreadfile='/var/log/messages'
uci set banip.global.ban_logcount='3'
uci set banip.global.ban_autodetect='1'
uci commit banip
/etc/init.d/banip restart

You could also test a filter for OpenVPN with user/pass authentication:

uci add_list banip.global.ban_logterm='TLS Auth Error: Auth Username/Password verification failed for peer'
uci commit banip
/etc/init.d/banip restart

As Michael said, we are also experimenting with Crowdsec that connects a NS8 to a NethSecurity.

This is totally new to me: what business partnership are you talking about?

That’s what I understood: that there was some business relationship in place, as there was (still is?) with Collini Consulting for the content filtering.
Your words make me feel that these words

are inaccurate and do not represent the current status.

I edited the previous post so that the audience is not misled by my words.

3 Likes

Indeed we have a collaboration with Collini Consulting which is providing its own cloud DNS filter, available only with an extra fee (I really do not know the commercial details about it).

Is banip already planned to come soon to the UI?

And any information about Crowdsec being implemented?
Thanks !!

There is already a UI for managing the blocklists, but the UI for the fail2ban-like feature is still not planned.

We are just experimenting. If you want, you can use OpenWrt packages to try it: [OpenWrt Wiki] CrowdSec

1 Like

Thanks. Since I’m using it as a live system, I’m not so happy about the experiment :yum:

So BanIP is already in the UI and I do not need to install or set it up as described above?

Yes, but not the fail2ban-feature: Threat shield — NethSecurity documentation

Is there, or will there be, a feature to unblock a blocked IP in the UI?

Because if you block an IP and you don’t see it or can unblock it this will be an issue some day :yum:

Is this already standard implemented now ?

uci set banip.global.ban_logreadfile='/var/log/messages'
uci set banip.global.ban_logcount='3'
uci set banip.global.ban_autodetect='1'
uci commit banip
/etc/init.d/banip restart

I guess so :slight_smile:

Yes, you can follow upstream doc.

1 Like

Sorry Giacomo…

Just to be sure that I understand it correctly:

This is not yet standard working in RC2 and needs to be done manually?

If for “standard” you mean there’s a UI for it, yes, it’s not standard.
But since we use OpenWrt packages, you can follow package instructions to configure it manually.

Ok. Thanks !

I meant with standard that this is already functional:

uci set banip.global.ban_logreadfile='/var/log/messages'
uci set banip.global.ban_logcount='3'
uci set banip.global.ban_autodetect='1'

I’m a newbie with OpenWrt and Neth applications; I apologize for the many questions.

1 Like

How can I see this is implemented?
I’ve added the commands, but when I check my log I see no “TLS Auth Error: …” at all.
I’m using the NethSecurity OpenVPN module.

It looks like intruders are trying to connect to the VPN, but there are no errors in the log besides this:

May 29 20:15:22 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: Client connected from /var/run/openvpn_ns_roadwarrior1.socket
May 29 20:15:22 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: CMD 'status 3'
May 29 20:15:22 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: Client disconnected
May 29 20:15:48 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: Client connected from /var/run/openvpn_ns_roadwarrior1.socket
May 29 20:15:48 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: CMD 'status 3'
May 29 20:15:48 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: Client disconnected
May 29 20:16:16 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: Client connected from /var/run/openvpn_ns_roadwarrior1.socket
May 29 20:16:16 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: CMD 'status 3'
May 29 20:16:16 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: Client disconnected
May 29 20:16:42 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: Client connected from /var/run/openvpn_ns_roadwarrior1.socket
May 29 20:16:42 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: CMD 'status 3'
May 29 20:16:42 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: Client disconnected
May 29 20:18:01 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: Client connected from /var/run/openvpn_ns_roadwarrior1.socket
May 29 20:18:01 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: CMD 'status 3'
May 29 20:18:01 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: Client disconnected
May 29 20:19:01 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: Client connected from /var/run/openvpn_ns_roadwarrior1.socket
May 29 20:19:01 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: CMD 'status 3'
May 29 20:19:01 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: Client disconnected
May 29 20:20:02 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: Client connected from /var/run/openvpn_ns_roadwarrior1.socket
May 29 20:20:02 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: CMD 'status 3'
May 29 20:20:02 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: Client disconnected

Additional question.

If I’m correct, the settings are stored in /overlay/upper/etc/config/banip

config banip 'global'
	option ban_enabled '1'
	option ban_debug '0'
	option ban_autodetect '1'
	list ban_logterm 'Exit before auth from'
	list ban_logterm 'luci: failed login'
	list ban_logterm 'error: maximum authentication attempts exceeded'
	list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
	list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
	list ban_logterm 'received a suspicious remote IP '\''.*'\'''
	list ban_logterm 'TLS Auth Error: Auth Username/Password verification failed for peer'
	option ban_fetchcmd 'curl'
	option ban_protov4 '1'
	list ban_allowurl 'https://dc391ab3-e1d7-4bc4-aca6-56382fd45603:b32ef679ccadd5da0fb5e1b7ec75a7e1ce97a694a0eaedf5bb155cf50f0d9231@bl.nethesis.it/plain/nethesis-blacklists/whitelist.global'
	option ban_logreadfile '/var/log/messages'
	option ban_logcount '3'
	option ban_nftexpiry '1d'
	option ban_nftloglevel 'info'
	option ban_protov6 '1'
	list ban_feed 'edrop'
	list ban_feed 'dshield'
	list ban_feed 'drop'
	list ban_feed 'debl'
	list ban_feed 'darklist'
	list ban_feed 'threatview'
	list ban_feed 'iblockspy'
	list ban_feed 'ipthreat'
	list ban_feed 'greensnow'
	list ban_feed 'urlvir'
	list ban_feed 'cinsscore'
	list ban_feed 'bruteforceblock'
	list ban_feed 'binarydefense'
	list ban_feed 'backscatterer'
	list ban_feed 'feodo'
	list ban_feed 'uceprotect1'
	list ban_feed 'webclient'
	list ban_feed 'firehol2'
	list ban_feed 'myip'
	list ban_feed 'bogon'
	list ban_feed 'ipblackhole'
	list ban_feed 'country'
	list ban_feed 'asn'
	list ban_ifv4 'wan'
	list ban_ifv6 'wan'
	list ban_trigger 'wan'
	list ban_dev 'eth1'

When I change something in the UI Threat list (enable or disable a name in the blocklist)

option ban_autodetect '1'

is changed to

option ban_autodetect '0'

Is this a bug ?

It’s already there, you do not need to do anything.

So nobody is trying to access your server :wink:

These logs are totally unrelated: it’s the UI that’s accessing the openvpn socket to inspect the status of connected clients. It’s verbose, but harmless!

I doubt it. Normally I saw a few times per week in fail2ban that an IP was banned.
Maybe the NethSecurity firewall or OpenVPN setup scared the bad people away :innocent:
I get the feeling that BanIP is not logging or not working properly. Not a single IP has been blocked in weeks. Doesn’t feel good somehow.

If you had any failed authentication, you would see it in the log, regardless of whether banip is doing its job or not.

You can also use these regexes:

failregex = ^ (.*) TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ (.*) <HOST>:\d+ Connection reset, restarting
            ^ (.*) <HOST>:\d+ TLS Auth Error
            ^ (.*) <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ (.*) <HOST>:\d+ VERIFY ERROR
            ^ (.*) <HOST>:\d+ TLS Error: TLS key negotiation failed to occur within 60 seconds.*$

failregex =%(__prefix_line)s<HOST>:[0-9]{4,5} TLS Auth Error:.*
           %(__prefix_line)s<HOST>:[0-9]{4,5} VERIFY ERROR:.*
           %(__prefix_line)s<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*
           %(__prefix_line)sTLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]<HOST>:[0-9]{4,5}

By the way, just check for similar errors inside your logs: they should all be access attempts.
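To check whether the OpenVPN ban_logterm from earlier in the thread and the fail2ban failregex lines above would actually fire on your log, here is a small Python script that runs both sets of patterns over a few log lines. This is an added example, not banip's or fail2ban's own code: the log lines are constructed in the syslog layout shown in the thread (the MANAGEMENT lines plus some typical OpenVPN failures, with documentation IP addresses), `<HOST>` is replaced by an IPv4 capture group, and the ban_logcount threshold is read as "ban once an IP has at least that many matching lines", which is my reading of the banip option, not a reproduction of banip's real matching logic.

```python
import re
from collections import Counter

# Constructed sample log (not a real capture). The MANAGEMENT lines are the
# harmless UI status polls from the thread; the others are OpenVPN failures
# of the kinds the fail2ban regexes target. 203.0.113.45 fails three times.
SAMPLE_LOG = """\
May 29 20:15:22 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: Client connected from /var/run/openvpn_ns_roadwarrior1.socket
May 29 20:15:22 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: CMD 'status 3'
May 29 20:15:22 NethSec8 openvpn(ns_roadwarrior1)[6082]: MANAGEMENT: Client disconnected
May 29 20:17:02 NethSec8 openvpn(ns_roadwarrior1)[6082]: 203.0.113.45:51234 TLS Auth Error: Auth Username/Password verification failed for peer
May 29 20:17:09 NethSec8 openvpn(ns_roadwarrior1)[6082]: 203.0.113.45:51240 TLS Auth Error: Auth Username/Password verification failed for peer
May 29 20:17:15 NethSec8 openvpn(ns_roadwarrior1)[6082]: 203.0.113.45:51251 TLS Error: TLS handshake failed
May 29 20:18:30 NethSec8 openvpn(ns_roadwarrior1)[6082]: TLS Error: incoming packet authentication failed from [AF_INET]198.51.100.7:44010
May 29 20:19:11 NethSec8 openvpn(ns_roadwarrior1)[6082]: 192.0.2.9:60122 VERIFY ERROR: depth=0, error=certificate has expired
"""

# ban_logterm entries from the banip config posted in the thread, treated here
# as extended regular expressions (an assumption about how banip applies them).
BANIP_LOGTERMS = [
    'Exit before auth from',
    'luci: failed login',
    'error: maximum authentication attempts exceeded',
    r'sshd.*Connection closed by.*\[preauth\]',
    'TLS Auth Error: Auth Username/Password verification failed for peer',
]

# IPv4 only in this example; fail2ban's real <HOST> also accepts IPv6 and hostnames.
IPV4 = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'


def fail2ban_patterns():
    """The failregex lines from the thread with <HOST> swapped for an IPv4 capture group."""
    raw = [
        r'TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$',
        r'<HOST>:\d+ Connection reset, restarting',
        r'<HOST>:\d+ TLS Auth Error',
        r'<HOST>:\d+ TLS Error: TLS handshake failed$',
        r'<HOST>:\d+ VERIFY ERROR',
        r'<HOST>:\d+ TLS Error: TLS key negotiation failed to occur within 60 seconds.*$',
        r'TLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]<HOST>:[0-9]{4,5}',
    ]
    return [re.compile(p.replace('<HOST>', IPV4)) for p in raw]


def match_logterms(log_text, logterms=BANIP_LOGTERMS):
    """Return the log lines that contain any of the banip ban_logterm patterns."""
    rx = re.compile('|'.join(logterms))
    return [line for line in log_text.splitlines() if rx.search(line)]


def count_offenders(log_text, patterns=None):
    """Count matching lines per source IP using the fail2ban-style patterns.

    Each line is attributed to at most one pattern, so a line is never counted twice.
    """
    patterns = patterns or fail2ban_patterns()
    hits = Counter()
    for line in log_text.splitlines():
        for rx in patterns:
            m = rx.search(line)
            if m:
                hits[m.group('host')] += 1
                break
    return hits


def to_ban(hits, logcount=3):
    """Apply a ban_logcount-style threshold: IPs with at least `logcount` matching lines."""
    return sorted(ip for ip, n in hits.items() if n >= logcount)


if __name__ == '__main__':
    print('banip ban_logterm matches:')
    for line in match_logterms(SAMPLE_LOG):
        print('  ', line)
    hits = count_offenders(SAMPLE_LOG)
    print('fail2ban-style hits per IP:', dict(hits))
    print('would be banned with ban_logcount=3:', to_ban(hits, 3))
```

Two things this shows that the thread's log excerpt alone does not: the MANAGEMENT lines match none of the patterns, so a log made only of them really is just the UI polling the socket, and the single banip ban_logterm from the thread only catches the Username/Password failure, while the fail2ban set also picks up handshake, HMAC and certificate failures, so a quiet log with the banip term alone does not prove nothing is knocking. To try it on a real box, replace `SAMPLE_LOG` with the contents of `/var/log/messages` (or the output of `logread`).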

How can I add them? (sorry… I’m a newbie with NS)

When I check the logs I don’t see any line with “error”.