I released a first version of fail2ban. For now there is no GUI, but I'm not sure one is really needed, since it is something that works in the background.
Obviously this needs to be tested on real servers exposed to the Internet, so check on fail2ban daily:
you can look at the administrative emails sent to the admin or to custom recipients
you can run the command fail2ban-listban to see the number of banned IPs
you can run the command fail2ban-client status to see whether fail2ban is running and which jails are configured
you can test the activated jails (run fail2ban-client status and look at the jail names) and try to get yourself banned by fail2ban. IPs on your local network cannot be banned unless you set BanLocalNetwork to enabled
when you want to unban an IP, run: fail2ban-unban
Well, I'm looking forward to your feedback, and of course to ideas, new jails, etc.
For example, Nginx could be better protected; I have only activated the default jails, but more jails can be found on the Internet.
Funny, I tried but without success, and when I read /filter.d/apache-overflow.conf I don't have the feeling that the jail is made to block a host that is doing a huge number of requests. You can verify what occurred in the fail2ban log.
I tried sogo-auth, roundcube-auth, pam-generic, vsftpd and sshd with success.
[root@nethserver httpd]# fail2ban-listban
Look after a jail, do : fail2ban-client status {JailName}
Count the number of IP Banned
apache-auth Jail
- Currently banned: 0 - Total banned: 0
apache-badbots Jail
- Currently banned: 0 - Total banned: 0
apache-fakegooglebot Jail
- Currently banned: 0 - Total banned: 0
apache-modsecurity Jail
- Currently banned: 0 - Total banned: 0
apache-nohome Jail
- Currently banned: 0 - Total banned: 0
apache-noscript Jail
- Currently banned: 0 - Total banned: 0
apache-overflows Jail
- Currently banned: 0 - Total banned: 0
apache-scan Jail
- Currently banned: 0 - Total banned: 2
apache-shellshock Jail
- Currently banned: 0 - Total banned: 0
dovecot Jail
- Currently banned: 0 - Total banned: 0
ejabberd-auth Jail
- Currently banned: 0 - Total banned: 0
mysqld-auth Jail
- Currently banned: 0 - Total banned: 0
pam-generic Jail
- Currently banned: 0 - Total banned: 0
postfix Jail
- Currently banned: 0 - Total banned: 0
postfix-rbl Jail
- Currently banned: 0 - Total banned: 0
recidive Jail
- Currently banned: 0 - Total banned: 0
sieve Jail
- Currently banned: 0 - Total banned: 0
sogo-auth Jail
- Currently banned: 0 - Total banned: 0
sshd Jail
- Currently banned: 0 - Total banned: 20
sshd-ddos Jail
- Currently banned: 0 - Total banned: 0
Maybe, but changing the port will reduce the problems (almost) to zero, meaning that all script kiddies and bots won't affect you…
Obviously a portscan will reveal your real sshd port, but it's something that can't be done in a silent way… in this case, fail2ban is a great help.
BTW, if only key access is enabled, i.e. no password auth allowed, using a non-standard port will let you sleep like a baby.
Right, with no root account accepted either, you will live in Fort Knox… but for other services like apache, postfix, dovecot… and many others, you cannot use non-standard ports unless you are alone (or with a few known people) in using the server.
The main difference is that if someone breaks into your server via http, gaining root privileges is quite difficult (using RH/CentOS rpms at least), while by breaking your ssh account (root, anyone?) they already have them.
BTW, everything that can be moved to non-standard ports must be moved… log flooding is a good way to hide many things (for the attacker) and to miss the same things (for the admin).
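The three sshd settings discussed above (non-standard port, key-only authentication, no root login) as a constructed sshd_config audit, added here as example code rather than anything from the thread or from NethServer's templates: a weak fragment beside its hardened form, a parser that applies sshd's own rules (first occurrence of a keyword wins, keywords are case-insensitive, `Keyword value` and `Keyword=value` are both accepted, a Match block ends the global section) and an audit that lists what is still weak. The default values assumed for absent keywords are OpenSSH 7.x+ defaults; the config fragments are constructed.

```python
import re

# Constructed sshd_config fragments (not from any NethServer template).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
"""

# Values sshd uses when a keyword is absent (OpenSSH 7.x+ defaults, assumed).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}


def parse_sshd_config(text):
    """Effective global settings: first occurrence of a keyword wins, keywords
    are case-insensitive, and the first Match line ends the global section."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":                       # per-Match overrides are out of scope
            break
        if key not in seen:
            seen.add(key)
            settings[key] = value
    return settings


def audit_sshd_config(text):
    """Return the weaknesses the thread warns about; an empty list means hardened."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["port"] == "22":
        findings.append("Port 22: bots and script kiddies find sshd without scanning")
    if cfg["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin {cfg['permitrootlogin']}: "
                        "a compromised ssh login is already root")
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication yes: passwords can be brute-forced")
    elif cfg["challengeresponseauthentication"] != "no":
        # keyboard-interactive via PAM can still prompt for a password
        findings.append("ChallengeResponseAuthentication yes: PAM may still ask for a password")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

Run it against `sshd -T` output on a live host rather than the file when Match blocks or included files are in play, since `sshd -T` prints the effective values after sshd has resolved them.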
I tested fail2ban in the lab, with failed logins over ssh and imaps: it correctly banned me.
I will ask @giacomo to install it on www.nethserver.org to see how it behaves in the real world.
The only thing I'd like to change: Mail=disabled by default, because I received about 50 emails for every started/stopped jail. I know there's a workaround, but I still hope that fail2ban improves over time and will offer an option to receive emails only for bans (and, while at it, to disable whois).