Calculate whitelist subnet [fail2ban]

NethServer Version: 7.5 (oct 18)
Module: fail2ban

Reaching out, for my knowledge with calculating IP stuff is ‘zilch’.

I am looking for what to fill out to whitelist my mobile provider’s subnet. Every time I use hotspot on my cell phone I get assigned a different IP, so I want the whole providers net being whitelisted.

TIA


Hi,

The IP 84.241.205.229 has just been banned by Fail2Ban after
3 attempts against openvpn.

Here is more information about 84.241.205.229 :

[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '84.241.200.0 - 84.241.207.255'

% Abuse contact for '84.241.200.0 - 84.241.207.255' is 'lir@t-mobile.nl'

inetnum: 84.241.200.0 - 84.241.207.255
netname: TMONL-NET
descr: Pool for mobile users
country: NL
admin-c: AT13974-RIPE
tech-c: AT13974-RIPE
status: ASSIGNED PA
mnt-by: mnt-tmonl
created: 2005-08-16T08:29:46Z
last-modified: 2018-06-28T13:03:31Z
source: RIPE

role: Access & transport
address: Waldorpstraat 60
admin-c: RB21461-RIPE
tech-c: RD7864-RIPE
nic-hdl: AT13974-RIPE
mnt-by: MNT-TMONL
created: 2017-03-28T08:40:14Z
last-modified: 2017-03-31T13:36:43Z
source: RIPE # Filtered

% Information related to '84.241.192.0/19AS31615'

route: 84.241.192.0/19
descr: T-mobile Netherlands
origin: AS31615
mnt-by: MNT-TMONL
created: 2011-08-10T13:11:33Z
last-modified: 2011-08-10T13:21:11Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.92.6 (HEREFORD)

Regards,

Fail2Ban

I found this site:

http://www.subnet-calculator.com/

hmm, I tried 84.241.200.0/24 in the fail2ban config but get:

AllowedIP
"84.241.200.0/24" is not an IP

Is it me, is it fail2ban or is it Nethserver?

Only IPs are accepted in web UI.

You may edit /etc/fail2ban/jail.conf and edit the ignoreip option to ignoreip = 127.0.0.1/8 84.241.200.0/24 and do a signal-event nethserver-fail2ban-update

https://www.fail2ban.org/wiki/index.php/Whitelist

A better solution would be to create a custom template because jail.conf may be templated in future, but let’s check, if it works for you first.

Jail.conf could change with a fail2ban upgrade and jail.local wins with its priority so the change must go to jail.local.

Markus is right, a custom template is the way… maybe you could also look at the template because I put a lot of Easter eggs

Not in this case… Probably I worried about a network that could cover the whole IPv4 subnet :smile:


The custom template to create is for this one


I created the custom template, expanded and restarted (thanks @stephdl)

It did not work for me, for my mobile provider keeps changing IPs on me and I lack the skills on subnets. Entering a specific IP in the fail2ban config web UI works.


This is a network allowing IP between 82.241.200.1 to 82.241.200.254

You could try /16 but you allow about 65000 IPs :frowning:

84.241.0.0/16

84.241.0.1 - 84.241.255.254

84.241.200.1 - 84.241.207.254 is 84.241.200.0/21

But it's too many IPs… it is like a big hole in the firewall
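As an added example (not from the thread or from NethServer), the Python below does the subnet arithmetic discussed above: it derives the CIDR for the RIPE inetnum range, counts how many addresses each candidate block would whitelist, and checks which blocks actually contain the banned address, which also shows why the /24 that was tried did not match 84.241.205.229. The `ignoreip_line` helper is hypothetical and only builds the line for jail.local in the format fail2ban expects.

```python
import ipaddress

# Values taken from the whois output quoted earlier in the thread.
INETNUM_START = "84.241.200.0"
INETNUM_END = "84.241.207.255"
BANNED_IP = "84.241.205.229"

# Candidate blocks mentioned in the thread, plus the RIPE route object.
CANDIDATES = ["84.241.200.0/24", "84.241.200.0/21", "84.241.192.0/19", "84.241.0.0/16"]


def range_to_cidrs(start, end):
    """Return the minimal list of CIDR blocks covering start..end inclusive."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))
    return [str(n) for n in nets]


def covers(cidr, ip):
    """True if ip lies inside cidr, i.e. an ignoreip entry would exempt it."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def address_count(cidr):
    """Number of addresses a whitelist entry of this size exempts from banning."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def compare(candidates, ip):
    """Map each candidate block to (addresses whitelisted, contains ip)."""
    return {c: (address_count(c), covers(c, ip)) for c in candidates}


def ignoreip_line(cidrs):
    """Build the jail.local ignoreip setting, keeping localhost first."""
    return "ignoreip = 127.0.0.1/8 " + " ".join(cidrs)


if __name__ == "__main__":
    cidrs = range_to_cidrs(INETNUM_START, INETNUM_END)
    print("inetnum as CIDR:", cidrs)
    for block, (count, hit) in compare(CANDIDATES, BANNED_IP).items():
        print(f"{block:18} {count:6d} addresses  contains {BANNED_IP}: {hit}")
    print(ignoreip_line(cidrs))
```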

Please don’t get me wrong, but I don’t get why you want to whitelist more than 2000 IPs only because you failed to log in to your own VPN. I’m using mobile devices with changing IPs on openvpn and there is no problem.
Maybe increasing the number of allowed attempts to 5 or 6 would be the better idea. If there is a real attack, 5 attempts are done in a fraction of a second, so it is not really a big loss of security, but you still have 2 or 3 more tries for your credentials. :slight_smile:

just my 2 ct


Yep, I have known laylow for a long time, a skilled sysadmin, and I would be curious why you want to go in that direction :-?

do you think we miss a feature in fail2ban ?

@flatspin @stephdl @mrmarkuz,

thanks for the thoughts and suggestions. The fail2ban log was only to get the whois report on the subnet, not a real attempt.

I guess what I miss is the possibility to enter subnets or a range of subnets in the fail2ban GUI, and the possibility to ignore IPs and subnets for specific services.

In my case I was testing stuff on Nethserver including making forced mistakes, and wanted to exclude my mobile provider’s subnets to prevent fail2ban from locking me out. Since this Nethserver is a Contabo VPS I was forced to open a VNC session and unban the offending IP.

But again, not my specialty, sort of a blind spot to me :wink:

Thanks


I forgot it, but when you want to allow a whole subnet in fail2ban, go to the trusted network menu and add your network as fully trusted; a lot of other applications use it already.


Works, many thanks.