Fail2ban in NethServer

I was looking for the fail2ban package repositories, but not this.

Can it be installed from the CentOS 6.x repositories?

I installed fail2ban from the epel repo, but I never succeeded in starting it.
I never used it, but I didn’t like that it can’t auto-detect what services the system is using.

If you have a working fail2ban installation, I’d like to have a look at the configuration.

installed from epel 3 months ago, up and running with no issues…

which file do you need?

I’m not sure about the file I need. The howto I briefly tried to follow directed me to modify /etc/fail2ban/jail.local.
But even when I deleted all references to nginx in that file I saw:

Starting fail2ban: ERROR  No file(s) found for glob /var/log/nginx/error.log
ERROR  Failed during configuration: Have not found any log file for nginx-http-auth jail

What files did you modify? I think I need them all. :smile:
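The startup error quoted above is fail2ban refusing to run because an enabled jail names a logpath that matches no file on the box. The following pre-flight check is an added example (not fail2ban's own code and not a configuration from this thread): it reads a jail.local in the plain ini layout fail2ban uses, lists the enabled jails and reports every logpath glob that resolves to nothing, so the jail can be disabled or its logpath corrected before `service fail2ban start`. The jail.local text embedded in the script is a constructed sample.

```python
"""Pre-flight check for a fail2ban jail.local.

fail2ban aborts startup when an enabled jail has a logpath that matches
no file ("No file(s) found for glob ..."). This script lists the enabled
jails and which of their logpath globs resolve to nothing.

Added example, not fail2ban's own code. It assumes the plain ini layout
fail2ban reads: a [jailname] section carrying `enabled` and `logpath`,
with several paths separated by newlines or spaces.
"""
import configparser
import glob
import os
import tempfile

# Constructed sample jail.local: sshd points at a log that exists on a
# CentOS/NethServer box, nginx-http-auth at one that exists only if nginx
# is installed.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port = ssh
logpath = /var/log/secure

[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
"""


def enabled_jails(config_text):
    """Return {jail: [logpath patterns]} for every jail with enabled = true."""
    # interpolation=None: fail2ban values contain %(...)s tokens that
    # configparser would otherwise try to expand.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(config_text)
    jails = {}
    for section in cp.sections():  # DEFAULT is not listed here
        if not cp.getboolean(section, "enabled", fallback=False):
            continue
        raw = cp.get(section, "logpath", fallback="")
        jails[section] = raw.split()  # handles multi-line logpath values
    return jails


def missing_logs(jails, glob_fn=glob.glob):
    """Return {jail: [patterns matching no file]}; an empty dict means OK.

    glob_fn is injectable so the check can be run against a fake
    filesystem (used by the demo below and by tests).
    """
    missing = {}
    for jail, patterns in jails.items():
        bad = [p for p in patterns if not glob_fn(p)]
        if bad:
            missing[jail] = bad
    return missing


if __name__ == "__main__":
    # Demo on a throwaway directory: only a fake /var/log/secure exists.
    with tempfile.TemporaryDirectory() as tmp:
        secure = os.path.join(tmp, "secure")
        open(secure, "w").close()
        text = SAMPLE_JAIL_LOCAL.replace("/var/log/secure", secure)
        text = text.replace("/var/log/nginx/error.log",
                            os.path.join(tmp, "nginx", "error.log"))
        jails = enabled_jails(text)
        for jail, bad in missing_logs(jails).items():
            print("jail %s would stop fail2ban from starting: no file for %s"
                  % (jail, ", ".join(bad)))
```

Run it as root on the server with the real file instead of the sample (`enabled_jails(open("/etc/fail2ban/jail.local").read())`) to see which jails need `enabled = false` or a corrected logpath before restarting the service.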

well…

I have it working on NS, so no nginx (and I’ll not bother with it) :smile:

just followed a “fail2ban centos 6 setup” howto found out there with google…

created a jail.local file with my jails, that’s all

I probably followed the wrong howto. :smile:
I need to find more time to work on fail2ban.

Fail2ban is a mandatory… this should be a contrib.

A huge enhancement for fail2ban would be to store the blocked IPs in a database, because at startup iptables/fail2ban clears fail2ban’s list.

It may also become “core”, but I’m at a point where I can’t make it work.
Do you know alternatives?
If you have it working, I can help making it a contrib.

there’s a howto here:
http://wiki.contribs.org/Fail2ban

did you open an NFR here and there? :slight_smile:

We had another similar discussion here:

This is already done in the rebel side :smile:

you forgot to define the “rebel” side :smile:

The contribs cannot be copied and pasted, since the logs are custom in SME Server.

This post gave me a laugh because it reminded of when everyone lost their minds and jumped all over my shit about using csf.

I missed the train; now with version 0.9, a sqlite database is used to store the IPs of the ban list… out of the box


Indeed, the modularity of NethServer will complicate the problem: the template must check whether the service is running, or at least that the log file exists, and also follow the db properties of the service for the non-standard port case.

By the way, with version 0.9.3 the jail.conf is completely different from what I know.

Interesting :stuck_out_tongue:

I started to work on fail2ban as a module for NethServer. For the moment it is just note-taking and research work, but I’m facing some issues and some technical choices.

a) Fail2ban email

Fail2ban sends emails (can be enabled or not), but root cannot be a user credential in roundcube/sogo and the ‘admin’ user has no password set by default…

who will receive the fail2ban email by default?

in the end the destination user will be a choice set by a db command.

b) Firewall choice

Fail2ban can work with one of two firewalls: shorewall, which is available by default only for NS6.7, and iptables. I tested both and they are workable, except for one issue I will detail after the problem.

Of course shorewall is available by default only for NS6.7, so what about the dude who doesn’t want to upgrade his system? I cannot force an upgrade on him.

As the firewall side is really not my field of competence, please shout if I say something wrong.

c) Block the attackers

Shorewall doesn’t give you the choice (at least by default in fail2ban): the attacker is blocked on all ports; shorewall closes all ports once the number of attempts is exceeded (see /etc/fail2ban/action.d/shorewall.conf).
It is workable, but if someone plays with your server behind a gateway, the gateway will be blocked.

Am I wrong?

Iptables has more settings:

iptables (block one port), iptables-multiport (block several ports), iptables-allports (block all ports)

All are workable, but my issue is that every setting does the same thing and the firewall closes all ports for the attacker. The jail tested for now is ssh.

# iptables -L |grep -i web
REJECT     all  --  web.lan              anywhere            reject-with icmp-port-unreachable 

@Nas @zamboni can you share with us the blocked lines in your firewall please?

do

fail2ban-client status sshd

and search by the IP or the dns name or by

iptables -L |grep 'reject-with icmp-port-unreachable'

If you have hints, please share them.
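On the question of why every iptables action appears to block all ports: with fail2ban's iptables actions the REJECT rule for a banned address lives inside a per-jail chain and carries no port at all, so `iptables -L | grep <host>` shows only that line. The port restriction sits on the rule in INPUT that jumps into the jail chain (`dpt:22` for the single-port action, `multiport dports` for the multiport one, nothing for allports). The script below is an added example, not fail2ban's own code and not output from the servers in this thread; it parses `iptables -L -n` text together with `fail2ban-client status <jail>` text, both of which are constructed samples embedded in the script, reports which ports each jail chain really covers, and cross-checks that the addresses fail2ban believes it banned are the ones present in the firewall. It assumes the 0.9 chain prefix `f2b-` (the older release used `fail2ban-`; change the prefix argument for that).

```python
"""Show what a fail2ban jail actually blocks, from `iptables -L -n` text,
and cross-check it against `fail2ban-client status <jail>` text.

Added example, not fail2ban's own code. Assumes the fail2ban 0.9 layout:
one chain per jail named f2b-<jail>, a REJECT per banned address inside
it, and a jump rule in INPUT that limits which ports reach the chain.
"""
import re

# Constructed sample of `iptables -L -n`: sshd uses the single-port action
# (dpt:22), nginx-http-auth the multiport one (dports 80,443).
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
f2b-nginx-http-auth  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  192.0.2.10           0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-nginx-http-auth (1 references)
target     prot opt source               destination
REJECT     all  --  198.51.100.7         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

# Constructed sample of `fail2ban-client status sshd` (0.9 output layout).
SAMPLE_STATUS = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed:\t0
|  |- Total failed:\t5
|  `- File list:\t/var/log/secure
`- Actions
   |- Currently banned:\t1
   |- Total banned:\t1
   `- Banned IP list:\t192.0.2.10
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")
PORT_RE = re.compile(r"(?:dpt:|dports )([\d,:]+)")


def parse_chains(text):
    """Split `iptables -L -n` output into {chain: [rule fields]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line and not line.startswith("target"):
            chains[current].append(line.split())
    return chains


def jail_scope(iptables_text, prefix="f2b-"):
    """Per jail: the ports its INPUT jump covers and the addresses blocked.

    The REJECT lines never name a port; only the jump rule in INPUT does,
    which is why grepping for the attacker alone looks like an all-ports ban.
    """
    chains = parse_chains(iptables_text)
    result = {}
    for chain, rules in chains.items():
        if not chain.startswith(prefix):
            continue
        banned = [r[3] for r in rules if r[0] in ("REJECT", "DROP")]
        ports = "all"  # no port match on the jump rule means every port
        for r in chains.get("INPUT", []):
            if r[0] == chain:
                m = PORT_RE.search(" ".join(r))
                ports = m.group(1) if m else "all"
        result[chain[len(prefix):]] = {"ports": ports, "banned": banned}
    return result


def banned_from_status(status_text):
    """Addresses listed on the `Banned IP list:` line of fail2ban-client."""
    for line in status_text.splitlines():
        if "Banned IP list:" in line:
            return line.split(":", 1)[1].split()
    return []


def firewall_matches_status(jail, status_text, iptables_text):
    """True when the jail chain blocks exactly what fail2ban reports."""
    in_firewall = set(jail_scope(iptables_text).get(jail, {}).get("banned", []))
    return in_firewall == set(banned_from_status(status_text))


if __name__ == "__main__":
    for jail, info in jail_scope(SAMPLE_IPTABLES).items():
        print("%s: ports %s, blocked %s" % (jail, info["ports"], info["banned"]))
    print("sshd consistent:", firewall_matches_status("sshd", SAMPLE_STATUS, SAMPLE_IPTABLES))
```

On a live box, feed it `subprocess.check_output(["iptables", "-L", "-n"])` and `fail2ban-client status sshd` instead of the samples; a jail whose chain reports `ports all` is the allports action, and a mismatch between the status list and the chain is the symptom of the list being cleared at startup that was mentioned earlier in the thread.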


Hi Steph…

I’m sorry, but since I never use the standard ssh port, my ssh jail will never be triggered :slight_smile:

I think a good default could be not to send email at all. The fail2ban configuration page will allow adding an email address (a db prop will be ok for the first release).
I would support only 6.7 (i.e. shorewall only). That means about 90% of all systems.
Regarding blocking all ports, I think that if you have only one service on a system it’s not relevant. If you have multiple services we need to discover how often false alarms get triggered.
Then we can take a decision.
If you have some code to share (even a jail.conf) I will help with tests (and code if possible).