I was looking for the fail2ban package repositories, but not this.
Can it be installed from the CentOS 6.x repositories?
I installed fail2ban from the epel repo, but I never succeeded in starting it.
I never used it, but I didn't like that it can't auto-detect what services the system is using.
If you have a working fail2ban installation, I'd like to have a look at the configuration.
installed from epel 3 months ago, up and running with no issues...
which file do you need?
I'm not sure about the file I need. The howto I briefly tried to follow directed me to modify /etc/fail2ban/jail.local.
But even when I deleted all references to nginx in that file I saw:
Starting fail2ban: ERROR No file(s) found for glob /var/log/nginx/error.log
ERROR Failed during configuration: Have not found any log file for nginx-http-auth jail
What files did you modify? I think I need them all.
well...
I have it working on NS, so no nginx (and I'll not bother with it)
just followed a "fail2ban centos 6 setup" howto found out there with google...
created a jail.local file with my jails, that's all
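A minimal jail.local of the kind described here, added as an example and not a file posted in the thread. It assumes the fail2ban 0.9 jail names (sshd, nginx-http-auth) and CentOS 6 log paths; ignoreip, bantime and the other values are placeholders to adapt. Settings in jail.local override jail.conf, and a jail whose log file does not exist on the box (the nginx-http-auth case above) must not be enabled, otherwise fail2ban refuses to start.

```ini
# Added example: /etc/fail2ban/jail.local for fail2ban 0.9 on CentOS 6 (EPEL).
# Only the jails enabled here run; everything else keeps the jail.conf defaults.
# Values are assumptions to adapt to the local network and policy.
[DEFAULT]
# Never ban the local box or the LAN gateway (placeholder LAN range)
ignoreip  = 127.0.0.1/8 192.168.1.0/24
bantime   = 3600
findtime  = 600
maxretry  = 5
# Block only the jail's port(s), not every port, for the banned address
banaction = iptables-multiport

[sshd]
enabled = true
port    = ssh
logpath = /var/log/secure

# Explicitly off: no nginx on this box, so no /var/log/nginx/error.log
[nginx-http-auth]
enabled = false
```

After editing, `fail2ban-client status` lists the jails that actually started, and `fail2ban-client status sshd` shows the log file the sshd jail picked up and the banned addresses.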
I probably followed the wrong howto.
I need to find more time to work on fail2ban.
Fail2ban is a mandatory... this should be a contrib.
A huge enhancement for fail2ban would be to store blocked IPs in a database, because at startup iptables/fail2ban clears its list.
It may also become "core", but I'm at a point where I can't make it work.
Do you know alternatives?
If you have it working, I can help making it a contrib.
there's a howto here:
http://wiki.contribs.org/Fail2ban
did you open a NFR here and there?
We had another similar discussion here:
This is already done in the rebel side
you forgot to define the "rebel" side
The contribs cannot be copied and pasted since the logs are custom in SME Server
This post gave me a laugh because it reminded of when everyone lost their minds and jumped all over my shit about using csf.
I missed the train, now with version 0.9 a sqlite database is used to store the IPs of the ban list... out of the box
Indeed, the modularity of NethServer will complicate the problem: the template must check whether the service is running, or at least whether the log file exists, and also follow the service's db properties for the non-standard port case.
By the way, with version 0.9.3 the jail.conf is completely different from what I know
Interesting
I started to work on fail2ban as a module for NethServer; for the moment it is just note-taking and research work, but I'm facing some issues and some technical choices.
a) Fail2ban email
Fail2ban sends emails (can be enabled or not), but root cannot be a user credential in roundcube/sogo and the "admin" user has no password set by default...
who will receive the fail2ban email by default?
In the end the destination user will be a choice made by a db command.
b) Firewall choice
Fail2ban can work with one of two firewalls: shorewall, which is available by default only for NS6.7, and iptables. I tested both and they are workable, except for one issue I will detail after the problem.
Of course shorewall is available by default only for NS6.7, so what about the dude who doesn't want to upgrade his system? I cannot force an upgrade on him.
As the firewall side is really not my field of competence, please shout if I say something wrong.
c) block the attackers
Shorewall doesn't give you the choice (at least by default in fail2ban): the attacker is blocked on all ports, shorewall closes all ports after the number of attempts is exceeded (see /etc/fail2ban/action.d/shorewall.conf).
It is workable, but if someone plays with your server behind a gateway, the gateway will be blocked.
Am I wrong?
iptables has more settings:
iptables (block one port), iptables-multiport (block several ports), iptables-allports (block all ports)
All are workable, but my issue is that every setting does the same thing and the firewall closes all ports for the attacker. The jail tested for now is ssh.
# iptables -L |grep -i web
REJECT all -- web.lan anywhere reject-with icmp-port-unreachable
@Nas @zamboni can you share with us the blocked lines in your firewall please?
do
fail2ban-client status sshd
and search by the IP or the dns name or by
iptables -L |grep 'reject-with icmp-port-unreachable'
If you have hints, please share them
Hi Steph...
I'm sorry but since I never use the standard ssh port, my ssh jail will never be triggered
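One thing worth checking before concluding that every iptables action blocks all ports: the `REJECT all` line that `iptables -L | grep` shows lives inside the per-jail chain (f2b-<jail> in 0.9), and traffic only reaches that chain through the jump rule fail2ban inserts in INPUT. With the iptables and iptables-multiport actions that jump carries a port match (`tcp dpt:22` or `multiport dports 22`), so the reject only applies to those ports; with iptables-allports the jump has no port match. The script below is an added example, not code from the thread or from fail2ban; it reads `iptables -L -n` output (a constructed sample with RFC 5737 test addresses is embedded) and reports, per fail2ban chain, which ports the ban is actually limited to and which sources are currently rejected.

```python
"""Added example: read `iptables -L -n` output and show, for each fail2ban
chain, which INPUT rule jumps into it and on which ports, plus the source
addresses currently rejected inside the chain. Sample data is constructed."""
import re

# Constructed sample of `iptables -L -n` output with fail2ban 0.9 chain names:
# an sshd jail using iptables-multiport and a recidive jail using iptables-allports.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
f2b-recidive  all  --  0.0.0.0/0         0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  192.0.2.10           0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-recidive (1 references)
target     prot opt source               destination
REJECT     all  --  198.51.100.7         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""


def parse_chains(text):
    """Return {chain_name: [rule_line, ...]} from `iptables -L -n` output."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif not line.strip() or line.startswith("target"):
            continue  # blank separator or the column header line
        elif current is not None:
            chains[current].append(line)
    return chains


def jump_scope(chains, chain="INPUT"):
    """For every jump into an f2b-* chain, return the port match it carries:
    '22' for `tcp dpt:22`, '22,80' for `multiport dports 22,80`, or 'all'
    when the jump has no port match (what iptables-allports installs)."""
    scope = {}
    for rule in chains.get(chain, []):
        target = rule.split()[0]
        if not target.startswith("f2b-"):
            continue
        m = re.search(r"(?:dports?\s+|dpt:)(\S+)", rule)
        scope[target] = m.group(1) if m else "all"
    return scope


def banned_ips(chains):
    """Return {f2b_chain: [source address of each REJECT/DROP rule]}."""
    result = {}
    for name, rules in chains.items():
        if not name.startswith("f2b-"):
            continue
        # Column order in `iptables -L -n`: target prot opt source destination ...
        result[name] = [r.split()[3] for r in rules if r.split()[0] in ("REJECT", "DROP")]
    return result


def report(text):
    """One line per banned address saying how far the ban actually reaches."""
    chains = parse_chains(text)
    scope = jump_scope(chains)
    lines = []
    for chain, ips in sorted(banned_ips(chains).items()):
        ports = scope.get(chain)
        if ports is None:
            where = "unreachable: no jump from INPUT"
        elif ports == "all":
            where = "all ports"
        else:
            where = "port(s) %s only" % ports
        for ip in ips:
            lines.append("%s: %s blocked on %s" % (chain, ip, where))
    return lines


if __name__ == "__main__":
    # Live use on the box: iptables -L -n | python this_script.py
    # Without piped input the constructed sample is used.
    import sys
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPTABLES
    print("\n".join(report(src)))
```

On the sample this reports the sshd ban as limited to port 22 and the recidive ban as covering all ports, which is the distinction a bare `grep REJECT` hides. Note that `iptables -L` without `-n` resolves addresses to names (web.lan in the output above), so match on the resolved name or use `-n` to keep the raw address.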
I think a good default could be not to send email at all. The fail2ban configuration page will permit to add an email address (a db prop will be ok for the first release).
I would support only 6.7 (i.e. shorewall only). That means about 90% of all systems.
Regarding the blocking of all ports, I think that if you have only one service on a system it's not relevant. If you have multiple services we need to discover how often false alarms get triggered.
Then we can take a decision.
If you have some code to share (even a jail.conf) I will help with tests (and code if possible).