Fail2ban in NethServer

I probably followed the wrong howto. :smile:
I need to find more time to work on fail2ban.

Fail2ban is mandatory… this should be a contrib.

A huge enhancement for fail2ban would be to store blocked IPs in a database, because at startup iptables/fail2ban clears its ban list.

It may also become “core”, but I’m at a point where I can’t make it work.
Do you know alternatives?
If you have it working, I can help making it a contrib.

there’s a howto here:

did you open a NFR here and there? :slight_smile:

We had another similar discussion here:

This is already done in the rebel side :smile:

you missed to define the “rebel” side :smile:

The contribs cannot be copied and pasted, since the logs are custom in SME Server.

This post gave me a laugh because it reminded of when everyone lost their minds and jumped all over my shit about using csf.

I missed the train: now, with version 0.9, a sqlite database is used to store the IPs of the ban list… out of the box.


Indeed, the modularity of NethServer will complicate the problem: the template must check whether the service is running, or at least whether the log file exists, and must also follow the db properties of the service for the non-standard-port case.

By the way, with version 0.9.3 the jail.conf is completely different from what I know.

Interesting :stuck_out_tongue:

I started to work on fail2ban as a module for NethServer. For the moment it is just notes and research work, but I’m facing some issues and some technical choices.

a) Fail2ban email

Fail2ban sends emails (can be enabled or not) but root cannot be a user credential in roundcube/sogo and the ‘admin’ user has no password set by default…

Who will receive the fail2ban email by default?

In the end, the destination user will be a choice set by a db command.

b) Firewall choice

Fail2ban can work with one of two firewalls: shorewall, which is available by default only for NS6.7, and iptables. I tested both and they are workable, except for one issue I will detail after the problem.

Of course shorewall is available by default only for NS6.7, so what about the dude who doesn’t want to upgrade his system? I cannot force an upgrade on him.

As the firewall side is really not my field of competency, please shout if I say something wrong.

c) Block the attackers

Shorewall doesn’t give you the choice (at least by default in fail2ban): the attacker is blocked on all ports. Shorewall closes all ports once the number of attempts is exceeded (see /etc/fail2ban/action.d/shorewall.conf).
It is workable, but if someone plays with your server from behind a gateway, the gateway will be blocked.

Am I wrong?

Iptables has more settings

iptables (block one port), iptables-multiport (block several ports), iptables-allports (block all ports)

All are workable, but my issue is that every setting does the same thing and the firewall closes all ports for the attacker. The jail tested for now is ssh.

# iptables -L |grep -i web
REJECT     all  --  web.lan              anywhere            reject-with icmp-port-unreachable 

@Nas @zamboni can you share with us the blocked lines in your firewall please?


fail2ban-client status sshd

and search by the IP or the dns name or by

iptables -L |grep 'reject-with icmp-port-unreachable'

If you have hints, please share them.


Hi Steph…

I’m sorry but since I never use the standard ssh port, my ssh jail will never be triggered :slight_smile:

I think a good default could be not to send email at all. The fail2ban configuration page will permit to add an email address (a db prop will be ok for the first release).
I would support only 6.7 ( i.e. shorewall only). That means about 90% of all systems.
Regarding the block of all ports, I think that if you have only one service on a system it’s not relevant. If you have multiple services we need to discover how often false alarms get triggered.
Then we can take a decision.
If you have some code to share (even a jail.conf) I will help with tests (and code if possible).

for now I’m testing some workable cases, and I implemented several jails

# ll /etc/fail2ban/jail.d/
total 48
-rw-r--r--. 1 root root  26 Nov 28 10:32 dovecot.local
-rw-r--r--. 1 root root 509 Nov 28 08:19 httpd.local
-rw-r--r--. 1 root root 202 Nov 29 04:14 jail.local
-rw-r--r--. 1 root root  61 Nov 28 17:11 mysql-auth.local
-rw-r--r--. 1 root root  45 Nov 29 04:08 pam-generic.local
-rw-r--r--. 1 root root  26 Nov 28 10:29 postfix.local
-rw-r--r--. 1 root root  28 Nov 28 10:34 recidive.local
-rw-r--r--. 1 root root  74 Nov 28 10:16 roundcubemail.local
-rw-r--r--. 1 root root  24 Nov 28 10:32 sieve.local
-rw-r--r--. 1 root root  28 Nov 28 10:10 sogo.local
-rw-r--r--. 1 root root  81 Nov 28 17:41 sshd.local
-rw-r--r--. 1 root root  88 Nov 28 10:25 vsftpd.local

I believe that my issues came from the pam-generic jail, which has an iptables-allports action… most of the time I have just enabled the jail (enabled = true), but I wonder whether I need to provide a full jail configuration in each local file. Indeed the rpm can be updated by the fail2ban team with other configurations that could lead to bugs.

I also plan to provide a jail for nginx; I suppose that you use ports 443 and 80?
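A way to check which ports a ban actually covers, as an added example that is not code from this thread or from NethServer: it parses `iptables -S` output (the sample below is constructed) and reads the port scope from each INPUT jump rule, because the REJECT rule inside a fail2ban chain matches "all" protocols and looks like a total block in `iptables -L`, while it is only reached for the ports named in the jump. Chain names assume the stock iptables actions (f2b-<jail> in 0.9, fail2ban-<name> in 0.8).

```python
import re
from collections import defaultdict

# Constructed sample of `iptables -S` output, not a real capture. The sshd jail
# uses the plain iptables action, httpd uses iptables-multiport and pam-generic
# uses iptables-allports, as suspected in the post above.
SAMPLE_RULES = """\
-A INPUT -p tcp -m tcp --dport 22 -j f2b-sshd
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-httpd
-A INPUT -p tcp -j f2b-pam-generic
-A f2b-sshd -s 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A f2b-httpd -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-httpd -j RETURN
-A f2b-pam-generic -s 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-pam-generic -j RETURN
""".splitlines()

# Jump from INPUT into a fail2ban chain; the match part carries the port scope.
JUMP_RE = re.compile(r"^-A INPUT (?P<match>.*?)-j (?P<chain>(?:f2b|fail2ban)-\S+)$")
# Per-IP ban rule inside a fail2ban chain (REJECT or DROP blocktype).
BAN_RE = re.compile(r"^-A (?P<chain>(?:f2b|fail2ban)-\S+) -s (?P<ip>[^/\s]+)(?:/\d+)? -j (?:REJECT|DROP)")
PORT_RE = re.compile(r"--dports? (\S+)")
PROTO_RE = re.compile(r"-p (\S+)")

def chain_scopes(lines):
    """Map each fail2ban chain to the port scope of its INPUT jump rule."""
    scopes = {}
    for line in lines:
        m = JUMP_RE.match(line.strip())
        if not m:
            continue
        proto = PROTO_RE.search(m.group("match"))
        ports = PORT_RE.search(m.group("match"))
        proto_s = proto.group(1) if proto else "any"
        # No --dport(s) on the jump means every port of that protocol is diverted.
        scopes[m.group("chain")] = ("ports %s/%s" % (ports.group(1), proto_s)
                                    if ports else "ALL ports/%s" % proto_s)
    return scopes

def explain_bans(lines):
    """For every banned IP, list (chain, scope) pairs explaining what is really blocked."""
    scopes = chain_scopes(lines)
    bans = defaultdict(list)
    for line in lines:
        m = BAN_RE.match(line.strip())
        if m:
            chain = m.group("chain")
            bans[m.group("ip")].append((chain, scopes.get(chain, "unknown (no INPUT jump)")))
    return dict(bans)

def blocked_everywhere(lines):
    """IPs that at least one jail blocks on all ports (the gateway problem)."""
    return sorted(ip for ip, hits in explain_bans(lines).items()
                  if any(scope.startswith("ALL") for _, scope in hits))
```

Running `explain_bans` over real `iptables -S` output shows, per banned IP, which jail restricts it to one port and which jail (here pam-generic) closes everything.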


To make Fail2ban work you need to adjust the Shorewall config files.

Can you share with us what you did in the configuration files? For now I would prefer to use iptables because the action configuration is more powerful (close all ports, one port, several ports).
I recall that the default action of shorewall can only close all ports when an IP is blacklisted.

So little steps for NS version 6.6:

  1. copy jail.conf to jail.local


    enabled = true
    filter = sshd
    action = shorewall[name=SSH, port=ssh, protocol=tcp]
             sendmail-whois[name=SSH,,, sendername="Fail2Ban"]
    logpath = /var/log/secure
    maxretry = 3


    enabled = true
    filter = sshd-ddos
    action = shorewall[name=SSHDDOS, port=ssh, protocol=tcp]
    logpath = /var/log/secure
    maxretry = 2

  2. Edit Shorewall



a) Edit permanent
cp /etc/e-smith/templates/etc/shorewall/shorewall.conf /etc/e-smith/templates-custom/etc/shorewall/shorewall.conf
edit 60options

  3. Edit /etc/fail2ban/action.d/shorewall.conf

    actionban = shorewall
    actionunban = shorewall allow
    blocktype = drop

  4. To show blocked IPs

    shorewall show dynamic


Isn’t it a problem if you block all services for an IP?
In the case of a gateway with several users behind it, might it be too much?

Just thoughts to share, IMHO; I’m still developing the module.