Fail2ban in NethServer

Is it not a problem if you block all services for an IP?
In the case of a gateway with several users behind it, might that be too much?

Just thoughts to share, IMHO; I'm still developing the module.

I don’t have experience with fail2ban, but looking at a lot of logs on many servers I’d say “no”.
Let's start with this working config; we will tune it later.

I plan to leave the choice of the action (what to do when an IP is found in your log) to a db command; after that we can test which is the best choice.

The default will be iptables-multiport (close the relevant port), but it can be changed to shorewall or iptables-allports (close all ports).

fail2ban is a utility only for scanning logs and banning double or triple attempts. It is not a firewall or something else.

Agreed, except that it triggers an action in the firewall, which blocks the relevant service port tested by the IP.

So here is a new version of the manual for NS version 6.7:

  1. Install fail2ban

  2. Edit the custom config

    mkdir -p /etc/e-smith/templates-custom/etc/shorewall/shorewall.conf
    cp -p /etc/e-smith/templates/etc/shorewall/shorewall.conf/60options /etc/e-smith/templates-custom/etc/shorewall/shorewall.conf/60options
    vim /etc/e-smith/templates-custom/etc/shorewall/shorewall.conf/60options

    BLACKLIST="ALL"

  3. Edit jail.local for further updates

    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    vim /etc/fail2ban/jail.local

    usedns = no
    banaction = shorewall
    #
    # JAILS
    #

    [sshd]
    enabled = true
    port    = ssh
    logpath = %(sshd_log)s
    maxretry = 2

  4. Edit /etc/fail2ban/action.d/shorewall.conf

    blocktype = drop

  5. To find out who is blocked, run:

    shorewall show dynamic

  6. To test filters for other services, run:

    fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/sshd-ddos.conf

    Running tests

    Use   failregex filter file : sshd-ddos, basedir: /etc/fail2ban
    Use log file : /var/log/messages
    Use encoding : UTF-8

    Results

    Failregex: 27 total
    |- #) [# of hits] regular expression
    | 1) [27] ^\s*(<[^.]+.[^.]+>)?\s*(?:\S+ )?(?:kernel: [ \d+.\d+] )?(?:@vserver_\S+ )?(?:(?:[\d+])?:\s+[[(]?sshd(?:(\S+))?[])]?:?|[[(]?sshd(?:(\S+))?[])]?:?(?:[\d+])?:?)?\s(?:[ID \d+ \S+])?\sDid not receive identification string from \s*$
    `-
    Ignoreregex: 0 total

    Lines: 39917 lines, 0 ignored, 27 matched, 39890 missed [processed in 8.54 sec]
    Missed line(s): too many to print. Use --print-all-missed to print all 39890 lines

  7. For verbose output, use:

    fail2ban-regex -v /var/log/messages /etc/fail2ban/filter.d/sshd-ddos.conf

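As an added example (my own, not code from the thread or from the nethserver-fail2ban module), the jail.local and shorewall.conf edits of steps 3 and 4 above done with awk instead of vim, so they can be scripted and re-run without duplicating keys. File paths are parameters; the jail.conf content used for testing is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or the nethserver-fail2ban module:
# the jail.local and shorewall.conf edits of steps 3 and 4 done with awk, so
# they can be scripted and re-run. The file paths are parameters.

# tune_jail_local FILE: in [DEFAULT] set usedns = no and banaction = shorewall;
# in [sshd] set enabled = true and maxretry = 2, adding the keys if absent.
tune_jail_local() {
    file=$1
    tmp=$(mktemp) || return 1
    awk '
    # Called when leaving a section: add to [sshd] whatever it did not contain.
    function flush_sshd() {
        if (sect == "sshd") {
            if (!seen_enabled)  print "enabled = true"
            if (!seen_maxretry) print "maxretry = 2"
        }
    }
    /^\[.*\]$/ {
        flush_sshd()
        sect = substr($0, 2, length($0) - 2); seen_enabled = 0; seen_maxretry = 0
    }
    sect == "DEFAULT" && /^usedns[ \t]*=/    { print "usedns = no";           next }
    sect == "DEFAULT" && /^banaction[ \t]*=/ { print "banaction = shorewall"; next }
    sect == "sshd"    && /^enabled[ \t]*=/   { print "enabled = true"; seen_enabled = 1;  next }
    sect == "sshd"    && /^maxretry[ \t]*=/  { print "maxretry = 2";   seen_maxretry = 1; next }
    { print }
    END { flush_sshd() }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# set_blocktype_drop FILE: step 4, switch the shorewall action from reject to drop.
set_blocktype_drop() {
    tmp=$(mktemp) || return 1
    awk '/^blocktype[ \t]*=/ { print "blocktype = drop"; next } { print }' "$1" > "$tmp" \
        && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Usage on a real system (after `cp jail.conf jail.local` as in step 3):
#   tune_jail_local /etc/fail2ban/jail.local
#   set_blocktype_drop /etc/fail2ban/action.d/shorewall.conf
```

Running it twice leaves the files unchanged, which is what you want from an rpm post-install or a template action.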

Thanks for your inputs.

As you demonstrated, you are using a custom template; it is a quick solution, but I cannot provide a solution with a custom template for an rpm. I would prefer that the core accept the PR:

-  BLACKLIST="NEW,INVALID,UNTRACKED"
+ BLACKLIST="ALL"
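Review bot: the widening from NEW,INVALID,UNTRACKED to ALL needs its rationale next to the change. With the narrower value a shorewall ban added by fail2ban applies only to new connections, so an attacker's already established session keeps working until it closes; ALL makes the ban take effect immediately, which is the behaviour the iptables actions give. A one-line comment in the 60options template stating this would avoid the question being asked again.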

and the explanation of why you did it:

The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a new shorewall rule to ban an IP address, that rule will affect only new connections. So if the attempter goes on trying using the same connection he could even log in. In order to get the same behavior of the iptable action (so that the ban is immediate) the /etc/shorewall/shorewall.conf file should be modified with "BLACKLISTNEWONLY=No". Note that as of Shorewall 4.5.13 BLACKLISTNEWONLY is deprecated; however the equivalent of BLACKLISTNEWONLY=No can now be achieved by setting BLACKLIST="ALL".

@giacomo what do you think of that?

- blocktype = reject
+ blocktype = drop
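Review bot: switching blocktype from reject to drop changes what a banned host sees, from an ICMP answer to silently discarded packets; that is a defensible default for external attackers, but since /etc/fail2ban/action.d/shorewall.conf is a file shipped by the fail2ban package, the override belongs in /etc/fail2ban/action.d/shorewall.local so a package update does not revert it.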

Yep, it is always the same question: reject with an ICMP answer, or drop silently :slight_smile: Funny that they chose the first solution by default.

Maybe I could provide a /etc/fail2ban/action.d/shorewall.local with your changes.

Link to documentation: Level up IRL: fail2ban with Shorewall

As for services, I suggest adding a filter for ejabberd:

    [ejabberd-auth]
    enabled = true
    port    = 5222
    logpath = /var/log/ejabberd/ejabberd.log
    maxretry  = 2

Mail service and webmail service:

    [root@nethserver-dev ~]# fail2ban-client status
    Status
    |- Number of jail:	16
    `- Jail list:	apache-auth, apache-badbots, apache-fakegooglebot, apache-nohome, apache-noscript, apache-overflows, dovecot, mysqld-auth, pam-generic, postfix, postfix-rbl, recidive, roundcube-auth, sieve, sshd, sshd-ddos

I have not done the jabber jail yet; I will do it later. Currently there are around 16 jails.

As for this, the whole explanation is in /etc/fail2ban/action.d/shorewall.conf.

But it works with BLACKLIST="NEW,INVALID,UNTRACKED" too, I have rechecked:

    [root@nethserver shorewall]# shorewall show dynamic

    Shorewall 4.6.4.3 Chain dynamic at nethserver.itc-s.net - Sat Dec 12 00:42:02 EET 2015

    Counters reset Sat Dec 12 00:38:04 EET 2015

    Chain dynamic (10 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       72.55.159.236        0.0.0.0/0
        0     0 DROP       all  --  *      *       72.55.159.234        0.0.0.0/0

Sorry for the late response!

Since this option is strictly related to dynamic blacklists (which are unused at this time) I don't see any drawback in changing the default value to "ALL".
Or, at least, we can use the new default shorewall value: "NEW,ESTABLISHED,INVALID,UNTRACKED".
(See http://shorewall.net/manpages/shorewall.conf.html)

Yes it works, but with this configuration it will not block the established connections.
IMHO this is why the option doesn’t affect fail2ban behavior.

I think the “drop” action is much better when blocking external connections.

Recap
If you need, we can change the default value of BLACKLIST option: just say it and I will open the issue and do the modification.


Thanks a lot :smile: We will see later; I need outside views on other questions @filippo_carletti @giacomo @devteam

I'm looking to have something workable following the KISS vision: the least admin action needed. In short, you install the apache service (for example) and the apache fail2ban jail is activated.

For that, in my template, I'm looking at the status of apache and also at the status of each jail:

https://github.com/stephdl/nethserver-fail2ban/blob/ns6devel/root/etc/e-smith/templates/etc/fail2ban/jail.local/10apache.local

The status of each jail is important because we cannot activate all jails at the same time (some are redundant, others are not wanted, and the startup time of the fail2ban service grows with the number of jails), and in the end I want to leave the admin the choice of whether he wants a jail or not.

My issue concerns how to expand the templates and restart the fail2ban service when you install a new rpm, OR change the status of a service (runlevel-adjust), OR change the port of a service (firewall-adjust event).

With all modules installed, fail2ban takes 13 seconds to restart and around 8-10 seconds to reload its configuration... this is where my problem is.

If I use runlevel-adjust AND firewall-adjust at the same time, the template and the service will be expanded/restarted twice when I install an rpm, and 25 seconds can be a really long time to wait.

Therefore I see a few solutions:

  • Launch the event nethserver-fail2ban-save manually after each module installation. I don't like this solution.
  • If the 'shorewall' action is used, all ports are blocked for the attacker, so I don't need to specify the port number, and expanding/restarting the fail2ban template/service when you change a TCP port is useless... I can avoid the 'firewall-adjust' event and use only runlevel-adjust.

My other question relates to the db properties I made. For now I made a lot of db properties, but with fallback options in the templates; I wonder whether I didn't make too many. Generally speaking I make only the status properties visible, the others are hidden, but you need to read the documentation if you want to find them.

https://github.com/stephdl/nethserver-fail2ban/tree/ns6devel/root/etc/e-smith/db/configuration/defaults/fail2ban

Of course at the end, a panel could be made…

I prefer this one.
It’s a little bit slow, but we can’t workaround it and should work in most scenarios.

Your implementation is good and clean, but I agree with you on the number of db properties. This is my suggestion: most users will not need to change the maxretry option for each sub-jail (like apache-badbots or apache-noscript), so we could remove the property and leave this type of customization to a custom template.

To further simplify the configuration, I was wondering if we can have only a global “ApacheStatus” property: if this is set to true, all sub-jails will be enabled. What do you think?

Ok, but I need to add a 'conflicts' dependency in the spec file... shorewall is there by default with NS6.7 and I don't want to force the upgrade for other versions.

Agreed, or leave hidden properties in the template if needed; no need to do a custom template. Just to explain why I did this type of 'maxretry': they were in the initial configuration file, so if the fail2ban developers wrote them, they have their reasons.

Sorry, I worry that I understood badly; actually it works like this:

  • look at the service status of apache
  • if enabled, write the template
  • following the status property of each jail, write 'true' or 'false' (maybe we can hide properties in the template and leave visible only the really important properties, I mean: BanAction, BanTime, FindTime, IgnoreIP, MaxRetry, status, type)

For now I have three jails disabled by default for apache:

ApacheBotsearch_status false (redundant with badbots)
ApacheModsecurity_status false (maybe it should be enabled)
ApacheShellshock_status false (disabled because I suppose that the shellshock is not concerning NS)

For documentation of filters: fail2ban/config/filter.d at master · fail2ban/fail2ban · GitHub


Dears, here are my 2 cents :slight_smile: from practice.

  1. First of all we should check all filters for compatibility with our log files; if they don't match, make our own custom filters.
  2. While setting up fail2ban, all our services should have a suitable jail, disabled (except ssh) in the jail.local file.
  3. While setting up Apache or another service, its jail becomes enabled ("maxretry" should be 10, as in my practice in production).
  4. As for db: name, maxretry, bantime, findtime.
  5. We need a tool for unbanning, because it is quite complicated for newbies.

I agree, this needs to be tested on real servers; I have only tested the sshd jail for now.

It can be changed individually with a hidden property or globally with a MaxRetry property.

Well, it is not hard; this should be documented:

    shorewall show dynamic   # see banned IPs
    shorewall allow {IP}     # unban an IP

I did a little script, fail2ban-listban, for listing all IPs currently banned in all jails; it will help for debugging.

For now the local network is ignored, but you can make an exception (BanLocalNetwork enabled), and also add other IPs that you never want to be banned (IgnoreIP property, comma-separated list).

I will try to release the alpha tonight.

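The fail2ban-listban script mentioned above is not shown in the thread; this added example (my own, not the module's script) does the same job by parsing fail2ban-client output. The overall status format is the one pasted earlier in this thread; the per-jail "Banned IP list:" line is assumed from fail2ban 0.9, and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not the module's fail2ban-listban: list the banned IPs of every
# jail from fail2ban-client output. The overall status format is the one pasted
# in this thread; the per-jail "Banned IP list:" line is assumed (fail2ban 0.9).

# Read `fail2ban-client status` on stdin, print one jail name per line.
parse_jail_list() {
    # Source line:  `- Jail list:<TAB>apache-auth, apache-badbots, ..., sshd-ddos
    sed -n 's/^.*Jail list:[[:space:]]*//p' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Read `fail2ban-client status <jail>` on stdin, print its banned IPs (space separated).
parse_banned_ips() {
    sed -n 's/^.*Banned IP list:[[:space:]]*//p'
}

# Query the live daemon: one line per jail, "jail: ip ip ..." ("-" when nothing is banned).
listban() {
    fail2ban-client status | parse_jail_list | while read -r jail; do
        ips=$(fail2ban-client status "$jail" | parse_banned_ips)
        printf '%s: %s\n' "$jail" "${ips:--}"
    done
}

# Constructed sample output (the real output separates label and value with a tab).
SAMPLE_STATUS='Status
|- Number of jail:  3
`- Jail list:   sshd, roundcube-auth, postfix'
SAMPLE_JAIL='Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 5
|  `- File list:    /var/log/secure
`- Actions
   |- Currently banned:    2
   |- Total banned:    2
   `- Banned IP list:  192.0.2.10 198.51.100.7'

if [ "${1:-}" = "--live" ]; then
    listban                                          # on a host with fail2ban running
else
    printf '%s\n' "$SAMPLE_STATUS" | parse_jail_list   # sshd / roundcube-auth / postfix
    printf '%s\n' "$SAMPLE_JAIL" | parse_banned_ips    # 192.0.2.10 198.51.100.7
fi
```

Run it with --live on the server to print the real list; without arguments it only exercises the parsers on the constructed samples.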

Wow that’s awesome! :+1:


A bit postponed... coming soon.

Looking forward to testing it out :slight_smile:

I am having issues figuring this out and I am under attack at the moment... I really need direct information on what the steps are for installation... I know how to configure it because I use it on my Debian servers...

Here is what I am getting...

    [root@webserver ~]# yum update
    Loaded plugins: changelog, fastestmirror, nethserver_events, presto
    Setting up Update Process
    Loading mirror speeds from cached hostfile
     * centos-base: ca.mirror.babylon.network
     * centos-updates: ca.mirror.babylon.network
     * nethserver-base: mirror.nethserver.org
     * nethserver-updates: mirror.nethserver.org
    No Packages marked for Update
    [root@webserver ~]# yum install fail2ban
    Loaded plugins: changelog, fastestmirror, nethserver_events, presto
    Setting up Install Process
    Loading mirror speeds from cached hostfile
     * centos-base: ca.mirror.babylon.network
     * centos-updates: ca.mirror.babylon.network
     * nethserver-base: mirror.nethserver.org
     * nethserver-updates: mirror.nethserver.org
    No package fail2ban available.
    Error: Nothing to do
    [root@webserver ~]#