I set up nethserver 7.5 and integrated a Windows 7 machine in AD. I installed Thunderbird, the Nextcloud app and the Mattermost app on the Windows 7 client. Within my home network everything is fine.
When being external, e.g. travelling on a guest WLAN, for some reason fail2ban blocks the IP of the host. E.g. during my vacation, the IP of the hotel got blocked from some activities.
Consequently I am not able to connect to SOGo, cloud or any other service. For some WLANs, I can set up an exception IP, but this is not meaningful for all cases (e.g. the hotel WLAN).
fail2ban is triggered mainly by the apache-auth service. Does anybody have an idea how to find out which service on my Windows client triggers the blocking? Which service “fires” at nethserver causing the block?
This filter matches the authorization failures of Apache. It takes the log messages
from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
In /var/log/fail2ban.log you see the fail2ban entries/bans. You may follow the log with tail -f /var/log/fail2ban.log while trying to reproduce the bans with an external client to check when the ban occurs. You may get more details in /var/log/httpd/ssl_error_log or /var/log/httpd/error_log.
I think it could be some saved wrong user/password in a browser.
I got an idea, but I am not sure. I kindly ask for a counter-check.
The regex within /etc/fail2ban/filter.d/apache-auth.conf seems to match
the text “client denied by server configuration:”
In my /var/log/httpd/error_log I do find:
[Thu Aug 16 08:34:49.129189 2018] [access_compat:error] [pid 16245] [client 185.46.214.86:19132] AH01797: client denied by server configuration: /var/www/html/wpad.dat
[Thu Aug 16 08:34:49.187062 2018] [access_compat:error] [pid 16245] [client 185.46.214.86:19132] AH01797: client denied by server configuration: /var/www/html/wpad.dat
[Thu Aug 16 08:34:49.247098 2018] [access_compat:error] [pid 16245] [client 185.46.214.86:19132] AH01797: client denied by server configuration: /var/www/html/wpad.dat
It seems to be related to wpad.dat …
I counter-checked Firefox and found that it is not configured to “no proxy” but to “system proxy”. Corrected that; let's see if this helps …
Check in /var/log/fail2ban.log which jail banned you, then use fail2ban-regex to retrieve the lines that triggered the ban. For example, this is the apache-auth jail:
[root@prometheus ~]# fail2ban-client status apache-auth
Status for the jail: apache-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/httpd/error_log /var/log/httpd/ssl_error_log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-auth.conf --print-all-matched
or fail2ban-regex /var/log/httpd/ssl_error_log /etc/fail2ban/filter.d/apache-auth.conf --print-all-matched
You should be able to see which lines matched; after that, adapt it to the relevant log file, especially if it was rotated.
^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
in /etc/fail2ban/filter.d/apache-auth.
I changed to
^%(_apache_error_client)s (AH(01797|01630): )?client denie_d by server configuration: (uri )?\S*(, referer: \S+)?\s*$
for trial purposes. Currently I am at my customer's / external. I will report this evening if I get kicked out again.
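To make the matching in this thread concrete, here is an added Python example (not part of the original posts, and not fail2ban's own code) that applies the apache-auth failregex quoted above to the three error_log lines from the thread plus some constructed lines, counts failures per client the way a jail with maxretry would, and shows the effect of excluding wpad.dat requests instead of editing the failregex. The expanded `_apache_error_client` prefix, the constructed client 203.0.113.7 and its paths, and the `IGNORE_WPAD` pattern are assumptions made for the example.

```python
import re
from collections import Counter

# Stand-in for fail2ban's %(_apache_error_client)s prefix. Assumption: the real
# definition in apache-common.conf is broader; this one covers the Apache 2.4
# error_log lines quoted in the thread (IPv4 clients only, for brevity).
APACHE_ERROR_CLIENT = (
    r"\[[^\]]+\] \[\S+:error\]"                          # [timestamp] [module:error]
    r"( \[pid \d+(:\S+ \d+)?\])?"                        # optional [pid N] / [pid N:tid M]
    r" \[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})(:\d{1,5})?\]"  # [client IP:port]
)

# The apache-auth failregex line quoted in the thread, with the prefix expanded.
FAILREGEX = re.compile(
    r"^" + APACHE_ERROR_CLIENT
    + r" (AH(01797|01630): )?client denied by server configuration: "
    + r"(uri )?(?P<path>\S*)(, referer: \S+)?\s*$"
)

# Hypothetical exclusion for WPAD probes (assumption: not on the page). In a real
# filter this is what fail2ban's ignoreregex option is for: a line that matches
# failregex but also matches ignoreregex is not counted.
IGNORE_WPAD = re.compile(r"client denied by server configuration: \S*/wpad\.dat\b")

SAMPLE_LOG = [
    # The three lines quoted in the thread (the hotel client fetching wpad.dat).
    "[Thu Aug 16 08:34:49.129189 2018] [access_compat:error] [pid 16245] [client 185.46.214.86:19132] AH01797: client denied by server configuration: /var/www/html/wpad.dat",
    "[Thu Aug 16 08:34:49.187062 2018] [access_compat:error] [pid 16245] [client 185.46.214.86:19132] AH01797: client denied by server configuration: /var/www/html/wpad.dat",
    "[Thu Aug 16 08:34:49.247098 2018] [access_compat:error] [pid 16245] [client 185.46.214.86:19132] AH01797: client denied by server configuration: /var/www/html/wpad.dat",
    # Constructed lines: a different client (TEST-NET address) hitting a denied path.
    "[Thu Aug 16 08:40:01.000000 2018] [access_compat:error] [pid 16245] [client 203.0.113.7:51000] AH01797: client denied by server configuration: /var/www/html/admin",
    "[Thu Aug 16 08:40:02.000000 2018] [access_compat:error] [pid 16245] [client 203.0.113.7:51001] AH01797: client denied by server configuration: /var/www/html/admin, referer: https://203.0.113.7/",
    "[Thu Aug 16 08:40:03.000000 2018] [access_compat:error] [pid 16245] [client 203.0.113.7:51002] AH01797: client denied by server configuration: /var/www/html/admin",
    # Constructed noise line that the filter must not count.
    "[Thu Aug 16 08:41:00.000000 2018] [core:notice] [pid 16245] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'",
]


def classify(line):
    """Return (host, denied path) if the line counts as an apache-auth failure, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    return m.group("host"), m.group("path")


def would_ban(lines, maxretry=3, ignore_wpad=False):
    """Return the hosts that reach maxretry failures.

    findtime is ignored: all lines are assumed to fall into one window, which is
    exactly the case for the burst of wpad.dat requests in the thread.
    """
    failures = Counter()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        if ignore_wpad and IGNORE_WPAD.search(line):
            continue
        failures[hit[0]] += 1
    return {host for host, n in failures.items() if n >= maxretry}


if __name__ == "__main__":
    # Mimic fail2ban-regex --print-all-matched on the sample.
    for line in SAMPLE_LOG:
        hit = classify(line)
        print(("MATCH  " if hit else "ignore ") + line[:80])
    print("banned with stock filter:   ", sorted(would_ban(SAMPLE_LOG)))
    print("banned with wpad excluded:  ", sorted(would_ban(SAMPLE_LOG, ignore_wpad=True)))
```

Run against a real error_log, fail2ban-regex with --print-all-matched (as shown in the post above) does the same job as the MATCH/ignore loop here, including the prefix regex fail2ban actually uses. The point of the `ignore_wpad` branch is that the WPAD lookups from a roaming Windows client can be dropped from the count without loosening the match on every other "client denied" line, so genuine repeated probing of denied paths still leads to a ban.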
THX, YES, this is why the issue is annoying, but it does not hit me hard: I use nethserver LDAP with a dedicated group to connect to the VPN using my router (Draytek Vigor, offering VPN auth based on an internal DB, internal/external RADIUS, or external LDAP/AD).
OK, I could not try the command due to restarts, removal from jail, etc. However, after changing the first regex line of
/etc/fail2ban/filter.d/apache-auth
to
^%(_apache_error_client)s (AH(01797|01630): )?client denie_d by server configuration: (uri )?\S*(, referer: \S+)?\s*$
I was not kicked out anymore. For some reason my laptop tries to access the wpad file from external and causes jailing…
No, but it is Windows: most software besides Internet Explorer / Edge needs to be set up separately. In my case Firefox was pointing to “use system defaults”, while the system was set up to detect settings automatically.
But anyway: any client software needs to be set up separately … therefore I prefer a general system setup.
Yes, but this resolves just IE and Windows itself. Firefox (and many others, e.g. the Nextcloud desktop client) may have individual settings (or point to the system default)… It will be hard to figure out for all clients.