FAIL2BAN: Something kicks me out when external

fail2ban

(Thorsten) #1

NethServer Version: 7.5
Module: fail2ban

Hi,

I set up NethServer 7.5 and integrated a Windows 7 machine in AD. I installed Thunderbird, the Nextcloud app and the Mattermost app on the Windows 7 client. Within my home network everything is fine.

When being external, e.g. travelling on a guest WLAN, for some reason fail2ban blocks the IP of the host. E.g. during my vacation, the IP of the hotel got blocked from some activities.

Consequently I am not able to connect to SOGo, cloud or any other service. For some WLANs I can set up an exception IP, but this is not meaningful for all cases (e.g. the hotel WLAN).

fail2ban is triggered mainly by the apache-auth service. Does anybody have an idea how to find out which service on my Windows client triggers the blocking? Which service “fires” at NethServer, causing the block?

TIA
Thorsten


(Markus Neuberger) #2

From /etc/fail2ban/filter.d/apache-auth.conf:

This filter matches the authorization failures of Apache. It takes the log messages
from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.

In /var/log/fail2ban.log you see the fail2ban entries/bans. You may follow the log with tail -f /var/log/fail2ban.log while trying to reproduce the bans with an external client to check when the ban occurs. You may get more details in /var/log/httpd/ssl_error_log or /var/log/httpd/error_log.

I think it could be a saved wrong user/password in a browser.


(Thorsten) #3

I got an idea, but I am not sure. I kindly ask for a counter-check.

  1. The regex within /etc/fail2ban/filter.d/apache-auth.conf seems to match
    the text “client denied by server configuration:”
  2. In my /var/log/httpd/error_log I do find:

[Thu Aug 16 08:34:49.129189 2018] [access_compat:error] [pid 16245] [client 185.46.214.86:19132] AH01797: client denied by server configuration: /var/www/html/wpad.dat
[Thu Aug 16 08:34:49.187062 2018] [access_compat:error] [pid 16245] [client 185.46.214.86:19132] AH01797: client denied by server configuration: /var/www/html/wpad.dat
[Thu Aug 16 08:34:49.247098 2018] [access_compat:error] [pid 16245] [client 185.46.214.86:19132] AH01797: client denied by server configuration: /var/www/html/wpad.dat

It seems to be related to wpad.dat …
I counter-checked Firefox and found that it is not configured to “no proxy” but to “system proxy”. I corrected that; let's see if this helps …

Is that a possible root cause?

THX
Thorsten


(Thorsten) #4

… and another question:

What are the standard filters of fail2ban which are enabled by default within NethServer?
What are the recommended filters to enable?

THX
Thorsten


(Markus Neuberger) #5

Maybe a proxy is set in the Windows internet settings? It is used when Firefox is set to “system proxy”.

It depends on the apps you installed.

The recommended filters are enabled by default.

http://docs.nethserver.org/en/v7/fail2ban.html


(Michael Kicks) #6

Maybe the facility that @thorsten uses has some kind of UTM?
I looked up the IP reported in the log, and that way I found ZScaler as the UTM.

Consider implementing a VPN connection as an alternative…


(Stéphane de Labrusse) #7

Check in /var/log/fail2ban.log which jail banned you, then use fail2ban-regex to retrieve the lines that triggered the ban. For example, this is apache-auth:

[root@prometheus ~]# fail2ban-client status apache-auth
Status for the jail: apache-auth
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/httpd/error_log /var/log/httpd/ssl_error_log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	

fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-auth.conf --print-all-matched
or
fail2ban-regex /var/log/httpd/ssl_error_log /etc/fail2ban/filter.d/apache-auth.conf --print-all-matched

You should be able to see which lines matched; after that, adapt it to the relevant log file, especially if it was rotated.

fail2ban documentation


(Thorsten) #8

Hi,

Meanwhile, I am quite sure it is the line

^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$

in /etc/fail2ban/filter.d/apache-auth.
I changed it to
^%(_apache_error_client)s (AH(01797|01630): )?client denie_d by server configuration: (uri )?\S*(, referer: \S+)?\s*$

for trial purposes. Currently I am with my customer / external. I will report this evening whether I got kicked out again.

THX
Thorsten
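The checks Markus (#2) and Stéphane (#7) describe, applied to the failregex quoted in #8, as an added example: a Python script that is not from the thread, from NethServer or from the fail2ban project. It first pulls the jail name and banned IP out of fail2ban.log lines, then runs the apache-auth failregex over the error_log lines quoted in #3 the way fail2ban-regex --print-all-matched would, and finally joins the two so that a ban is explained by the log lines behind it. The fail2ban.log sample lines are constructed for this example, the `_apache_error_client` prefix is a simplified stand-in for the one in fail2ban's apache-common.conf, and the maxretry/findtime handling is an assumption (check jail.conf / jail.local for the real values).

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/fail2ban.log in the fail2ban 0.9 line format.
# The banned IP is the one in the Apache error_log lines quoted in the thread;
# timestamps, PIDs and the second (sshd) ban are made up for this example.
FAIL2BAN_LOG = """\
2018-08-16 08:34:49,300 fail2ban.filter         [1234]: INFO    [apache-auth] Found 185.46.214.86
2018-08-16 08:34:49,350 fail2ban.filter         [1234]: INFO    [apache-auth] Found 185.46.214.86
2018-08-16 08:34:49,400 fail2ban.filter         [1234]: INFO    [apache-auth] Found 185.46.214.86
2018-08-16 08:34:49,450 fail2ban.actions        [1234]: NOTICE  [apache-auth] Ban 185.46.214.86
2018-08-16 09:05:12,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.7
"""

# The three Apache error_log lines quoted in post #3.
ERROR_LOG = """\
[Thu Aug 16 08:34:49.129189 2018] [access_compat:error] [pid 16245] [client 185.46.214.86:19132] AH01797: client denied by server configuration: /var/www/html/wpad.dat
[Thu Aug 16 08:34:49.187062 2018] [access_compat:error] [pid 16245] [client 185.46.214.86:19132] AH01797: client denied by server configuration: /var/www/html/wpad.dat
[Thu Aug 16 08:34:49.247098 2018] [access_compat:error] [pid 16245] [client 185.46.214.86:19132] AH01797: client denied by server configuration: /var/www/html/wpad.dat
"""

# fail2ban.actions writes "[jail] Ban <ip>" / "[jail] Unban <ip>" lines.
BAN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.actions\s+\[\d+\]: NOTICE\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)"
)

def bans_by_ip(fail2ban_log_text):
    """Step 1 (posts #2/#7): which jail banned which IP? -> {ip: [(jail, timestamp), ...]}"""
    bans = defaultdict(list)
    for line in fail2ban_log_text.splitlines():
        m = BAN_RE.match(line)
        if m and m.group("action") == "Ban":
            bans[m.group("ip")].append((m.group("jail"), m.group("ts")))
    return dict(bans)

# Simplified stand-in for %(_apache_error_client)s from apache-common.conf
# (assumption: fail2ban's real prefix is more general; this one covers the
# Apache 2.4 format shown above, with <HOST> expanded to a named group).
APACHE_ERROR_CLIENT = (
    r"\[[^\]]*\] \[\S+:\S+\]( \[pid \d+\])? \[client (?P<host>[\w\-.]+)(:\d{1,5})?\]"
)

# The failregex line quoted from apache-auth.conf in post #8, and the "denie_d" edit.
ORIGINAL_FAILREGEX = (
    r"^%(_apache_error_client)s (AH(01797|01630): )?client denied by server "
    r"configuration: (uri )?\S*(, referer: \S+)?\s*$"
)
BROKEN_FAILREGEX = ORIGINAL_FAILREGEX.replace("denied", "denie_d")

def compile_failregex(failregex):
    """Expand the %(_apache_error_client)s placeholder as fail2ban's config loader does."""
    return re.compile(failregex.replace("%(_apache_error_client)s", APACHE_ERROR_CLIENT))

def matched_hosts(error_log_text, failregex):
    """Step 2 (post #7): like fail2ban-regex --print-all-matched, the <HOST> of every matching line."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in error_log_text.splitlines():
        m = rx.match(line)
        if m:
            hosts.append(m.group("host"))
    return hosts

def hosts_to_ban(hosts, maxretry):
    """Hosts that reached the jail's maxretry (findtime ignored; assumption: all hits lie within it)."""
    return sorted(h for h, n in Counter(hosts).items() if n >= maxretry)

# jail name -> failregex; only the jail this thread is about is filled in.
JAIL_FILTERS = {"apache-auth": ORIGINAL_FAILREGEX}

def explain_bans(fail2ban_log_text, error_log_text, jail_filters=JAIL_FILTERS):
    """Join both steps: for each (ip, jail) ban, the error_log lines the jail's regex matched for that IP."""
    explained = {}
    for ip, events in bans_by_ip(fail2ban_log_text).items():
        for jail, _ts in events:
            if jail not in jail_filters:
                continue  # no filter known locally for this jail
            rx = compile_failregex(jail_filters[jail])
            hits = []
            for line in error_log_text.splitlines():
                m = rx.match(line)
                if m and m.group("host") == ip:
                    hits.append(line)
            explained[(ip, jail)] = hits
    return explained

if __name__ == "__main__":
    for (ip, jail), hits in explain_bans(FAIL2BAN_LOG, ERROR_LOG).items():
        print(f"{ip} banned by [{jail}] after {len(hits)} matching line(s):")
        for h in hits:
            print("   ", h)
    print("original regex matches:", len(matched_hosts(ERROR_LOG, ORIGINAL_FAILREGEX)))
    print("denie_d regex matches: ", len(matched_hosts(ERROR_LOG, BROKEN_FAILREGEX)))
```

Running it shows that all three wpad.dat lines match the original regex and none match the denie_d variant, which is why the edit in #8 stops the bans: it disables the rule rather than stopping the client from requesting wpad.dat. fail2ban-regex against the real files remains the authoritative check, since it uses the exact prefix from apache-common.conf.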


(Stéphane de Labrusse) #9

The next rpm update of fail2ban will enable this regex again; you could disable it if you prefer, or find out why your browser activates this jail.


(Thorsten) #10

THX, YES, this is why the issue is annoying but it does not hit me hard :slight_smile: I use NethServer LDAP with a dedicated group to connect via VPN using my router (Draytek Vigor, offering VPN auth based on internal DB, internal / external RADIUS or external LDAP / AD) :slight_smile:

I will try to find out

THX
Thorsten


(Stéphane de Labrusse) #11

When I am sure of something, I am quite sure to be wrong; facts and proof are better. Please try fail2ban-regex.


(Thorsten) #12

:slight_smile: :slight_smile: :slight_smile:


(Thorsten) #13

Dear Stéphane,

OK, I could not try the command due to restarts, removal from jail etc. However, after changing the first regex line of
/etc/fail2ban/filter.d/apache-auth
to
^%(_apache_error_client)s (AH(01797|01630): )?client denie_d by server configuration: (uri )?\S*(, referer: \S+)?\s*$
I was not kicked out anymore. For some reason my laptop tries to access the wpad file from external and causes jailing…

Best regards
Thorsten


(Michael Kicks) #14

@thorsten does the OS of your laptop ask for proxy configuration in the LAN?


(Thorsten) #15

No, but it is Windows: most software besides Internet Explorer / Edge needs to be set up separately. In my case Firefox was pointing to “use system defaults”, while the system was set up to detect settings automatically.

But anyway: any client software needs to be set up separately … therefore I prefer a general system setup.


(Michael Kicks) #16

Until Windows 8/8.1, Internet Explorer options = system options.
Also, in Windows 10, Internet Options still lies under the “Settings” cover.

Which could also look for a WPAD file…


(Thorsten) #17

Yes, but this resolves just IE and Windows itself. Firefox (and many others, e.g. the Nextcloud desktop client) may have individual settings (or point to the system default)… It will be hard to figure out for all clients :slight_smile:


(Markus Neuberger) #18

Maybe this old tool is helpful here; you may check for wpad in the remote address and port 3128 to find the app that wants to connect to the proxy.