How to add new fail2ban ipset to firewall?

NethServer Version: 7.9.2009
Module: Fail2ban 1.5.7

Hi all,

I managed to create a basic fail2ban configuration for Matrix/Synapse: an ipset is created and my test IP is added to it.
But the ipset is not used in the firewall.

How can I add the ipset?

Thanks,
René

check in /etc/fail2ban.filters.d and create a jail in /etc/fail2ban/jail.local


But after signal-event nethserver-fail2ban-save the new filter is not active.
I have installed WordPress manually in a separate vhost (2 WP sites) and needed fail2ban wordpress-hard activated. (I finally moved to NS :slight_smile: )


Hi Stéphane,

I can not get it to work :slightly_frowning_face:

I tried the following:

  1. I created the file /etc/fail2ban/filter.d/matrix-synapse.conf with the following content:
# matrix-synapse configuration file
#
[Init]
maxlines = 3
[Definition]
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = .*synapse.*8008.*\n.*synapse.*8008.*None - <HOST> - 8008.*403.*
#
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
  2. I checked this with fail2ban-regex and the correct lines are matched. This is an example of the lines to be matched:
2021-03-11 14:23:13,733 - synapse.http.server - 86 - INFO - None - <XForwardedForRequest at 0x7ff17faa3cc0 method='POST' uri='/_matrix/client/r0/login' clientproto='HTTP/1.1' site='8008'> SynapseError: 403 - Invalid password
2021-03-11 14:23:13,734 - synapse.access.http.8008 - 316 - INFO - None - 10.46.1.173 - 8008 - {None} Processed request: 0.038sec/-0.000sec (0.001sec, 0.000sec) (0.000sec/0.000sec/0) 52B 403 "POST /_matrix/client/r0/login HTTP/1.1" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Mobile/15E148 Safari/604.1" [0 dbevts]
  3. Although the file itself says not to alter anything because it will be overwritten (I think that is what @jookk is referring to…), I added the following to /etc/fail2ban/jail.local:
[matrix-synapse]
enabled = true
filter = matrix-synapse
logpath = /opt/synapse/homeserver.log
maxretry = 3
  4. To make sure everything that needs to be restarted is restarted, I rebooted my NS VM. The fail2ban.log file shows (amongst others):
2021-03-11 16:20:54,252 fail2ban.filter         [8431]: INFO    Added logfile: '/opt/synapse/homeserver.log' (pos = 31016, hash = ba87bf00f873627c41466c6f317b9371)
2021-03-11 16:20:54,350 fail2ban.jail           [8431]: INFO    Jail 'matrix-synapse' started
  5. I tested the setup by logging in from another machine. My failed attempts are registered by fail2ban and a ban is created:
2021-03-11 16:21:26,422 fail2ban.filter         [8431]: INFO    [matrix-synapse] Found 10.46.1.173 - 2021-03-11 16:21:26
2021-03-11 16:21:28,629 fail2ban.filter         [8431]: INFO    [matrix-synapse] Found 10.46.1.173 - 2021-03-11 16:21:28
2021-03-11 16:21:33,846 fail2ban.filter         [8431]: INFO    [matrix-synapse] Found 10.46.1.173 - 2021-03-11 16:21:33
2021-03-11 16:21:34,564 fail2ban.actions        [8431]: NOTICE  [matrix-synapse] Ban 10.46.1.173
  6. The ipset shows the ban:
ipset list f2b-matrix-synapse
Name: f2b-matrix-synapse
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 216
References: 0
Number of entries: 1
Members:
10.46.1.173 timeout 1029

But the ipset is not in iptables:

# iptables -L | grep -i matrix
# 

I once had an error in the fail2ban.log, but this has not shown up again:

2021-03-11 14:46:35,439 fail2ban.utils          [10080]: ERROR   7f8579c13100 -- exec: ipset add f2b-matrix-synapse 10.46.1.173 timeout 1800 -exist
2021-03-11 14:46:35,439 fail2ban.utils          [10080]: ERROR   7f8579c13100 -- stderr: 'ipset v7.1: The set with the given name does not exist'
2021-03-11 14:46:35,439 fail2ban.utils          [10080]: ERROR   7f8579c13100 -- returned 1
2021-03-11 14:46:35,439 fail2ban.actions        [10080]: ERROR   Failed to execute ban jail 'matrix-synapse' action 'shorewall-ipset-proto6' info 'ActionInfo({'ip': '10.46.1.173', 'bantime': 1800, 'fid': <function <lambda> at 0x7f857b402cf8>, 'family': 'inet4', 'raw-ticket': <function <lambda> at 0x7f857b403320>})': Error banning 10.46.1.173

Have you got any idea what I can do to solve this?
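
A defender-side check for the symptom shown above (the set exists, `References: 0`, nothing in iptables). This is an added example, not code from the thread or from NethServer; it parses saved `ipset list` and `iptables-save` output, which you would collect on the box yourself, and the sample data inside demo() is constructed:

```shell
#!/bin/sh
# Added example, not code from the thread: cross-check fail2ban ipsets against
# the firewall. An f2b-* set that shows "References: 0" in `ipset list`, or
# that no "--match-set" rule in `iptables-save` uses, is filled by fail2ban
# but never enforced, which is the symptom described above.

# audit_f2b_sets <text of `ipset list`> <text of `iptables-save`>
# Prints one line per f2b-* set: "<name> ok" or "<name> NOT-ENFORCED refs=N rules=M".
audit_f2b_sets() {
    # pair every f2b-* set name with the kernel's reference count for it
    printf '%s\n' "$1" |
    awk '/^Name: / { n = $2 } /^References: / { if (n ~ /^f2b-/) print n, $2 }' |
    while read -r name refs; do
        # count firewall rules that match on this set ("-m set --match-set <name> src")
        rules=$(printf '%s\n' "$2" | grep -c -- "--match-set $name " || true)
        if [ "$refs" -eq 0 ] || [ "$rules" -eq 0 ]; then
            echo "$name NOT-ENFORCED refs=$refs rules=$rules"
        else
            echo "$name ok"
        fi
    done
}

# demo: run the audit over constructed sample output (not captured from a real host);
# on a NethServer box you would pass "$(ipset list)" and "$(iptables-save)" instead.
demo() {
    ipset_list=$(cat <<'EOF'
Name: f2b-postfix-ddos
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 60
References: 1
Members:

Name: f2b-matrix-synapse
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 600
References: 0
Members:
10.46.1.173 timeout 1029
EOF
)
    # constructed iptables-save line: only the postfix set is referenced by a rule
    ipt_save='-A dynamic -m set --match-set f2b-postfix-ddos src -j DROP'
    audit_f2b_sets "$ipset_list" "$ipt_save"
}

demo
```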

Hello everyone,

I’ve been looking into this again, and I am starting to wonder whether or not this is even possible.

Apart from what I described above, I tried to add matrixsynapse to the templates in /etc/e-smith/templates/etc/fail2ban/jail.local.
I created the file 10matrixsynapse with the following contents:

{
    use NethServer::Fail2Ban;
    my $maxretry = $fail2ban{MatrixSynapse_MaxRetry} || $fail2ban{MaxRetry} || '3';
    return ("\n#matrix-synapse not used on this server\n") if (! NethServer::Fail2Ban::listMatrixSynapseJails());

    foreach (NethServer::Fail2Ban::listMatrixSynapseJails()) {
        $OUT .= "\n[$_]\n";
        $OUT .= "enabled = true\n";
        $OUT .= "logpath = /opt/synapse/homeserver.log\n";
        $OUT .= "maxretry = $maxretry\n\n";
    }
}

I ran the following to add the settings to the configuration e-smith database:

config setprop fail2ban MatrixSynapse_status true
config setprop fail2ban MatrixSynapse_MaxRetry 3

The result is that running the nethserver-fail2ban-save command (from the cockpit) results in an error. Only removing the file and the database entries resolves this.

Can anyone tell me:

  1. Whether it is even possible to add a jail and get it working?
  2. What I am doing wrong?
  3. What else I can try to debug this?

Thanks in advance!

René


At the start of Shorewall we create the ipset.

If the set is not created then you get an error, I bet.

The list of jails comes from


I think we have lost the modularity :-?

Drop a script in /etc/e-smith/templates/etc/shorewall/initdone/ to create the ipset:

system("/usr/sbin/ipset -quiet -exist create f2b-postfix-ddos hash:ip timeout 60 ");

Merci beaucoup, Stéphane!

This was the missing link.

I added the following to /usr/share/perl5/vendor_perl/NethServer/Fail2Ban.pm

in sub listAllJails {:

# added for Matrix-Synapse
    push(@jails, listMatrixSynapseJails());

and directly under listAllJails:

# added for Matrix-Synapse
sub listMatrixSynapseJails() {
    my @jails;
    my $status = $db->get_prop('fail2ban', 'MatrixSynapse_status') || 'true';

    if (( -f '/opt/synapse/homeserver.log') &&
      ($status eq 'true')) {
        push(@jails, 'matrixsynapse');
    }
    return @jails;
}

To recap (and document): apart from the above modification I did the following:

  1. create the file /etc/fail2ban/filter.d/matrixsynapse.conf with the following contents:
# matrix-synapse configuration file
#
[Init]
maxlines = 3
[Definition]
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = .*synapse.*8008.*\n.*synapse.*8008.*None - <HOST> - 8008.*403.*
#
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
  2. create the file /etc/e-smith/templates/etc/fail2ban/jail.local/10MatrixSynapse with the following contents:
{
    use NethServer::Fail2Ban;
    my $maxretry = $fail2ban{MatrixSynapse_MaxRetry} || $fail2ban{MaxRetry} || '3';
    return ("\n#matrix-synapse not used on this server\n") if (! NethServer::Fail2Ban::listMatrixSynapseJails());

    foreach (NethServer::Fail2Ban::listMatrixSynapseJails()) {
        $OUT .= "\n[$_]\n";
        $OUT .= "enabled = true\n";
        $OUT .= "logpath = /opt/synapse/homeserver.log\n";
        $OUT .= "maxretry = $maxretry\n\n";
    }
}
  3. add the settings to the configuration e-smith database:
config setprop fail2ban MatrixSynapse_status true
config setprop fail2ban MatrixSynapse_MaxRetry 3

After a reboot everything works as expected. :partying_face:

Last question (on this subject): will my modification to Fail2Ban.pm be permanent, or should I modify it whenever an update is rolled out?

Regards,

René


My next upgrade will remove it, but now we could talk about integrating it into Fail2ban, or I think you could still make it workable on your own.

I recently got a hint to make a jail for samba file share