How to analyze who triggers fail2ban

At me, yes. But whitelisting is obsolete when my DSL router changes its dynamic IP address.

I always refused to add a domain name to the whitelist but I am quite sure it could work … Sometimes a developer does not reach the needs of a sysadmin

:-?

I’m having a hard time understanding how it could help.

Do you mean the following mechanism I practice for VPN dial-up to my DSL router?

  1. my DNS provider determines via ddclient my current dynamic address at the gateway.
  2. my DNS provider assigns this as A-record to a subdomain like vpn.mydomain.tld
  3. I whitelist the subdomain vpn.mydomain.tld with the current dynamically assigned IP address

I mean in /etc/fail2ban/jail.local add to

ignoreip = 127.0.0.1 stephdl.dynamic.ip.provider.net

restart fail2ban then

2021-04-20 11:45:40,422 fail2ban.filter [26521]: INFO [sogo-auth] Ignore 90.1.xxx.xxx by dns

Then your dynamic IP will be ignored by fail2ban but the UI will create an error because the validation accepts only an IP or a network

@giacomo @filippo_carletti what do you think if we could accept dynamic domain inside the UI of fail2ban

That way we could be sure not to be banned when you do not have a static IP?

fail2ban accepts hostnames, I don’t know why we limited the interface to IPs only. :slight_smile:

5 Likes

At the start I even refused to add CIDR :smiley:

@capote it is coming

https://github.com/NethServer/nethserver-fail2ban/pull/113

With this you can add FQDN or hostname

1 Like

This is the same as I thought. The difference is that I don’t need a separate subdomain like dynip.mydomain.de because I have one for VPN dialup called vpn.mydomain.de.

One big request…
Could you please integrate the ability to comment on the whitelisted IPs, CIDR or domains so that everyone can document the reason for whitelisting, as…

#Admins LAN
stephdl.dynamic.ip.provider.ne
#uptimerobot 1
72.55.136.192/28
#anything else
11.22.33.44

inside textarea I think it is not possible

Too bad, I thought it would be as simple as in any script. But I don’t understand any of it either.

web development is never easy, nor is understanding what a good UI is. Imagine comments inside a textarea; after all everything is possible, I could create modals to fill the whitelist with a table like for the unban, but please go to github and check how many hundred lines of code I will add for something that is a hole in the security… which is what a whitelist is :smiley:

1 Like

Can anyone contribute additional relationships between triggered jail and log files to be analyzed (where more in-depth analysis would be needed)?

everything can be found in /etc/fail2ban/jail.local

Unrelated to fail2ban but a quick & dirty script to get the changing IP address of a domain (let's say of another of your publicly reachable hosts) could be something like this:

#!/bin/bash
#
# Update host object IP address (to be used with firewall rules, i.e. for public domain)
# (Requires: dig, ipcalc, e-smith commands)
#

# get IP address: dig may return several A records, join them with '/' and let
# basename keep the last one (it also strips the trailing '/'); stderr is closed
ip=$( /usr/bin/basename "$( /usr/bin/dig +short domain.tld A | tr '\n' '/' )" 2>&- )

# validate IPv4 address (empty or malformed answer: leave everything untouched)
if ! /usr/bin/ipcalc -c "$ip"; then exit 1; fi

# get stored IP address (if any); the host object name is hard-coded
host='hostnamex'
oldip=$( /usr/sbin/e-smith/db hosts getprop "$host" IpAddress )

# set firewall object to the new IP address, only if it changed
if [ "$ip" = "$oldip" ]
then
   exit 0
else
   # setprop updates IpAddress and keeps the other properties of the host object
   /usr/sbin/e-smith/db hosts setprop "$host" IpAddress "$ip"
   /usr/sbin/e-smith/signal-event firewall-adjust
fi

For instance to be used with a cron job to update the host ip address used on some firewall rules.
Probably there are better ways to do it but there’s that.

1 Like

yeah that’s good, you could imagine adding the IP to the whitelist, however you need to run it every 5 minutes I bet

1 Like

testers are welcome

2 Likes

I have seen that the ability to set an FQDN is in the cockpit GUI now. Is there also a “refreshing” cron job in the updated package to whitelist the new IP for fail2ban? And if yes, how long is the time gap and how can I change this?

Regards
yummiweb

Why a cron job on fail2ban? It makes queries to the default DNS server with a TTL (time to live) and when it is over it asks again, I presume.

Never use FQDN if possible; for dynamic IP the cron job must run on the remote client server, not on your fail2ban server.

Maybe @dnutan can help, I was referring to his script

Not to my knowledge.
If the case is, for instance, a NethServer with dynamic IP from the ISP pointing to a FQDN updated through DDNS, then you could run a script through a cron job to get the new IP and add it to the whitelist, but things are always more complex than they seem (whitelist the new IP but what happens with old IPs now assigned to who knows who, and if the FQDN has more than one IP or IPv6, etc., …surely it can be done but I have to give it some thought)

EDIT: sorry, I didn’t understand it properly.
It will depend on how fail2ban and the firewall act together regarding the FQDN (if fail2ban transmits only the IP or does something different). If fail2ban queries the DNS server to resolve the IP of the FQDN and then passes the IP to the firewall for block/whitelist purposes then the new IP shall be on the firewall on the next event signaled (fail2ban-update, etc.)

It could be as well as Stéphane guessed, and as fail2ban parses logs, hits the FQDN, resolves the IP (with a TTL)…

Sorry for the train of thought.

Here’s a parameter (use_dns warn) that logs when a DNS lookup is done.

here’s a similar question:

2 Likes
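The "refresh from cron" approach discussed above (run every few minutes, whitelist the new address, drop the old ones, cope with several A records and IPv6) as an added example that is not part of the thread or of the NethServer package. It relies on the real `fail2ban-client set <jail> addignoreip/delignoreip` commands; the state directory `/var/lib/f2b-dyn-ignore` and the name `vpn.example.test` are assumptions.

```python
#!/usr/bin/env python3
"""Keep a jail's ignore list in sync with every address behind a dynamic FQDN."""
import json
import socket
import subprocess
import sys
from pathlib import Path

STATE_DIR = Path("/var/lib/f2b-dyn-ignore")  # assumed location of the last-seen addresses


def resolve_all(fqdn):
    """Return the set of all A and AAAA addresses of fqdn, not just the first one."""
    try:
        infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()  # lookup failed: the caller must not clear the whitelist
    return {info[4][0] for info in infos}


def plan_changes(old, new):
    """Return (to_add, to_del) so that exactly the current addresses stay ignored."""
    if not new:  # failed or empty lookup: change nothing rather than drop everything
        return set(), set()
    return new - old, old - new


def apply_changes(jail, to_add, to_del, run=subprocess.run):
    """Push the diff to the running fail2ban; stale addresses are removed first."""
    cmds = [["fail2ban-client", "set", jail, "delignoreip", ip] for ip in sorted(to_del)]
    cmds += [["fail2ban-client", "set", jail, "addignoreip", ip] for ip in sorted(to_add)]
    for cmd in cmds:
        run(cmd, check=True)
    return cmds


def refresh(fqdn, jail, state_dir=STATE_DIR, resolver=resolve_all, run=subprocess.run):
    """One cron tick: compare the stored addresses with DNS and apply the diff."""
    state = state_dir / f"{fqdn}.json"
    old = set(json.loads(state.read_text())) if state.exists() else set()
    new = resolver(fqdn)
    to_add, to_del = plan_changes(old, new)
    cmds = apply_changes(jail, to_add, to_del, run)
    if new:  # remember what is whitelisted now so the next run can revoke it
        state_dir.mkdir(parents=True, exist_ok=True)
        state.write_text(json.dumps(sorted(new)))
    return cmds


if __name__ == "__main__":  # e.g. from cron: refresh.py vpn.example.test sshd
    refresh(sys.argv[1], sys.argv[2])
```

The ignore list is per jail in fail2ban-client, so a cron entry is needed for each jail that should trust the dynamic host; a lookup failure deliberately leaves the previous addresses in place.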