Nethserver-fail2ban needs testers

People asked for it many times in the past, it’s a great module :+1:

@filippo_carletti mail option can be configured as you want :smile:

I would prefer to enable it by default, but as you probably found, you can set it to disabled; look at the db properties. In fact I have many emails in the admin mailbox; you can sort them with Thunderbird or directly with sieve and SOGo/Roundcube/… (the best solution).
Each email is dropped into a folder, sorted by topic, and this way you can still have error emails dropped in the master Inbox folder. I think it is one way to catch attention if something goes wrong.

Fail2ban is now installed on www.nethserver.org.

Enabled jails:

```
Status
|- Number of jail: 16
`- Jail list: apache-auth, apache-badbots, apache-fakegooglebot, apache-modsecurity, apache-nohome, apache-noscript, apache-overflows, apache-scan, apache-shellshock, mysqld-auth, pam-generic, postfix, postfix-rbl, recidive, sshd, sshd-ddos
```

I will report here how it behaves.
I agree with @filippo_carletti on mails sent during the process startup, it’s a bit annoying :smile:

All activities are logged in fail2ban’s logs, so we could imagine shutting down the administrative emails… keep us posted on the number of banned IPs :stuck_out_tongue:

We should implement a logwatch service.

First banned IP:

The IP 173.201.185.6 has just been banned by Fail2Ban after
3 attempts against apache-fakegooglebot.

Well, fail2ban is working! :smiley:

3 Likes

If I may, congrats to all, especially to @stephdl for the good idea!

When will it be available from the Software Center?
I know F2B can be installed right now, but when it is available in the Software Center the solution will be complete as an NS module.

BR
Gabriel

1 Like

fail2ban-listban is good to see all jails and the number of IPs currently/totally banned… it is not an official tool.

Now the jail time is set to 600 seconds, and I mean that it can be set to 1800 seconds in a real environment.

I don’t know :slight_smile: maybe we can set up a little web UI, even if I designed the module to protect your system when a new service is installed.

Since this morning, I received 44 emails from fail2ban running on www.nethserver.org. 32 of them regard a stop/start event, the rest are banned IPs.
As you may imagine, I usually filter emails out of my inbox (I know sieve :grin:), but it still seems a bit too verbose to me.
That’s why I proposed to disable email by default in the future final version (I agree that in this test phase emails are useful).

Why?

Did you install some rpm? The event runlevel-adjust does a restart and expands the templates of fail2ban.

Normally the fail2ban service must not restart on its own.

Not me, but the restart cause is an rpm install.

In one week running on www.nethserver.org, fail2ban has triggered 30 times, 21 on apache (scan, fake bots) and 7 on ssh, plus 2 recidives. Offenders were from China, France, Korea, Ukraine, USA and Mexico. Some scans repeat every 2/3 days, those may be “legitimate” research projects, I didn’t investigate further.

Next step could be installing on a mail server, maybe mail.nethesis.it is a good candidate.

2 Likes
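Added example, not part of the original thread or of nethserver-fail2ban: a per-jail ban tally read from fail2ban's log rather than counted from notification emails, which is the kind of weekly summary reported above. The sample log lines are constructed (documentation IP ranges) and assume the `fail2ban.actions ... [jail] Ban <ip>` line layout; `sample_log` and `ban_summary` are hypothetical names.

```shell
#!/bin/sh
# Added example: per-jail ban tally from a fail2ban log.
# Constructed sample lines; the line layout is an assumption about the
# installed fail2ban version, the IPs are documentation addresses.
sample_log() {
cat <<'EOF'
2016-01-20 08:01:12,101 fail2ban.actions [2311]: NOTICE [sshd] Ban 192.0.2.10
2016-01-20 08:11:12,390 fail2ban.actions [2311]: NOTICE [sshd] Unban 192.0.2.10
2016-01-20 09:30:45,007 fail2ban.filter  [2311]: INFO [apache-scan] Found 198.51.100.7
2016-01-20 09:30:47,551 fail2ban.actions [2311]: NOTICE [apache-scan] Ban 198.51.100.7
2016-01-21 14:02:03,220 fail2ban.actions [2311]: NOTICE [apache-fakegooglebot] Ban 203.0.113.44
2016-01-22 03:15:59,870 fail2ban.actions [2311]: NOTICE [sshd] Ban 192.0.2.10
2016-01-22 03:16:00,012 fail2ban.actions [2311]: NOTICE [recidive] Ban 192.0.2.10
2016-01-22 03:16:01,500 fail2ban.actions [2311]: NOTICE [sshd] 192.0.2.10 already banned
EOF
}

# ban_summary: read a log on stdin, print "jail bans distinct_ips" per jail.
# Only fail2ban.actions lines where the word right after [jail] is exactly
# "Ban" are counted, so Unban, Found and "already banned" lines are ignored.
ban_summary() {
    awk '
    /fail2ban\.actions/ {
        for (i = 1; i < NF; i++) {
            if ($i ~ /^\[[A-Za-z0-9_-]+\]$/ && $(i + 1) == "Ban") {
                jail = substr($i, 2, length($i) - 2)
                ip = $(i + 2)
                bans[jail]++
                # count each offender once per jail to expose repeat bans
                if (!((jail, ip) in seen)) { seen[jail, ip] = 1; ips[jail]++ }
            }
        }
    }
    END { for (j in bans) print j, bans[j], ips[j] }
    ' | LC_ALL=C sort
}

sample_log | ban_summary
```

On a real host the function would read the fail2ban log file on stdin instead of `sample_log`; a jail whose ban count exceeds its distinct-IP count has repeat offenders, which is what the recidive jail acts on.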

Working on the UI

1 Like

That’s great! :+1:

Install version nethserver-fail2ban-0.0.3-1, then test and report on the WebUI.

The Help page is not done.

1 Like

What about this screenshot? I have tweaked the UI; is it better?

6 Likes

Great work. :open_mouth: Nothing to add. :wink:

1 Like

New version, I still need to do the help page, WIP after FOSDEM… tonight I need to take time for myself, I have just finished my last glass of Laphroaig, the earth must stop turning around the sun.

```
yum install http://mirror.de-labrusse.fr/nethserver/nethserver-fail2ban/nethserver-fail2ban-0.0.4-1.ns6.sdl.noarch.rpm --enablerepo=epel
```

4 Likes