Nethserver-fail2ban needs testers

@stephdl - amazing and it works!

My 2 cents: there should not be so many checkboxes, there should be 3 or more groups like SSH, WEB, MAIL, FTP, and a drop-down list for enabling each specific group.

1 Like

Cheers! :wine_glass:

1 Like

Yep, this can be done… Will do after FOSDEM

2 Likes

@davidep does nethgui log something (and where) when a user is not allowed because of a failed password? We could imagine writing our own regex.

IIRC failed logins could be in /var/log/secure, normal log is directed to /var/log/httpd-admin/error_log and /var/log/messages

any error authentication

/var/log/secure :

Feb 3 23:32:40 nethserver perl: pam_succeed_if(system-auth:auth): error retrieving information about user sdd

it is one mention about the unsuccessful login attempt.

Back on my issue :smile:

good catch @Nas but useless since we have no IP addresses to ban :frowning:

@giacomo @davidep I can catch something interesting in logs when the login is refused (code 400, code 200 is an accepted login)

  192.168.xx.xx - - [18/Feb/2016:16:36:37 -0500] "POST /fr-FR/Login.json HTTP/1.1" 400 1055

can we play with this or we might have something better to eat…something like ribs and beers

1 Like

I could play with anything with beer actually

1 Like

On httpd admin we should edit log parameters :wink:

Which parameters would you edit to get the IP of the attacker?

in fact I need something like that in logs

Feb 19 11:37:25 nethserver-dev perl: pam_unix(system-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.xx.xx user=root

instead of

Feb 19 11:37:25 nethserver-dev perl: pam_unix(system-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root

this is the example of jail that we need to trick → Fail2ban - Proxmox VE

got it :slight_smile:

@stephdl what was done ?

I made a jail against bad authentications to the server-manager, did the help page, and what you asked on the jails status checkbox

1 Like

yum install http://mirror.de-labrusse.fr/nethserver/nethserver-fail2ban/nethserver-fail2ban-0.0.5-1.ns6.sdl.noarch.rpm --enablerepo=epel

new version

* Sat Feb 20 2016 Stephane de Labrusse <stephdl@de-labrusse.fr> - 0.0.5-ns6
- New jail against bad authentication to httpd-admin
- Help page created
- Enhancement of the jail status  with expandable menu.

After the set number of logins, the IP with failed attempts will be banned (with a simple bantime); you can deactivate the jail (httpd-admin = server-manager)

5 Likes
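The detection idea discussed above (a POST to Login.json answered with 400 is a refused login, 200 an accepted one) can be checked offline. This is an added example, not code from the thread or from the nethserver-fail2ban package: the regex, the `maxretry`/`findtime` values and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed pattern, modelled on the access-log line quoted in the thread:
# a POST to /<lang>/Login.json answered with HTTP 400 is a refused login.
FAILED_LOGIN = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /[A-Za-z_-]+/Login\.json HTTP/1\.[01]" 400 \d+$'
)

def hosts_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return hosts with >= maxretry refused logins inside a findtime window."""
    recent = defaultdict(deque)  # host -> timestamps of recent failures
    banned = []
    for line in lines:
        m = FAILED_LOGIN.match(line.strip())
        if not m:
            continue  # accepted logins (200) and other requests are ignored
        host = m.group("host")
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        window = recent[host]
        window.append(when)
        # Drop failures that have fallen out of the sliding window.
        while when - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample log (documentation addresses, not taken from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Feb/2016:16:00:00 -0500] "POST /en-US/Login.json HTTP/1.1" 400 1055
203.0.113.5 - - [18/Feb/2016:16:15:00 -0500] "POST /en-US/Login.json HTTP/1.1" 400 1055
203.0.113.5 - - [18/Feb/2016:16:30:00 -0500] "POST /en-US/Login.json HTTP/1.1" 400 1055
192.0.2.10 - - [18/Feb/2016:16:36:37 -0500] "POST /fr-FR/Login.json HTTP/1.1" 400 1055
192.0.2.10 - - [18/Feb/2016:16:36:41 -0500] "POST /fr-FR/Login.json HTTP/1.1" 400 1055
192.0.2.10 - - [18/Feb/2016:16:36:50 -0500] "POST /fr-FR/Login.json HTTP/1.1" 400 1055
198.51.100.7 - - [18/Feb/2016:16:37:02 -0500] "POST /en-US/Login.json HTTP/1.1" 400 1055
198.51.100.7 - - [18/Feb/2016:16:37:30 -0500] "POST /en-US/Login.json HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG.splitlines()))
```

Only the host with three refusals inside ten minutes is reported; the host whose failures are spread over half an hour and the host that mistyped once before logging in are not.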

Looks good!

There are two additional enhancements:

  1. We need DashBoard module for Fail2ban, where we can see:

     - jail name number of blocked IP
     - total blocked IP

  2. We need UNBLOCK button with IP address field when someone complains; you do not need to go to ssh, only input IP and press UNBLOCK.

5 Likes

Why not, I need to learn some code on dashboard, but I’m more concerned by the fact that the dashboard is only visible by the root/admin user, and no other users (they are redirected to their user profile) @giacomo, @davidep, @filippo_carletti, @alep, @stephdl, @Stll0, @alefattorini for ns7, something should be done.

I need to make a new page with all banned IPs and the unban button. The main issue here is that the panel is written as a single page without tabs, so the code needs to move a bit, but nothing unrealisable. If we want something harder, and probably the best way to do it, we could imagine creating a table of all banned IPs with a button to unban at the end of each line.

:))

5 Likes

Why other users and not only for sysadmins?
IMO this is a security matter and only the sysadmin can take a decision.
Or a Power User like on Windows?

the dashboard and the profile user share the same code, a test is done, and only the admin can see the dashboard even if I delegate it with nethserver-delegated-panel or if I create special group managers or administrators (http://docs.nethserver.org/en/latest/accounts.html#groups)

Hello Stephane,

Thank you for your answer.
From my point of view, it’s OK. Only the sysadmin can take the decision to release a banned IP or not.