|
Perhaps a silly question but can "actioncheck" be modified to reload
f2b (therefore recreate the chain) if the check fails or is the risk
of a restart loop too high? I don't need to do it as I've got round
the issue but I'm thinking more for the others. Nick On 08/04/2016 10:07, Nick Howitt wrote:
What I've found on my system (ClearOS) is, from the way the system is implemented, that a firewall restart can happen for all sorts of reasons. When it happens all f2b rules and chains get wiped. Clearly at this point, if f2b tries to add a block it will fail.To get round this I had to add a "service fail2ban reload" command to the firewall reloading (for me I added a configlet /etc/clearos/firewall.d/30-fail2ban with the command but this is distro specific) What you need to do is find the Ubuntu commands that run when the firewall (re)loads and add an f2b reload command to it. It may be that the /etc/network/if-pre-up.d is the place to put the command but it does not seem right. You'd get away with it if that is the only event which could cause the firewall to reload but is it? I would rather tag the commands directly onto the firewall reloading commands if at all possible. Note I am not sure this is really an f2b issue unless they want to address what happens to f2b when a firewall reloads. They perhaps could monitor if the firewall chains and rules redirecting traffic through the chains have disappeared then reload them or reload f2b in its entirety, but is would be an enhancement. Nick On 2016-04-08 08:21, Tom Hendrikx wrote:Hi, You have firewall rules disappearing out of the blue, and you also have fail2ban chains missing out of the blue (see error log below). Seems to be you need to look for a third process meddling with your firewall, both f2b and your loadbalancer rules are ruined over by some other process. Regards, Tom On 08-04-16 03:44, Alexander R. Gruber wrote:Hello Bill, there is no Load-Balancer on the machine. The machine is a simple webnode, where a loadbalancer sends requests to, which are then answered by the node - directly to the requesting client. This is done by simple iptable rules: root@xxx:/etc/network/if-pre-up.d# iptables -L -t nat Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- anywhere 185.55.25.xxx tcp dpt:http to:185.55.25.xxx:80 DNAT tcp -- anywhere 185.55.25.xxx tcp dpt:https to:185.55.25.xxx:443 it seems like f2b has trouble managing it's chains on my machine. The chains just vanish at some point. root@xxx:~# iptables -L -n Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination They seem to get lost - and afterwards I get the "already banned" entries in the log. Before the "already banned" problem - this seems to happen: 2016-04-06 08:53:19,351 fail2ban.filter [3526]: INFO [ssh] Found 146.0.77.xxx 2016-04-06 08:53:19,352 fail2ban.filter [3526]: INFO [sshd] Found 146.0.77.xxx 2016-04-06 08:53:19,577 fail2ban.filter [3526]: INFO [ssh] Found 146.0.77.xxx 2016-04-06 08:53:19,578 fail2ban.filter [3526]: INFO [sshd] Found 146.0.77.xxx 2016-04-06 08:53:21,608 fail2ban.filter [3526]: INFO [sshd] Found 146.0.77.xxx 2016-04-06 08:53:21,609 fail2ban.filter [3526]: INFO [ssh] Found 146.0.77.xxx 2016-04-06 08:53:21,731 fail2ban.actions [3526]: NOTICE [sshd] Ban 146.0.77.xxx 2016-04-06 08:53:21,836 fail2ban.action [3526]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: '' 2016-04-06 08:53:21,836 fail2ban.action [3526]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: '' 2016-04-06 08:53:21,836 fail2ban.action [3526]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1 2016-04-06 08:53:21,836 fail2ban.CommandAction [3526]: ERROR Invariant check failed. Trying to restore a sane environment 2016-04-06 08:53:21,941 fail2ban.action [3526]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd iptables -w -F f2b-sshd iptables -w -X f2b-sshd -- stdout: '' 2016-04-06 08:53:21,941 fail2ban.action [3526]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd iptables -w -F f2b-sshd iptables -w -X f2b-sshd -- stderr: "iptables v1.4.21: Couldn't load target `f2b-sshd':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n" 2016-04-06 08:53:21,941 fail2ban.action [3526]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd iptables -w -F f2b-sshd iptables -w -X f2b-sshd -- returned 1 2016-04-06 08:53:21,942 fail2ban.actions [3526]: ERROR Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f3f3dfff938>, 'matches': u'Apr 6 08:53:19 bmn1 sshd[15131]: Invalid user ftpuser from 146.0.77.xxx\nApr 6 08:53:19 bmn1 sshd[15131]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=146.0.77.xxx \nApr 6 08:53:21 bmn1 sshd[15131]: Failed password for invalid user ftpuser from 146.0.77.xxx port 50352 ssh2', 'ip': '146.0.77.xxx', 'ipmatches': <function <lambda> at 0x7f3f3dfff848>, 'ipfailures': <function <lambda> at 0x7f3f3dfff7d0>, 'time': 1459925601.7313, 'failures': 3, 'ipjailfailures': <function <lambda> at 0x7f3f3dfff758>})': Error stopping action The "fail2ban.action" Errors seem to span all jails, so I guess there is something wrong going on here. My config in /etc/fail2ban/jail.local: # Fail2Ban configuration file. # # This file was composed for Debian systems from the original one # provided now under /usr/share/doc/fail2ban/examples/jail.conf # for additional examples. # # Comments: use '#' for comment lines and ';' for inline comments # # To avoid merges during upgrades DO NOT MODIFY THIS FILE # and rather provide your changes in /etc/fail2ban/jail.local # # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1/8 185.55.25.119 # "bantime" is the number of seconds that a host is banned. bantime = 7200 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 maxretry = 3 # "backend" specifies the backend used to get files modification. # Available options are "pyinotify", "gamin", "polling" and "auto". # This option can be overridden in each jail as well. # # pyinotify: requires pyinotify (a file alteration monitor) to be installed. # If pyinotify is not installed, Fail2ban will use auto. # gamin: requires Gamin (a file alteration monitor) to be installed. # If Gamin is not installed, Fail2ban will use auto. # polling: uses a polling algorithm which does not require external libraries. # auto: will try to use the following backends, in order: # pyinotify, gamin, polling. backend = auto # "usedns" specifies if jails should trust hostnames in logs, # warn when reverse DNS lookups are performed, or ignore all hostnames in logs # # yes: if a hostname is encountered, a reverse DNS lookup will be performed. # warn: if a hostname is encountered, a reverse DNS lookup will be performed, # but it will be logged as a warning. # no: if a hostname is encountered, will not be used for banning, # but it will be logged as info. usedns = warn # # Destination email address used solely for the interpolations in # jail.{conf,local} configuration files. destemail = [email protected] # # Name of the sender for mta actions sendername = Fail2BanAlerts # # ACTIONS # # Default banning action (e.g. iptables, iptables-new, # iptables-multiport, shorewall, etc) It is used to define # action_* variables. Can be overridden globally or per # section within jail.local file banaction = iptables-multiport # email action. Since 0.8.1 upstream fail2ban uses sendmail # MTA for the mailing. Change mta configuration parameter to mail # if you want to revert to conventional 'mail'. mta = sendmail # Default protocol protocol = tcp # Specify chain where jumps would need to be added in iptables-* actions chain = INPUT # # Action shortcuts. To be used to define action parameter # The simplest action to take: ban only action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report to the destemail. action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"] # ban & send an e-mail with whois report and relevant log lines # to the destemail. action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local # globally (section [DEFAULT]) or per specific section action = "" # # JAILS # # Next jails corresponds to the standard configuration in Fail2ban 0.6 which # was shipped in Debian. Enable any defined here jail by including # # [SECTION_NAME] # enabled = true # # in /etc/fail2ban/jail.local. # # Optionally you may override any other parameter (e.g. banaction, # action, port, logpath, etc) in that section within jail.local [ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 6 [dropbear] enabled = false port = ssh filter = dropbear logpath = /var/log/auth.log maxretry = 6 # Generic filter for pam. Has to be used with action which bans all ports # such as iptables-allports, shorewall [pam-generic] enabled = false # pam-generic filter can be customized to monitor specific subset of 'tty's filter = pam-generic # port actually must be irrelevant but lets leave it all for some possible uses port = all banaction = iptables-allports port = anyport logpath = /var/log/auth.log maxretry = 6 [xinetd-fail] enabled = false filter = xinetd-fail port = all banaction = iptables-multiport-log logpath = /var/log/daemon.log maxretry = 2 [ssh-ddos] enabled = false port = ssh filter = sshd-ddos logpath = /var/log/auth.log maxretry = 6 # Here we use blackhole routes for not requiring any additional kernel support # to store large volumes of banned IPs [ssh-route] enabled = false filter = sshd action = "" logpath = /var/log/sshd.log maxretry = 6 # Here we use a combination of Netfilter/Iptables and IPsets # for storing large volumes of banned IPs # # IPset comes in two versions. See ipset -V for which one to use # requires the ipset package and kernel support. [ssh-iptables-ipset4] enabled = false port = ssh filter = sshd banaction = iptables-ipset-proto4 logpath = /var/log/sshd.log maxretry = 6 [ssh-iptables-ipset6] enabled = false port = ssh filter = sshd banaction = iptables-ipset-proto6 logpath = /var/log/sshd.log maxretry = 6 # # HTTP servers # [apache] enabled = true port = http,https filter = apache-auth logpath = /var/log/apache2/error.log maxretry = 5 findtime = 600 # default action is now multiport, so apache-multiport jail was left # for compatibility with previous (<0.7.6-2) releases [apache-multiport] enabled = false port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 6 [apache-noscript] enabled = false port = http,https filter = apache-noscript logpath = /var/log/apache*/*error.log maxretry = 6 [apache-overflows] enabled = true port = http,https filter = apache-overflows logpath = /var/log/apache2/error.log maxretry = 2 [apache-badbots] enabled = true port = http,https filter = apache-badbots logpath = /var/log/apache2/error.log maxretry = 2 [apache-nohome] enabled = true port = http,https filter = apache-nohome logpath = /var/log/apache2/error.log maxretry = 2 [hn-apache-retry-ban] enabled = true port = http,https filter = hn-apache-retry-ban logpath = /var/log/apache2/access.log maxretry = 5 # Ban attackers that try to use PHP's URL-fopen() functionality # through GET/POST variables. - Experimental, with more than a year # of usage in production environments. [php-url-fopen] enabled = true port = http,https filter = php-url-fopen logpath = /var/log/apache*/*access.log # A simple PHP-fastcgi jail which works with lighttpd. # If you run a lighttpd server, then you probably will # find these kinds of messages in your error_log: # ALERT – tried to register forbidden variable ‘GLOBALS’ # through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php') [lighttpd-fastcgi] enabled = false port = http,https filter = lighttpd-fastcgi logpath = /var/log/lighttpd/error.log # Same as above for mod_auth # It catches wrong authentifications [lighttpd-auth] enabled = false port = http,https filter = suhosin logpath = /var/log/lighttpd/error.log [nginx-http-auth] enabled = false filter = nginx-http-auth port = http,https logpath = /var/log/nginx/error.log # Monitor roundcube server [roundcube-auth] enabled = false filter = roundcube-auth port = http,https logpath = /var/log/roundcube/userlogins [sogo-auth] enabled = false filter = sogo-auth port = http, https # without proxy this would be: # port = 20000 logpath = /var/log/sogo/sogo.log # # FTP servers # [vsftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = vsftpd logpath = /var/log/vsftpd.log # or overwrite it in jails.local to be # logpath = /var/log/auth.log # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats maxretry = 6 [proftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = proftpd logpath = /var/log/proftpd/proftpd.log maxretry = 6 [pure-ftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = pure-ftpd logpath = /var/log/syslog maxretry = 6 [wuftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = wuftpd logpath = /var/log/syslog maxretry = 6 # # Mail servers # [postfix] enabled = false port = smtp,ssmtp,submission filter = postfix logpath = /var/log/mail.log [couriersmtp] enabled = false port = smtp,ssmtp,submission filter = couriersmtp logpath = /var/log/mail.log # # Mail servers authenticators: might be used for smtp,ftp,imap servers, so # all relevant ports get banned # [courierauth] enabled = false port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s filter = courierlogin logpath = /var/log/mail.log [sasl] enabled = false port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s filter = postfix-sasl # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. logpath = /var/log/mail.log [dovecot] enabled = false port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s filter = dovecot logpath = /var/log/mail.log # To log wrong MySQL access attempts add to /etc/my.cnf: # log-error=/var/log/mysqld.log # log-warning = 2 [mysqld-auth] enabled = false filter = mysqld-auth port = 3306 logpath = /var/log/mysqld.log # DNS Servers # These jails block attacks against named (bind9). By default, logging is off # with bind9 installation. You will need something like this: # # logging { # channel security_file { # file "/var/log/named/security.log" versions 3 size 30m; # severity dynamic; # print-time yes; # }; # category security { # security_file; # }; # }; # # in your named.conf to provide proper logging # !!! WARNING !!! # Since UDP is connection-less protocol, spoofing of IP and imitation # of illegal actions is way too simple. Thus enabling of this filter # might provide an easy way for implementing a DoS against a chosen # victim. See # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html # Please DO NOT USE this jail unless you know what you are doing. #[named-refused-udp] # #enabled = false #port = domain,953 #protocol = udp #filter = named-refused #logpath = /var/log/named/security.log [named-refused-tcp] enabled = false port = domain,953 protocol = tcp filter = named-refused logpath = /var/log/named/security.log # Multiple jails, 1 per protocol, are necessary ATM: # see https://github.com/fail2ban/fail2ban/issues/37 [asterisk-tcp] enabled = false filter = asterisk port = 5060,5061 protocol = tcp logpath = /var/log/asterisk/messages [asterisk-udp] enabled = false filter = asterisk port = 5060,5061 protocol = udp logpath = /var/log/asterisk/messages # Jail for more extended banning of persistent abusers # !!! WARNING !!! # Make sure that your loglevel specified in fail2ban.conf/.local # is not at DEBUG level -- which might then cause fail2ban to fall into # an infinite loop constantly feeding itself with non-informative lines [recidive] enabled = false filter = recidive logpath = /var/log/fail2ban.log action = "" sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] bantime = 604800 ; 1 week findtime = 86400 ; 1 day maxretry = 5 ################################################################## The Jail Actions are all "out of the box" except /etc/fail2ban/filter.d/hn-apache-retry-ban.conf [Definition] # Use this for "soft" bad behaviour, as the source will only be banned after multiple retries. failregex = ^<HOST> -.*"POST (/shop/downloader/index.php\?A=loggedin HTTP.*" 302|/shop/index.php/backend HTTP.*" 200|/shop/index.php/backend/index/.* HTTP.*" 200).*$ ignoreregex = This is meant to ban repeated faild login to Magento E-Commerce and the Downloader component. Thank you again for any hints concerning these trobles! Best regards, Alexander On 08.04.2016 04:20, Bill Shirley wrote:As far as I know, fail2ban never "reloads" the firewall rules. fail2ban just manages its chains. Perhaps there's something in the "load-balancer" doing this. You should list your action rules and jail. -> I have a startup script, that sets the Firewall NAT rules on every startup of the system in RC4. iptables defaults to -t filter which is what your including here. You should be using -t nat if you think it's changing the NAT rules. Bill On 4/7/2016 7:33 AM, Alexander R. Gruber wrote:Thank you Steve, for your answer. To your questions:How do you have the load balanced rules set? are they persistent in a file that is always run from server start up? |
------------------------------------------------------------------------------
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
