I have my own method of interfacing fail2ban and Shorewall; it uses ipsets:
Ban by IP address - /etc/fail2ban/action.d/my_ipset_ip.conf:
[INCLUDES]

before = iptables-blocktype.conf

[Definition]
actioncheck =
actionstart =
actionstop =
# my_timeout = 0 makes the entry permanent in the set; fail2ban removes it via actionunban
actionban = ipset -exist add fail2ban-<name> <ip> timeout <my_timeout>
actionunban = ipset -exist del fail2ban-<name> <ip>

[Init]
name = IPv4-ip
my_timeout = 0

Ban by IP address and port - /etc/fail2ban/action.d/my_ipset_ipport.conf:
[INCLUDES]

before = iptables-blocktype.conf

[Definition]
actioncheck =
actionstart =
actionstop =
# entries are ip,proto:port so the ban only covers the service the jail protects
actionban = ipset -exist add fail2ban-<name> <ip>,<protocol>:<port> timeout <my_timeout>
actionunban = ipset -exist del fail2ban-<name> <ip>,<protocol>:<port>

[Init]
name = IPv4-port
port = http
protocol = tcp
my_timeout = 0

To ban multiple ports, I created symlinks for 2, 3, and 4.  fail2ban wouldn't repeat an action with the same name in the same defined jail.
[0:root@elmo action.d]$ ls -l my_ipset_ip*
-rw-r--r--. 1 root root 315 Mar 28  2017 my_ipset_ip.conf
lrwxrwxrwx. 1 root root  20 Jul 23  2015 my_ipset_ipport2.conf -> my_ipset_ipport.conf
lrwxrwxrwx. 1 root root  20 Jul 23  2015 my_ipset_ipport3.conf -> my_ipset_ipport.conf
lrwxrwxrwx. 1 root root  20 Jul 23  2015 my_ipset_ipport4.conf -> my_ipset_ipport.conf
-rw-r--r--. 1 root root 380 Mar 28  2017 my_ipset_ipport.conf

The following jail bans by IP address and port. This allows users to still get access to other services (IMAP, POP3, http, https) even though they're banned from postfix.
jail.local:
[postfix-sasl]
#enabled                = false
enabled         = true
filter          = postfix-sasl
action          = my_ipset_ipport[port=smtp]
                  my_ipset_ipport2[port=smtps]
                  my_ipset_ipport3[port=submission]
logpath         = /var/log/maillog
maxretry        = 3
bantime         = 600
findtime        = 7200
and your long one:
[postfix-sasl-long]
#enabled                = false
enabled         = true
filter          = postfix-sasl
action          = my_ipset_ipport[name=IPv4-port-long, port=smtp]
                  my_ipset_ipport2[name=IPv4-port-long, port=smtps]
                  my_ipset_ipport3[name=IPv4-port-long, port=submission]
logpath         = /var/log/maillog
maxretry        = 10
bantime         = 86400
findtime        = 432000


/etc/shorewall/init:
# ipset for ban by IP address
ipset -exist create fail2ban-IPv4-ip hash:ip timeout 86400
# ipset for ban by IP address and port
ipset -exist create fail2ban-IPv4-port hash:ip,port timeout 86400
# you'll want one with a different one for long bans:
ipset -exist create fail2ban-IPv4-port-long hash:ip,port timeout 86400

Right after '?SECTION NEW' in /etc/shorewall/rules:
?COMMENT flagged by fail2ban
DROP net:+fail2ban-IPv4-ip[src]             fw
DROP    net:+fail2ban-IPv4-port[src,dst]       fw
# you'll want one with a different one for long bans:
DROP    net:+fail2ban-IPv4-port-long[src,dst] fw

Bill

On 10/29/2017 12:48 PM, Tom Hendrikx wrote:
Hi,

your problem is shorewall.

The shorewall block method only takes a single input: the ip address. It
is not able to differ between multiple jails (unlike f.i. iptables).

That means that when 187.178.172.36 connects, it is probably banned by
postfix-sasl after a few times. After a short while it is unbanned, and
promptly returns. After a few times of banning/unbanning by postfix-sasl,
it will also be banned by postfix-sasl-long. Now the address is banned
by 2 jails.

Then it is unbanned again by postfix-sasl, and thus removed from the
shorewall blacklist. Fail2ban thinks that postfix-sasl-long is still
banning this, but shorewall doesn't block it. Now the address can keep
coming back and fail2ban won't block it again.

Shorewall is a dumb jail, don't use it when you want to do sophisticated
things like short and long blocks for the same port, or f.i. using
recidive jail.


Kind regards,
        Tom
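Added example, not code from either poster, from fail2ban or from Shorewall: a small in-memory Python model of the ipset layout above. It renders the two action lines from my_ipset_ipport.conf with fail2ban's <tag> substitution, replays the sequence Tom describes (host banned by postfix-sasl and postfix-sasl-long, then the short ban expires), and shows that separate sets per jail name keep the long ban in force while a single shared set loses it. The IpsetModel class, the render/ban/unban helpers, the address 192.0.2.10 and the absence of timeout handling are all assumptions of this example.

```python
# Added example (not from the post): model of per-jail ipsets vs. one shared set.
from collections import defaultdict

# The two action lines from my_ipset_ipport.conf, using fail2ban's <tag> syntax.
ACTIONBAN = "ipset -exist add fail2ban-<name> <ip>,<protocol>:<port> timeout <my_timeout>"
ACTIONUNBAN = "ipset -exist del fail2ban-<name> <ip>,<protocol>:<port>"


def render(template, **tags):
    """Substitute fail2ban-style <tag> placeholders into an action line."""
    for key, value in tags.items():
        template = template.replace(f"<{key}>", str(value))
    return template


class IpsetModel:
    """Toy stand-in for the kernel's hash:ip,port sets (assumption: entry timeouts are not modelled)."""

    def __init__(self):
        self.sets = defaultdict(set)

    def run(self, cmd):
        # Parse exactly the shape the action lines produce:
        # ipset -exist add|del <set> <ip>,<proto>:<port> [timeout N]
        parts = cmd.split()
        if parts[:2] != ["ipset", "-exist"]:
            raise ValueError(f"unexpected command: {cmd}")
        op, name, entry = parts[2], parts[3], parts[4]
        if op == "add":
            self.sets[name].add(entry)       # -exist: adding twice is not an error
        elif op == "del":
            self.sets[name].discard(entry)   # -exist: deleting a missing entry is not an error
        else:
            raise ValueError(f"unsupported ipset op: {op}")

    def blocked(self, ip, protocol, port):
        """True if any set holds the entry, i.e. one of the Shorewall DROP rules would match."""
        entry = f"{ip},{protocol}:{port}"
        return any(entry in members for members in self.sets.values())


def ban(model, name, ip, port):
    model.run(render(ACTIONBAN, name=name, ip=ip, protocol="tcp", port=port, my_timeout=0))


def unban(model, name, ip, port):
    model.run(render(ACTIONUNBAN, name=name, ip=ip, protocol="tcp", port=port))


def short_and_long_ban(short_name, long_name, ip="192.0.2.10", port="smtp"):
    """Replay the thread's sequence: banned by both jails, then the short jail's bantime elapses.

    Returns whether the host is still blocked on `port` after the short jail's unban.
    """
    model = IpsetModel()
    ban(model, short_name, ip, port)    # postfix-sasl (bantime 600)
    ban(model, long_name, ip, port)     # postfix-sasl-long (bantime 86400)
    unban(model, short_name, ip, port)  # postfix-sasl expires first
    return model.blocked(ip, "tcp", port)


if __name__ == "__main__":
    # Separate set per jail, as in the jail.local above: the long ban survives.
    print("separate sets:", short_and_long_ban("IPv4-port", "IPv4-port-long"))
    # One shared set for both jails: the short unban also clears the long ban,
    # which is the failure mode described for a single blacklist.
    print("shared set:   ", short_and_long_ban("IPv4-port", "IPv4-port"))
```

The design point is that the set name carries the jail identity: because actionban and actionunban both expand <name>, giving the long jail name=IPv4-port-long makes its entries live in a different set, so the short jail's `ipset del` cannot touch them.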


