On 07.07.2020 at 15:22, Yassine Chaouche wrote:
>
> Thank you Peter, that was much appreciated.
>
> Maybe the problem comes from the shorewall action I am using, which
> isn't as feature-rich as the iptables action. Compare:
>
> root@messagerie[10.10.10.19] ~ # removeblanks /etc/fail2ban/action.d/iptables.conf
> [INCLUDES]
> before = iptables-blocktype.conf
> [Definition]
> actionstart = iptables -N fail2ban-<name>
>               iptables -A fail2ban-<name> -j RETURN
>               iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
> actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
>              iptables -F fail2ban-<name>
>              iptables -X fail2ban-<name>
> actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
> actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
> actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
> [Init]
> name = default
> port = ssh
> protocol = tcp
> chain = INPUT
> root@messagerie[10.10.10.19] ~ # removeblanks /etc/fail2ban/action.d/shorewall.conf
> [Definition]
> actionstart =
> actionstop =
> actioncheck =
> actionban = shorewall <blocktype> <ip>
> actionunban = shorewall allow <ip>
> [Init]
> blocktype = reject
> root@messagerie[10.10.10.19] ~ #
>
>
So if your shorewall config runs fine mostly, think about letting most
jails use shorewall and running only 2 jails within iptables directly.

The first one is recidive, the second one I recommend is ip-blacklist-net.

A good idea is to NOT run with INPUT as chain. Better, I think, is to create
a chain, maybe INPUT_F2B, and set this up in your default firewall.

In your default firewall you create this chain INPUT_F2B, which contains
a RETURN rule only,

the same as fail2ban does with the

iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN

rules, i.e.

iptables -N INPUT_F2B
iptables -A INPUT_F2B -j RETURN

Then insert a jump in the INPUT chain to INPUT_F2B and modify chain=INPUT to
chain=INPUT_F2B (in newer fail2ban see iptables-common.conf, where the
chain=xxxx config is).

Of course make a copy renamed xxxx.local of all files and change within
these files!

The advantage is in sophisticated setups. Usually fail2ban creates a new
chain (named f2b-<name> or fail2ban-<name> in your case) and inserts a
jump to this chain at first position in the INPUT chain. However, in my setup
I expect to run some rules before the fail2ban rules, i.e. to accept
local loop-back interfaces (127.0.0.1) first, accept IP packets
belonging to some privileged IP addresses (another server I maintain),
to ensure access to the server even if fail2ban goes wild. Third is to use the log
feature of iptables for some ports (rate limited of course), for some
"honeypot" ports, in my case telnet port 23. I don't run any telnet
daemon on my servers, but access to port 23 is dropped and logged, like
some other ports. Because the log can be rate limited to some few every
minute, there is no danger of a DOS attack. Nobody has a right to try
telnet on my server, so I can trigger a rule which closes all ports for
a small time.

That hides some useful ports (like ssh moved to a lot above 1024)
from a portscan sometimes, because often ports < 1024 are scanned first.
However, that's also a good honeypot. Currently telnet has triggered for
about 750 IP addresses since 30th June 2020 (if you want to see for
yourself: https://heirich.name/report/hacker2_woche.html sorry, it runs in
German translation mode, because I'm a native German).

Therefore I have a jump from INPUT to INPUT_F2B as a later entry in the INPUT
chain and let fail2ban do the work within a special chain INPUT_F2B.

Additional: I recommend ip-blacklist-net, which I currently maintain
manually. The chain blocks a whole network, /24 in case of IPv4 and /64 in case
of IPv6, for 366d.

It's a simple text file

# version: [07/07/2020 00:00:00]
[06/07/2020 09:39:00] 2002:c6cc:e172::c6cc:e172
[07/07/2020 20:11:32] 180.149.126.1

I've set these up as a logfile, but currently the only one who is making
entries is me :-). Using a special action, fail2ban creates bans for
whole networks. The format of the date, btw., is dd/mm/yyyy.

--------------------------- snip ---------------------------
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I <iipmset> 1 -s <ip>/<cidr> -j <blocktype>
            <iptables> -I <oipmset> 1 -d <ip>/<cidr> -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D <iipmset> -s <ip>/<cidr> -j <blocktype>
              <iptables> -D <oipmset> -d <ip>/<cidr> -j <blocktype>

[Init]
protocol = all

iipmset = f2ki-<name>
oipmset = f2ko-<name>

# remember: output_f2k and input_f2k are part of the firewall and this
# chain is designed as an ip-address only chain;
# it should not contain any port definitions
ichain = input_f2k
ochain = output_f2k

familyopt =

cidr = 24

[Init?family=inet6]
protocol = all

iipmset = f2ki-<name>6
oipmset = f2ko-<name>6

ichain = input_f2k
ochain = output_f2k

familyopt = <sp>family inet6

cidr = 64
------------------------------------- snap ---------------------------------------------------------

Note: this action is useless in a default setup, because it handles
different jails for input and output, but the use of

iptables .....     -s <ip>/<cidr>

should be clear. The cidr=24 or cidr=64 assigned during init is used.

But that is made for 0.11.2, which handles IPv6 also. OK, end of sidekick to
current fail2ban. I've appended an OLD modified version of
iptables-allports.conf.

It should be used in a jail definition like


[ip-blacklist-net]
enabled = true
action = iptables-allports[chain="INPUT", name="ip-blacknet", protocol="all", cidr="24", blocktype="DROP"]
filter = ip-blacklist
logpath = /etc/fail2ban/ip-blacklist-net
maxretry = 1
findtime = 8553600
bantime = 8553600

It's from a system running Plesk Onyx, but Plesk fails to update there
to Plesk Obsidian (with newer fail2ban). However, because I will change
this system next time from CentOS 6 to CentOS 8, I'm not updating
fail2ban, which is part of Plesk and ugly old too.

Greetings

Peter


# Fail2Ban filter tries to detect:
# login via telnet on port 23, but there isn't any telnet daemon
# access to directadmin port 2222, but there isn't any
# access to Xbox Live port 3074, but there isn't any
#
#

[INCLUDES]

before = PKT-common.conf

[Definition]

# Apr  1 17:53:17 austria136 kernel: MYFW-INlog-DROP-DEFLT IN=eth0 OUT= MAC=00:19:99:a4:13:41:5c:5e:ab:7e:40:81:08:00 SRC=91.203.239.222 DST=217.172.186.11 LEN=40 TOS=0x
# PROTO=TCP SPT=34632 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0

failregex = ^%(__pkt_in4_prefix_line)s IN=\S* OUT=\S* MAC=\S+ (TUNNEL=\S+\s*)?SRC=<HOST> DST=\S+ LEN=\d+ TOS=\S* PREC=\S* TTL=\d+ ID=\S+ PROTO=TCP SPT=\S+ DPT=23 WINDOW=
            ^%(__pkt_in6_prefix_line)s IN=\S* OUT=\S* MAC=\S+ (TUNNEL=\S+\s*)?SRC=<HOST> DST=\S+ LEN=\d+ TC=\S* HOPLIMIT=\d+ FLOWLBL=\d+ PROTO=TCP SPT=\S+ DPT=23 WINDOW=


ignoreregex =

# DEV Notes:
#
# example ( logged by the kernel ):
#
# Apr  1 17:53:17 austria136 kernel: MYFW-INlog-DROP-DEFLT IN=eth0 OUT= MAC=00:19:99:a4:13:41:5c:5e:ab:7e:40:81:08:00 SRC=91.203.239.222 DST=217.172.186.11 LEN=40
# TOS=0x00 PREC=0x00 TTL=245 ID=2722 PROTO=TCP SPT=34632 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
#
# Apr  2 03:32:27 austria136 kernel: MYFW-INlog-DROP-DEFLT IN=eth0 OUT= MAC=00:19:99:a4:13:41:b0:c6:9a:67:d6:81:08:00 SRC=121.54.169.35 DST=217.172.186.11 LEN=52
# TOS=0x08 PREC=0x40 TTL=95 ID=256 PROTO=TCP SPT=6000 DPT=3074 WINDOW=63443 RES=0x00 SYN URGP=0 OPT (020402180103030201010402)
#
# Apr  2 19:25:45 austria136 kernel: M6FW-INlog-DROP-DEFLT IN=sit1 OUT= MAC=00:19:99:a4:13:41:b0:c6:9a:67:d6:81:08:00:45:00:00:64:e7:d6:40:00:f8:29:da:74:d8:42:54:2a:d9:
# TUNNEL=216.66.84.42->217.172.186.11 SRC=2001:0470:702b:0000:f741:3955:6972:6290 DST=2001:0470:1f13:107e:0000:0000:1001:1001 LEN=80
# TC=0 HOPLIMIT=249 FLOWLBL=672608 PROTO=TCP SPT=39018 DPT=23 WINDOW=28240 RES=0x00 SYN URGP=0 OPT (020405840402080A905D19700000000001030307)
#
# Author: Peter Heirich

#
# Format of the block file:
#
##Version: [08/04/2017 00:00:00]
#[29/12/2013 12:00:00] 5.9.152.104
#[30/12/2013 12:00:00] 116.45.98.4

[Definition]

# Option:  failregex
# Notes :  Detection of blocked ip addresses.
# Values:  TEXT
#

failregex = ^\[.*\] <HOST>
            ^\d{2}/\d{2}/\d{2,4}[: ]\d{2}:\d{2}:\d{2} <HOST>

# Option:  ignoreregex
# Notes :  Regex to ignore.
# Values:  TEXT
#

ignoreregex = ^#.*$
              ^\s+#.*$

# Author: Peter Heirich
#
# note: after entry done manualy change first line ( #Version ... )
# this causes detection of change log event and re-read by fail2ban
#
# default mode is to add entries from a .cgi script, then because
# file expands in size re-read is done without changeing first line
#.


# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <deb...@onerussian.com>
#                       made active on all ports from original iptables.conf
#
#

[INCLUDES]

before = iptables-common.conf


[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -j f2b-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
             <iptables> -F f2b-<name>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip>/<cidr> -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip>/<cidr> -j <blocktype>

[Init]

cidr = 32
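As an added example (not from the mail or its attachments), here is a small Python stand-in for fail2ban's failregex/ignoreregex matching, run over both attached filters: the telnet honeypot filter against constructed kernel log lines, and the ip-blacklist filter against a constructed block file. The `<HOST>` tag and the `%(__pkt_in4_prefix_line)s` / `%(__pkt_in6_prefix_line)s` prefixes from PKT-common.conf are not on the page and are replaced by simplified, assumed patterns; the addresses are documentation ranges.

```python
import re
# Simplified stand-in for fail2ban's <HOST> tag (assumption; fail2ban's real pattern is richer).
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"
# Assumed stand-in for %(__pkt_in4_prefix_line)s / %(__pkt_in6_prefix_line)s of PKT-common.conf (not on the page).
PREFIX = r"\S+ +\d+ \d+:\d+:\d+ \S+ kernel: \S+"
COMMON = r"^" + PREFIX + r" IN=\S* OUT=\S* MAC=\S+ (TUNNEL=\S+\s*)?SRC=" + HOST + r" DST=\S+ LEN=\d+ "
# The two failregex lines of the telnet "honeypot" filter, tags substituted.
TELNET_FAILREGEX = [re.compile(COMMON + r"TOS=\S* PREC=\S* TTL=\d+ ID=\S+ PROTO=TCP SPT=\S+ DPT=23 WINDOW="),
                    re.compile(COMMON + r"TC=\S* HOPLIMIT=\d+ FLOWLBL=\d+ PROTO=TCP SPT=\S+ DPT=23 WINDOW=")]
# failregex and ignoreregex of the ip-blacklist filter (comment lines are ignored).
BLACKLIST_FAILREGEX = [re.compile(r"^\[.*\] " + HOST),
                       re.compile(r"^\d{2}/\d{2}/\d{2,4}[: ]\d{2}:\d{2}:\d{2} " + HOST)]
BLACKLIST_IGNOREREGEX = [re.compile(r"^#.*$"), re.compile(r"^\s+#.*$")]

def find_hosts(lines, failregex, ignoreregex=()):
    """Return the <HOST> capture of every line matching a failregex and no ignoreregex."""
    hosts = []
    for line in lines:
        line = line.rstrip("\n")
        if any(r.search(line) for r in ignoreregex):
            continue
        for r in failregex:
            m = r.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts

# Constructed kernel log lines in the format of the filter's DEV notes (documentation addresses).
KERNEL_LOG = [
    "Apr  1 17:53:17 austria136 kernel: MYFW-INlog-DROP-DEFLT IN=eth0 OUT= "
    "MAC=00:19:99:a4:13:41:5c:5e:ab:7e:40:81:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 "
    "TOS=0x00 PREC=0x00 TTL=245 ID=2722 PROTO=TCP SPT=34632 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0",
    # same format, but destination port 22 (ssh, not the telnet honeypot): must not match
    "Apr  1 17:53:18 austria136 kernel: MYFW-INlog-DROP-DEFLT IN=eth0 OUT= "
    "MAC=00:19:99:a4:13:41:5c:5e:ab:7e:40:81:08:00 SRC=192.0.2.11 DST=198.51.100.5 LEN=40 "
    "TOS=0x00 PREC=0x00 TTL=245 ID=2723 PROTO=TCP SPT=34633 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0",
    # IPv6 arriving over a sit tunnel, like the filter's third DEV example
    "Apr  2 19:25:45 austria136 kernel: M6FW-INlog-DROP-DEFLT IN=sit1 OUT= "
    "MAC=00:19:99:a4:13:41:b0:c6:9a:67:d6:81:08:00 TUNNEL=198.51.100.1->198.51.100.5 "
    "SRC=2001:0db8:0000:0000:f741:3955:6972:6290 DST=2001:0db8:0000:0000:0000:0000:1001:1001 LEN=80 "
    "TC=0 HOPLIMIT=249 FLOWLBL=672608 PROTO=TCP SPT=39018 DPT=23 WINDOW=28240 RES=0x00 SYN URGP=0",
]
# Constructed ip-blacklist-net file (dd/mm/yyyy), including the comment lines fail2ban must skip.
BLACKLIST_FILE = [
    "# version: [07/07/2020 00:00:00]",
    "[06/07/2020 09:39:00] 2001:db8:c6cc:e172::c6cc:e172",
    "   # indented comment",
    "[07/07/2020 20:11:32] 192.0.2.77",
]
```

Only the two DPT=23 lines yield a host from the telnet filter; the blacklist file yields its two address entries and none of its comment lines.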
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
