At the bottom of /etc/fail2ban/action.d/iptables-ipset-proto6.conf:
[Init]

# Option: default-timeout
# Notes:  specifies default timeout in seconds (handled default ipset timeout only)
# Values:  [ NUM ]  Default: 600

default-timeout = 600

ipmset = f2b-<name>
familyopt =


[Init?family=inet6]

ipmset = f2b-<name>6
familyopt = <sp>family inet6

<name> comes from your jail:
banaction = iptables-ipset-proto6
I'm surprised it doesn't have the name param: banaction = iptables-ipset-proto6[name=something]

The two come together to create the ipset name.  Have a look at your ipset names:
ipset -L | grep -e Name
Any fail2ban ipsets will be prefixed with 'f2b-'. Make sure csf or iptables is utilizing the ipset.

Bill
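As an added illustration (a simplified Python model written for this thread, not fail2ban's own code): how `<ipmset>` is expanded to `f2b-exim-reject` (or `f2b-exim-reject6` for an IPv6 ban) only at the moment a command is run, so the order in which the DEBUG log below shows tags being set does not matter, plus the f2b- filter over `ipset -L` output. The tag values are copied from the quoted log; `<sp>` meaning a single space, the recursion limit, and the constructed `ipset -L` sample are assumptions.

```python
import re

# Tags as the thread's DEBUG log shows them being set; <name> comes from the jail.
# Simplified model for illustration, not fail2ban's implementation.
TAGS = {
    "name": "exim-reject",
    "ipmset": "f2b-<name>",
    "familyopt": "",
    "sp": " ",  # assumed: fail2ban's tag for a literal space
    "lockingopt": "-w",
    "iptables": "iptables <lockingopt>",
    "blocktype": "REJECT --reject-with icmp-port-unreachable",
    "actionstart": "ipset create <ipmset> hash:ip timeout 600<familyopt>\n"
                   "<iptables> -I INPUT -p tcp -m multiport --dports smtp,ssmtp "
                   "-m set --match-set <ipmset> src -j <blocktype>",
    # 'tag?family=inet6' entries override the plain tag when banning an IPv6 host
    "ipmset?family=inet6": "f2b-<name>6",
    "familyopt?family=inet6": "<sp>family inet6",
    "iptables?family=inet6": "ip6tables <lockingopt>",
    "blocktype?family=inet6": "REJECT --reject-with icmp6-port-unreachable",
}

TAG_RE = re.compile(r"<([\w-]+)>")

def expand(template, tags, family="inet", max_depth=10):
    """Recursively replace <tag> at command time, preferring the family override;
    'Set ipmset' logged before 'Set name' is therefore harmless."""
    def lookup(m):
        key = m.group(1)
        val = tags.get(f"{key}?family={family}", tags.get(key))
        return m.group(0) if val is None else val  # unknown tags (e.g. <ip>) stay
    for _ in range(max_depth):
        expanded = TAG_RE.sub(lookup, template)
        if expanded == template:
            return template
        template = expanded
    raise ValueError("tag recursion too deep")

def ipset_name(tags, family="inet"):
    return expand("<ipmset>", tags, family)  # the set fail2ban will create

def start_commands(tags, family="inet"):
    return expand(tags["actionstart"], tags, family).split("\n")

# Constructed sample of `ipset -L` output: one csf set and one fail2ban set.
SAMPLE_IPSET_L = "Name: chain_DENY\nType: hash:net\nMembers:\n\nName: f2b-exim-reject\nType: hash:ip\n"

def f2b_sets(ipset_list_output):
    """Set names carrying the f2b- prefix in `ipset -L` output (Bill's check)."""
    names = [line.split(":", 1)[1].strip() for line in ipset_list_output.splitlines()
             if line.startswith("Name:")]
    return [n for n in names if n.startswith("f2b-")]
```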

On 9/2/2020 1:17 PM, Phillip Carroll wrote:
On 9/2/2020 5:43 AM, Phillip Carroll wrote:
On 9/1/2020 6:04 PM, Richard Shaw wrote:
On Tue, Sep 1, 2020 at 7:45 PM Phillip Carroll <[email protected]> wrote:

    I have been using csf/lfd as my firewall for several years on several
    versions of CentOS, currently CentOS7. I am using several ipset-managed
    blocklists supported directly by csf. Some of these are fairly huge
    (such as whole country blocks), and it changes them in fractions of a
    second. Very happy with everything it does.

    However, csf syntax for custom regex applied to logs is relatively
    clumsy and error-prone so I have installed fail2ban in hopes of using
    that for custom log-based bans.

    For my initial testing I have set up one jail and a corresponding
    filters. (I found that all very simple.)

    My intent:
    On filter matches, immediately ban the host IP for one full day. Use
    ipset to implement the bans.

    The test case basically watches my exim reject.log (using inotify) and
    unerringly finds the naughty hosts I want to ban.

    My setup:
    jail.local has:

     > [exim-reject]
     > mode      = normal
     > port      = smtp,ssmtp
     > logpath   = /var/log/exim/reject.log
     > filter    = exim-reject
     > maxmatches = 1
     > maxretry   = 1
     > backend   = auto
     > bantime   = 1d
     > banaction = iptables-ipset-proto6
     > enabled   = true

    And exim-reject.conf contains:

     > [INCLUDES]
     > before = exim-common.conf
     > [Definition]
     > failregex = <HOST> is listed at zen.spamhaus.org
     >             \[<HOST>\]:25 dropped: too many syntax or protocol errors

    The contents of fail2ban.log indicate everything is working. It says it
    found the lines I expected it to find, and has issued bans (and unbans a
    day later).

    However, when I list the ipset sets on the console, the only sets listed
    are those managed by csf. Clearly I have implemented something
    incorrectly. I am hoping somebody on the list can set me straight. Is it
    possibly a permissions problem?


That's quite a bit more complex an installation than I use, so I can't help you there, but fail2ban version and source (EPEL, self install, etc.) would be helpful.

Thanks,
Richard

@Richard,

This server has only prebuilt packages from the standard repos, managed using 
yum. It is a pretty typical headless server.

I don't use selinux because of conflicts with the ISP provided kernel. (Linode)

From yum list installed:
fail2ban.noarch              0.11.1-9.el7.2     @epel
fail2ban-server.noarch       0.11.1-9.el7.2     @epel
ipset.x86_64                 7.1-1.el7          @base
ipset-libs.x86_64            7.1-1.el7          @base
iptables.x86_64              1.4.21-34.el7      @base
iptables-services.x86_64     1.4.21-34.el7      @base

Phil


_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

I turned on DEBUG and restarted fail2ban.  Following is the result in fail2ban.log.

The difficulty I have is understanding the content of the scripting macros used in the various commands at the time the commands are issued.  For instance, what does "<ipmset>" contain at the time of the ipset create command?  The log would appear to indicate the scripting is such that values are used before they are defined. After the create, I see the value set as 'f2b-<name>' which is dependent on the value of <name> which is set on a subsequent set command as 'exim-reject'.

If this order is the actual sequence it would explain the fact that the set 'f2b-exim-reject' does not exist after the restart of fail2ban.
However, perhaps I just don't understand the inner workings.

The log:

2020-09-02 08:34:17,939 fail2ban.server         [4077]: INFO    Reload all jails
2020-09-02 08:34:17,939 fail2ban.server         [4077]: INFO Reload jail 'exim-reject'
2020-09-02 08:34:17,940 fail2ban.filter         [4077]: DEBUG Setting usedns = warn for FilterPyinotify(Jail('exim-reject'))
2020-09-02 08:34:17,940 fail2ban.server         [4077]: DEBUG     failregex: '<HOST> is listed at zen.spamhaus.org'
2020-09-02 08:34:17,940 fail2ban.server         [4077]: DEBUG     failregex: '\\[<HOST>\\]:25 dropped: too many syntax or protocol errors'
2020-09-02 08:34:17,940 fail2ban.filter         [4077]: INFO      maxRetry: 1
2020-09-02 08:34:17,940 fail2ban.filter         [4077]: INFO      encoding: UTF-8
2020-09-02 08:34:17,940 fail2ban.filter         [4077]: INFO      findtime: 600
2020-09-02 08:34:17,940 fail2ban.actions        [4077]: INFO      banTime: 86400
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set actionunban = 'ipset del <ipmset> <ip> -exist'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set actionflush = 'ipset flush <ipmset>'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set actionstop = '<iptables> -D INPUT -p tcp -m multiport --dports smtp,ssmtp -m set --match-set <ipmset> src -j <blocktype>\nipset flush <ipmset>\nipset destroy <ipmset>'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set actionstart = 'ipset create <ipmset> hash:ip timeout 600<familyopt>\n<iptables> -I INPUT -p tcp -m multiport --dports smtp,ssmtp -m set --match-set <ipmset> src -j <blocktype>'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set actionprolong = 'ipset add <ipmset> <ip> timeout <bantime> -exist'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set actionban = 'ipset add <ipmset> <ip> timeout <bantime> -exist'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set protocol = 'tcp'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set chain = '<known/chain>'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set lockingopt = '-w'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set ipmset = 'f2b-<name>'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set blocktype = 'REJECT --reject-with icmp-port-unreachable'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set default-timeout = '600'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set blocktype?family=inet6 = 'REJECT --reject-with icmp6-port-unreachable'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set port = 'smtp,ssmtp'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set actname = 'iptables-ipset-proto6'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set iptables = 'iptables <lockingopt>'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set familyopt?family=inet6 = '<sp>family inet6'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set familyopt = ''
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set returntype = 'RETURN'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set ipmset?family=inet6 = 'f2b-<name>6'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set iptables?family=inet6 = 'ip6tables <lockingopt>'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set name = 'exim-reject'
2020-09-02 08:34:17,942 fail2ban.server         [4077]: INFO Jail 'exim-reject' reloaded
2020-09-02 08:34:17,943 fail2ban.actions        [4077]: NOTICE [exim-reject] Flush ticket(s) with iptables-ipset-proto6
2020-09-02 08:34:17,943 fail2ban.actions        [4077]: DEBUG     Unbanned 7, 7 ticket(s) in 'exim-reject'
2020-09-02 08:34:17,943 fail2ban.actions        [4077]: DEBUG exim-reject: action iptables-ipset-proto6 terminated
2020-09-02 08:34:17,943 fail2ban.server         [4077]: INFO Reload finished.
