Hello André.

Question: are you running fail2ban to monitor your logfiles? If so, I wonder why you would use fail2ban-client!

Back to your response.

Well, I think you got something wrong here.

The 'set' command you're using in your example is the fail2ban-client way of saying 'create' a line in the sshd jail, but it has nothing to do with nft sets, and you'd also need to give some more information if the purpose was to have fail2ban unban these IPs after a given time.

I do not use fail2ban-client anymore since I went with fail2ban using nft, and that's a long time ago (more than a couple of years 😀).

I let fail2ban take care of what it does best, namely checking my logfiles and banning the 'bad' IPs that it finds using its rules (some standard and some made by me), all in the background.

I do have a script to manually insert IP addresses into my own jail:

'nft add rule inet manuel-stop INPUT ip saddr $1 drop'

I use this when I find something (an IP) that needs to be dropped for a long, long time. I could also set the time to indefinite in my fail2ban jail 'recidive'.

I will say that the rules in my nft ruleset consist of more than the fail2ban jails, but if you back up the rules to the nft startup file whenever you make any changes yourself, they will be read in again during start/stop, just like fail2ban keeps track of bans and during startup inserts the jails with the IPs into the nft list.

Fail2ban is running, monitoring your logfiles, and 'jails' the IPs that your actions tell it to.

I am running Rocky 8 and fail2ban v0.11.2.

Well, a long answer, hopefully not confusing you too much.

Cheers,
Finn




On 04-12-2022 at 07:19, Andre Rodier wrote:
Hello, Finn.

Maybe I have an issue with my version?

Here is what I have when I use fail2ban with nftables:

======================================================================
fail2ban-client set sshd banip 12.34.56.78
fail2ban-client set sshd banip 12.34.56.79
fail2ban-client set sshd banip 12.34.56.80

======================================================================

table inet filter {
   [...] (My custom rules)
}

Then, I see this:

table ip filter {
         chain f2b-sshd {
                 ip saddr 12.34.56.80 counter packets 0 bytes 0 reject
                 ip saddr 12.34.56.79 counter packets 0 bytes 0 reject
                 ip saddr 12.34.56.78 counter packets 0 bytes 0 reject
                 counter packets 94 bytes 6304 return
         }

         chain INPUT {
                 type filter hook input priority filter; policy accept;
                meta l4proto tcp tcp dport 22 counter packets 94 bytes 6304 jump f2b-sshd
         }
}

======================================================================

I am using Debian Bullseye.

Kind regards,
André


On Saturday, December 03, 2022 23:34 GMT, fail2ban--- via Fail2ban-users <fail2ban-users@lists.sourceforge.net> wrote:

Hi again André.

Sorry, of course, sets need to be created separately.

But fail2ban uses sets!! When more IPs come in, it happens automatically.

Example from my current nft list ruleset:

table inet f2b-table {
         set addr-set-spamdyke {
                 type ipv4_addr
                 elements = { 84.21.172.65, 191.37.160.60 }
         }

I have sets in all my 'jails' in all my fail2ban nft setups; they get created when needed (nftables.conf), and depending on the protocol the set is created as ipv4 or ipv6! (Though I don't use ipv6 yet and therefore have no ipv6 sets.)

Have I missed something? It's late here 😴

Cheers,
Finn







On 03-12-2022 at 22:20, Andre Rodier wrote:
> On Sat, 2022-12-03 at 21:45 +0100, fail2ban--- via Fail2ban-users wrote:
>> Hi Andre.
>>
>> Why distinguish between IPv4 and IPv6 in your script when inet
>> sets up the firewall for both in one line? (the nice thing about nft)
>>
>> Regards,
>> Finn
>
> Thanks for the question, Finn.
>
> I use nftables sets to store the IP addresses, but even with nftables, I found no way to create a set that would contain
> both IPv4 and IPv6 addresses.
>
> Kind regards,
> André
>
>>
>> On 03-12-2022 at 20:02, Andre Rodier wrote:
>>> Hello,
>>>
>>> I wanted to use fail2ban with nftables, and I was surprised that the tool does not really use nftables features, like
>>> sets, for instance.
>>>
>>> I had a look at the configuration, and I ended up using a simple wrapper script, to keep the configuration file
>>> readable.
>>>
>>> ====================================================================================================================
>>> # Fail2Ban configuration file
>>> #
>>> # Author: Andre Rodier
>>> # fail2ban action using nftable sets
>>> #
>>>
>>> [INCLUDES]
>>>
>>>
>>> [Definition]
>>>
>>> # Option:  actionstart
>>> # Notes.:  command executed on demand at the first ban
>>> # (or at the start of Fail2Ban if actionstart_on_demand is set to false).
>>> # Values:  CMD
>>> #
>>> actionstart = /usr/local/sbin/fail2ban-nft-helper start '<name>'
>>>
>>> # Option:  actionstop
>>> # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
>>> # Values:  CMD
>>> #
>>> actionstop = /usr/local/sbin/fail2ban-nft-helper stop '<name>' '<port>'
>>>
>>> # Option:  actioncheck
>>> # Notes.:  command executed once before each actionban command
>>> # Values:  CMD
>>> #
>>> actioncheck = /usr/local/sbin/fail2ban-nft-helper check '<name>' '<port>'
>>>
>>> # Option:  actionban
>>> # Notes.:  command executed when banning an IP. Take care that the
>>> #          command is executed with Fail2Ban user rights.
>>> # Tags:    See jail.conf(5) man page
>>> # Values:  CMD
>>> #
>>> actionban = /usr/local/sbin/fail2ban-nft-helper ban '<name>' '<ip>' '<blocktype>'
>>>
>>> # Option:  actionunban
>>> # Notes.:  command executed when unbanning an IP. Take care that the
>>> #          command is executed with Fail2Ban user rights.
>>> # Tags:    See jail.conf(5) man page
>>> # Values:  CMD
>>> #
>>> actionunban = /usr/local/sbin/fail2ban-nft-helper unban '<name>' '<ip>' '<blocktype>'
>>>
>>> [Init]
>>> ====================================================================================================================
>>>
>>>
>>>
>>> Then, the script itself uses nftables features. It is simple and quickly written, but it is working:
>>>
>>> ====================================================================================================================
>>> #!/bin/sh
>>> #
>>> # fail2ban action helper using nftables sets.
>>> # Called from the action file as: <action> <jail-name> [<ip> <blocktype>]
>>>
>>> action=$1
>>>
>>> if [ "$action" = "start" ]; then
>>>
>>>       name=$2
>>>
>>>       # Create the fail2ban chain if not existing,
>>>       # with a priority of -10 to run just before filters
>>>       nft 'add chain inet filter fail2ban { type filter hook input priority -10 ; }'
>>>
>>>       # One set per address family: an nft set cannot mix ipv4_addr and ipv6_addr
>>>       nft add set inet filter "f2b-${name}-ipv4" '{ type ipv4_addr ; }'
>>>       nft add set inet filter "f2b-${name}-ipv6" '{ type ipv6_addr ; }'
>>>
>>>       # Match against the sets; 'add rule' appends, so this runs once per jail start
>>>       nft add rule inet filter fail2ban ip saddr "@f2b-${name}-ipv4" counter reject
>>>       nft add rule inet filter fail2ban ip6 saddr "@f2b-${name}-ipv6" counter reject
>>>
>>>       exit
>>> fi
>>>
>>> if [ "$action" = "stop" ]; then
>>>
>>>       name=$2
>>>       port=$3
>>>
>>>       # Look up the handle of each lookup rule ('nft -a' prints '# handle N')
>>>       ipv4_handle=$(nft -a list ruleset | sed -En "s/.*@f2b-${name}-ipv4.*handle ([0-9]+)/\\1/p")
>>>       ipv6_handle=$(nft -a list ruleset | sed -En "s/.*@f2b-${name}-ipv6.*handle ([0-9]+)/\\1/p")
>>>
>>>       # Delete both rules, not only the first one found
>>>       if [ "$ipv4_handle" != "" ]; then
>>>           nft delete rule inet filter fail2ban handle "$ipv4_handle"
>>>       else
>>>           echo "$0: ipv4 rule handle not found for '$name'."
>>>       fi
>>>       if [ "$ipv6_handle" != "" ]; then
>>>           nft delete rule inet filter fail2ban handle "$ipv6_handle"
>>>       else
>>>           echo "$0: ipv6 rule handle not found for '$name'."
>>>       fi
>>>
>>>       exit
>>> fi
>>>
>>> if [ "$action" = "check" ]; then
>>>
>>>       name=$2
>>>       port=$3
>>>
>>>       # A non-zero exit here makes fail2ban run the start action again
>>>       nft list set inet filter "f2b-$name-ipv4" &&
>>>       nft list set inet filter "f2b-$name-ipv6"
>>>
>>>       exit
>>> fi
>>>
>>> if [ "$action" = "ban" ]; then
>>>
>>>       name=$2
>>>       ip=$3
>>>       type=$4
>>>
>>>       # IPv4 addresses go to the ipv4 set, everything else to the ipv6 set
>>>       # (grep -P needs GNU grep)
>>>       if echo "$ip" | grep -qP '^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$'; then
>>>           nft add element inet filter "f2b-$name-ipv4" "{ $ip }"
>>>       else
>>>           nft add element inet filter "f2b-$name-ipv6" "{ $ip }"
>>>       fi
>>>
>>>       exit
>>> fi
>>>
>>> if [ "$action" = "unban" ]; then
>>>
>>>       name=$2
>>>       ip=$3
>>>       type=$4
>>>
>>>       if echo "$ip" | grep -qP '^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$'; then
>>>           nft delete element inet filter "f2b-$name-ipv4" "{ $ip }"
>>>       else
>>>           nft delete element inet filter "f2b-$name-ipv6" "{ $ip }"
>>>       fi
>>>
>>>       exit
>>> fi
>>>
>>> ====================================================================================================================
>>>
>>> Any thoughts or remarks?
>>>
>>> Kind regards,
>>> André
>>>
>>>
>>>
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> Fail2ban-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>

--
"After sleeping through a hundred million centuries we have finally opened our eyes on a sumptuous planet, sparkling with color, bountiful with life. Within decades we must close our eyes again. Isn't it a noble, an enlightened way of spending our brief time in the sun, to work at understanding the universe and how we have come to wake up in it?"
[- Professor Richard Dawkins]





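Two points from the thread are worth pinning down with code. First, the ruleset André pasted (per-address rules in a chain `f2b-sshd` inside `table ip filter`) is the shape iptables-nft produces for the iptables-based banactions, while Finn's `table inet f2b-table` with `addr-set-<jail>` sets is what fail2ban's bundled `nftables` action creates; so a stock install already gets sets once the jail's banaction is switched. Second, if a wrapper like André's is used anyway, it should keep one set per family (an nft set cannot hold both `ipv4_addr` and `ipv6_addr`, as André notes), append the lookup rules only once, delete both rules on stop, and refuse a malformed `<ip>` rather than hand it to nft. The helper below is an added example written for this page, not André's script, Finn's setup or fail2ban's own action; the table `filter`, chain `fail2ban` and set names `f2b-<jail>-ipv4/-ipv6` are assumptions, and `NFT=echo` turns every nft call into a dry run so it can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): a set-based fail2ban nft action helper.
# Assumed names: table "filter", base chain "fail2ban", sets "f2b-<jail>-<fam>".
# Every nft call goes through "$NFT", so NFT=echo gives a dry run.
set -e
NFT="${NFT:-nft}"
TABLE="${F2B_TABLE:-filter}"
CHAIN="${F2B_CHAIN:-fail2ban}"

# Print the family of an address (ipv4, ipv6 or invalid) using only POSIX
# shell, so a malformed <ip> never reaches nft and grep -P is not needed.
ip_family() {
    addr=$1
    case "$addr" in
        *:*)
            # Coarse IPv6 check: hex digits, colons, and dots for ::ffff:a.b.c.d.
            # nft does the full parse; this only blocks shell/nft syntax junk.
            case "$addr" in *[!0-9A-Fa-f:.]*) echo invalid ;; *) echo ipv6 ;; esac ;;
        *.*.*.*)
            # Strict IPv4 check: exactly four decimal octets 0-255, no leading zeros.
            n=0
            rest=$addr
            while :; do
                case "$rest" in
                    *.*) oct=${rest%%.*}; rest=${rest#*.} ;;
                    *)   oct=$rest;       rest='' ;;
                esac
                n=$((n + 1))
                case "$oct" in ''|*[!0-9]*|0?*|????*) echo invalid; return ;; esac
                [ "$oct" -le 255 ] || { echo invalid; return; }
                [ -n "$rest" ] || break
            done
            if [ "$n" -eq 4 ]; then echo ipv4; else echo invalid; fi ;;
        *) echo invalid ;;
    esac
}

# actionstart: table, base chain and both sets are idempotent with "add",
# but "add rule" is not, so the lookup rules are only appended when absent.
f2b_start() {
    jail=$1
    "$NFT" add table inet "$TABLE"
    "$NFT" add chain inet "$TABLE" "$CHAIN" '{ type filter hook input priority -10 ; }'
    for fam in ipv4 ipv6; do
        "$NFT" add set inet "$TABLE" "f2b-$jail-$fam" "{ type ${fam}_addr ; }"
        proto=ip; [ "$fam" = ipv4 ] || proto=ip6
        if ! "$NFT" list chain inet "$TABLE" "$CHAIN" | grep -qF "@f2b-$jail-$fam "; then
            "$NFT" add rule inet "$TABLE" "$CHAIN" $proto saddr "@f2b-$jail-$fam" counter reject
        fi
    done
}

# actionstop: delete the lookup rules by handle (both families, not just one),
# then the sets.  The "# handle N" suffix comes from "nft -a".
f2b_stop() {
    jail=$1
    for fam in ipv4 ipv6; do
        handles=$("$NFT" -a list chain inet "$TABLE" "$CHAIN" \
            | sed -n "s/.*@f2b-$jail-$fam .*# handle \([0-9]*\)\$/\1/p")
        for h in $handles; do
            "$NFT" delete rule inet "$TABLE" "$CHAIN" handle "$h"
        done
        "$NFT" delete set inet "$TABLE" "f2b-$jail-$fam"
    done
}

# actioncheck: exit non-zero when a set is missing so fail2ban re-runs actionstart.
f2b_check() {
    "$NFT" list set inet "$TABLE" "f2b-$1-ipv4" >/dev/null &&
    "$NFT" list set inet "$TABLE" "f2b-$1-ipv6" >/dev/null
}

# actionban / actionunban: pick the set by family; refuse anything malformed.
f2b_ban() {
    fam=$(ip_family "$2")
    [ "$fam" != invalid ] || { echo "$0: refusing to ban malformed address '$2'" >&2; return 1; }
    "$NFT" add element inet "$TABLE" "f2b-$1-$fam" "{ $2 }"
}
f2b_unban() {
    fam=$(ip_family "$2")
    [ "$fam" != invalid ] || { echo "$0: refusing to unban malformed address '$2'" >&2; return 1; }
    "$NFT" delete element inet "$TABLE" "f2b-$1-$fam" "{ $2 }"
}

# Dispatch when run by fail2ban: <action> <jail> [<ip>]; a no-op when sourced.
case "${1:-}" in
    start|stop|check) "f2b_$1" "$2" ;;
    ban|unban)        "f2b_$1" "$2" "$3" ;;
esac
```

Wired into the action file exactly like André's (`actionban = /usr/local/sbin/fail2ban-nft-helper ban '<name>' '<ip>' '<blocktype>'` and so on), the helper leaves `nft list ruleset` showing one `ip saddr @f2b-sshd-ipv4 counter reject` rule per family, with the banned addresses as set elements rather than as one rule each; `NFT=echo ./fail2ban-nft-helper ban sshd 12.34.56.78` prints the single nft command that would run.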
