From: Phillip C. <dom...@en...> - 2020-09-02 12:44:23
On 9/1/2020 6:04 PM, Richard Shaw wrote:
> On Tue, Sep 1, 2020 at 7:45 PM Phillip Carroll <dom...@en...> wrote:
>
> > I have been using csf/lfd as my firewall for several years on several
> > versions of CentOS, currently CentOS7. I am using several ipset-managed
> > blocklists supported directly by csf. Some of these are fairly huge
> > (such as whole country blocks), and it changes them in fractions of a
> > second. Very happy with everything it does.
> >
> > However, csf syntax for custom regex applied to logs is relatively
> > clumsy and error-prone, so I have installed fail2ban in hopes of using
> > that for custom log-based bans.
> >
> > For my initial testing I have set up one jail and a corresponding
> > filter. (I found that all very simple.)
> >
> > My intent:
> > On filter matches, immediately ban the host IP for one full day. Use
> > ipset to implement the bans.
> >
> > The test case basically watches my exim reject.log (using inotify) and
> > unerringly finds the naughty hosts I want to ban.
> >
> > My setup:
> > jail.local has:
> >
> > > [exim-reject]
> > > mode = normal
> > > port = smtp,ssmtp
> > > logpath = /var/log/exim/reject.log
> > > filter = exim-reject
> > > maxmatches = 1
> > > maxretry = 1
> > > backend = auto
> > > bantime = 1d
> > > banaction = iptables-ipset-proto6
> > > enabled = true
> >
> > And exim-reject.conf contains:
> >
> > > [INCLUDES]
> > > before = exim-common.conf
> > >
> > > [Definition]
> > > failregex = <HOST> is listed at zen.spamhaus.org
> > >             \[<HOST>\]:25 dropped: too many syntax or protocol errors
> >
> > The contents of fail2ban.log indicate everything is working. It says it
> > found the lines I expected it to find, and has issued bans (and unbans a
> > day later).
> >
> > However, when I list the ipset sets on the console, the only sets listed
> > are those managed by csf. Clearly I have implemented something
> > incorrectly. I am hoping somebody on the list can set me straight. Is it
> > possibly a permissions problem?
>
> That's quite a bit more complex an installation than I use, so I can't help you
> there, but fail2ban version and source (EPEL, self install, etc.) would
> be helpful.
>
> Thanks,
> Richard

@Richard,

This server has only prebuilt packages from the standard repos, managed
using yum. It is a pretty typical headless server. I don't use selinux
because of conflicts with the ISP provided kernel. (Linode)

From yum list installed:

> fail2ban.noarch          0.11.1-9.el7.2    @epel
> fail2ban-server.noarch   0.11.1-9.el7.2    @epel
> ipset.x86_64             7.1-1.el7         @base
> ipset-libs.x86_64        7.1-1.el7         @base
> iptables.x86_64          1.4.21-34.el7     @base
> iptables-services.x86_64 1.4.21-34.el7     @base

Phil
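An added example, not code from the thread or from fail2ban itself: a small emulator that expands the `<HOST>` token in the two failregex lines quoted above the way fail2ban does (fail2ban filters are Python regular expressions) and runs them over constructed exim reject.log lines, so the matching half of the setup can be checked offline. It assumes a simplified IPv4-only `<HOST>` and ignores the prefix definitions that exim-common.conf adds; the real filter engine also handles IPv6 and hostnames.

```python
import re

# The failregex lines from the exim-reject.conf quoted in the post.
FAILREGEX = [
    r"<HOST> is listed at zen.spamhaus.org",
    r"\[<HOST>\]:25 dropped: too many syntax or protocol errors",
]

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> expansion.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Constructed sample log lines (not real exim output): two spamhaus listings
# for the same host, one benign reject and one protocol-error drop.
SAMPLE_LOG = """\
2020-09-01 18:00:01 H=(bad.example) [192.0.2.10] F=<x@bad.example> rejected RCPT <u@example.net>: 192.0.2.10 is listed at zen.spamhaus.org
2020-09-01 18:00:05 H=(ok.example) [203.0.113.4] F=<a@ok.example> rejected RCPT <n@example.net>: Unrouteable address
2020-09-01 18:02:11 SMTP call from (scanner) [198.51.100.7]:25 dropped: too many syntax or protocol errors (last command was "XYZ")
2020-09-01 18:03:40 H=(bad.example) [192.0.2.10] F=<x@bad.example> rejected RCPT <o@example.net>: 192.0.2.10 is listed at zen.spamhaus.org
"""


def compile_failregex(patterns):
    """Substitute <HOST> and compile, as fail2ban does for each failregex line."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def find_hosts(lines, compiled):
    """Return the host of every line that matches some failregex, in log order."""
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append(m.group("host"))
                break  # fail2ban stops at the first failregex that matches
    return hits


def ban_decisions(lines, maxretry=1):
    """Hosts that reach maxretry matches; with maxretry = 1 (as in the jail
    above) a single matching line is enough to trigger the ban action."""
    counts, banned = {}, []
    for host in find_hosts(lines, compile_failregex(FAILREGEX)):
        counts[host] = counts.get(host, 0) + 1
        if counts[host] == maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("would ban:", ban_decisions(SAMPLE_LOG.splitlines()))
```

This covers only what fail2ban.log reports as found and banned; whether the ban actually reached the kernel is a separate check on the host with `ipset list -n`.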