From: Phillip C. <dom...@en...> - 2020-09-02 17:18:10
On 9/2/2020 5:43 AM, Phillip Carroll wrote:
> On 9/1/2020 6:04 PM, Richard Shaw wrote:
>> On Tue, Sep 1, 2020 at 7:45 PM Phillip Carroll <dom...@en...
>> <mailto:dom...@en...>> wrote:
>>
>>     I have been using csf/lfd as my firewall for several years on several
>>     versions of CentOS, currently CentOS7. I am using several ipset-managed
>>     blocklists supported directly by csf. Some of these are fairly huge
>>     (such as whole country blocks), and it changes them in fractions of a
>>     second. Very happy with everything it does.
>>
>>     However, csf syntax for custom regex applied to logs is relatively
>>     clumsy and error-prone, so I have installed fail2ban in hopes of using
>>     that for custom log-based bans.
>>
>>     For my initial testing I have set up one jail and a corresponding
>>     filter. (I found that all very simple.)
>>
>>     My intent:
>>     On filter matches, immediately ban the host IP for one full day. Use
>>     ipset to implement the bans.
>>
>>     The test case basically watches my exim reject.log (using inotify) and
>>     unerringly finds the naughty hosts I want to ban.
>>
>>     My setup:
>>     jail.local has:
>>
>>     > [exim-reject]
>>     > mode = normal
>>     > port = smtp,ssmtp
>>     > logpath = /var/log/exim/reject.log
>>     > filter = exim-reject
>>     > maxmatches = 1
>>     > maxretry = 1
>>     > backend = auto
>>     > bantime = 1d
>>     > banaction = iptables-ipset-proto6
>>     > enabled = true
>>
>>     And exim-reject.conf contains:
>>
>>     > [INCLUDES]
>>     > before = exim-common.conf
>>     > [Definition]
>>     > failregex = <HOST> is listed at zen.spamhaus.org
>>     >             \[<HOST>\]:25 dropped: too many syntax or protocol errors
>>
>>     The contents of fail2ban.log indicate everything is working. It says it
>>     found the lines I expected it to find, and has issued bans (and unbans a
>>     day later).
>>
>>     However, when I list the ipset sets on the console, the only sets listed
>>     are those managed by csf. Clearly I have implemented something
>>     incorrectly. I am hoping somebody on the list can set me straight. Is it
>>     possibly a permissions problem?
>>
>>
>> That's quite a bit more complex an installation than I use, so I can't help
>> you there, but fail2ban version and source (EPEL, self install, etc.)
>> would be helpful.
>>
>> Thanks,
>> Richard
>
> @Richard,
>
> This server has only prebuilt packages from the standard repos, managed
> using yum. It is a pretty typical headless server.
>
> I don't use selinux because of conflicts with the ISP provided kernel.
> (Linode)
>
> From yum list installed:
>> fail2ban.noarch 0.11.1-9.el7.2 @epel
>> fail2ban-server.noarch 0.11.1-9.el7.2 @epel
>> ipset.x86_64 7.1-1.el7 @base
>> ipset-libs.x86_64 7.1-1.el7 @base
>> iptables.x86_64 1.4.21-34.el7 @base
>> iptables-services.x86_64 1.4.21-34.el7 @base
>
> Phil
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

I turned on DEBUG and restarted fail2ban. Following is the result in
fail2ban.log.

The difficulty I have is understanding the content of the scripting macros
used in the various commands at the time the commands are issued. For
instance, what does "<ipmset>" contain at the time of the ipset create
command? The log would appear to indicate the scripting is such that values
are used before they are defined. After the create, I see the value set as
'f2b-<name>', which is dependent on the value of <name>, which is set on a
subsequent set command as 'exim-reject'. If this order is the actual
sequence it would explain the fact that the set 'f2b-exim-reject' does not
exist after the restart of fail2ban. However, perhaps I just don't
understand the inner workings.
The log:

> 2020-09-02 08:34:17,939 fail2ban.server [4077]: INFO Reload all jails
> 2020-09-02 08:34:17,939 fail2ban.server [4077]: INFO Reload jail 'exim-reject'
> 2020-09-02 08:34:17,940 fail2ban.filter [4077]: DEBUG Setting usedns = warn for FilterPyinotify(Jail('exim-reject'))
> 2020-09-02 08:34:17,940 fail2ban.server [4077]: DEBUG failregex: '<HOST> is listed at zen.spamhaus.org'
> 2020-09-02 08:34:17,940 fail2ban.server [4077]: DEBUG failregex: '\\[<HOST>\\]:25 dropped: too many syntax or protocol errors'
> 2020-09-02 08:34:17,940 fail2ban.filter [4077]: INFO maxRetry: 1
> 2020-09-02 08:34:17,940 fail2ban.filter [4077]: INFO encoding: UTF-8
> 2020-09-02 08:34:17,940 fail2ban.filter [4077]: INFO findtime: 600
> 2020-09-02 08:34:17,940 fail2ban.actions [4077]: INFO banTime: 86400
> 2020-09-02 08:34:17,941 fail2ban.CommandAction [4077]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
> 2020-09-02 08:34:17,941 fail2ban.CommandAction [4077]: DEBUG Set actionunban = 'ipset del <ipmset> <ip> -exist'
> 2020-09-02 08:34:17,941 fail2ban.CommandAction [4077]: DEBUG Set actionflush = 'ipset flush <ipmset>'
> 2020-09-02 08:34:17,941 fail2ban.CommandAction [4077]: DEBUG Set actionstop = '<iptables> -D INPUT -p tcp -m multiport --dports smtp,ssmtp -m set --match-set <ipmset> src -j <blocktype>\nipset flush <ipmset>\nipset destroy <ipmset>'
> 2020-09-02 08:34:17,941 fail2ban.CommandAction [4077]: DEBUG Set actionstart = 'ipset create <ipmset> hash:ip timeout 600<familyopt>\n<iptables> -I INPUT -p tcp -m multiport --dports smtp,ssmtp -m set --match-set <ipmset> src -j <blocktype>'
> 2020-09-02 08:34:17,941 fail2ban.CommandAction [4077]: DEBUG Set actionprolong = 'ipset add <ipmset> <ip> timeout <bantime> -exist'
> 2020-09-02 08:34:17,941 fail2ban.CommandAction [4077]: DEBUG Set actionban = 'ipset add <ipmset> <ip> timeout <bantime> -exist'
> 2020-09-02 08:34:17,941 fail2ban.CommandAction [4077]: DEBUG Set protocol = 'tcp'
> 2020-09-02 08:34:17,941 fail2ban.CommandAction [4077]: DEBUG Set chain = '<known/chain>'
> 2020-09-02 08:34:17,941 fail2ban.CommandAction [4077]: DEBUG Set lockingopt = '-w'
> 2020-09-02 08:34:17,941 fail2ban.CommandAction [4077]: DEBUG Set ipmset = 'f2b-<name>'
> 2020-09-02 08:34:17,941 fail2ban.CommandAction [4077]: DEBUG Set blocktype = 'REJECT --reject-with icmp-port-unreachable'
> 2020-09-02 08:34:17,942 fail2ban.CommandAction [4077]: DEBUG Set default-timeout = '600'
> 2020-09-02 08:34:17,942 fail2ban.CommandAction [4077]: DEBUG Set blocktype?family=inet6 = 'REJECT --reject-with icmp6-port-unreachable'
> 2020-09-02 08:34:17,942 fail2ban.CommandAction [4077]: DEBUG Set port = 'smtp,ssmtp'
> 2020-09-02 08:34:17,942 fail2ban.CommandAction [4077]: DEBUG Set actname = 'iptables-ipset-proto6'
> 2020-09-02 08:34:17,942 fail2ban.CommandAction [4077]: DEBUG Set iptables = 'iptables <lockingopt>'
> 2020-09-02 08:34:17,942 fail2ban.CommandAction [4077]: DEBUG Set familyopt?family=inet6 = '<sp>family inet6'
> 2020-09-02 08:34:17,942 fail2ban.CommandAction [4077]: DEBUG Set familyopt = ''
> 2020-09-02 08:34:17,942 fail2ban.CommandAction [4077]: DEBUG Set returntype = 'RETURN'
> 2020-09-02 08:34:17,942 fail2ban.CommandAction [4077]: DEBUG Set ipmset?family=inet6 = 'f2b-<name>6'
> 2020-09-02 08:34:17,942 fail2ban.CommandAction [4077]: DEBUG Set iptables?family=inet6 = 'ip6tables <lockingopt>'
> 2020-09-02 08:34:17,942 fail2ban.CommandAction [4077]: DEBUG Set name = 'exim-reject'
> 2020-09-02 08:34:17,942 fail2ban.server [4077]: INFO Jail 'exim-reject' reloaded
> 2020-09-02 08:34:17,943 fail2ban.actions [4077]: NOTICE [exim-reject] Flush ticket(s) with iptables-ipset-proto6
> 2020-09-02 08:34:17,943 fail2ban.actions [4077]: DEBUG Unbanned 7, 7 ticket(s) in 'exim-reject'
> 2020-09-02 08:34:17,943 fail2ban.actions [4077]: DEBUG exim-reject: action iptables-ipset-proto6 terminated
> 2020-09-02 08:34:17,943 fail2ban.server [4077]: INFO Reload finished.
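An added worked example, not code from fail2ban or from anyone in this thread: a small Python model of the tag substitution fail2ban's CommandAction applies when it builds a command. It addresses the question above about what `<ipmset>` contains at the time of the `ipset create`: the `DEBUG Set ...` lines are definitions being stored, and `<name>`, `<ipmset>`, `<familyopt>` and the rest are only expanded when `actionstart`, `actionban` or `actionstop` is actually run, so the order of the `Set` lines in the log has no bearing on the result. The tag values are copied from the log above; the rule that `<sp>` means one space, the choice to leave unknown tags untouched, the RFC 5737 documentation address, and the sample `ipset list -n` listing are this example's own assumptions, and the `key?family=inet6` override handling is modelled on the definitions shown rather than taken from fail2ban's source.

```python
import re

# Tag definitions, constructed for this example from the "DEBUG Set ..." lines in
# the log above, kept in the log's order to show that definition order does not
# matter: nothing is substituted until a command is actually built.
ACTION_TAGS = {
    "actionunban": "ipset del <ipmset> <ip> -exist",
    "actionflush": "ipset flush <ipmset>",
    "actionstop": ("<iptables> -D INPUT -p tcp -m multiport --dports smtp,ssmtp "
                   "-m set --match-set <ipmset> src -j <blocktype>\n"
                   "ipset flush <ipmset>\nipset destroy <ipmset>"),
    "actionstart": ("ipset create <ipmset> hash:ip timeout 600<familyopt>\n"
                    "<iptables> -I INPUT -p tcp -m multiport --dports smtp,ssmtp "
                    "-m set --match-set <ipmset> src -j <blocktype>"),
    "actionban": "ipset add <ipmset> <ip> timeout <bantime> -exist",
    "lockingopt": "-w",
    "ipmset": "f2b-<name>",
    "blocktype": "REJECT --reject-with icmp-port-unreachable",
    "blocktype?family=inet6": "REJECT --reject-with icmp6-port-unreachable",
    "iptables": "iptables <lockingopt>",
    "familyopt?family=inet6": "<sp>family inet6",
    "familyopt": "",
    "ipmset?family=inet6": "f2b-<name>6",
    "iptables?family=inet6": "ip6tables <lockingopt>",
    "name": "exim-reject",  # defined last in the log, yet resolved fine at build time
}

TAG_RE = re.compile(r"<(\w+)>")
MAX_DEPTH = 20  # guards against a tag that directly or indirectly refers to itself


def lookup(tags, key, family):
    """A family-specific definition ('key?family=inet6') overrides the plain key."""
    override = tags.get(f"{key}?family={family}")
    return override if override is not None else tags.get(key)


def resolve(template, tags, family="inet", runtime=None, depth=0):
    """Replace every <tag> in template, recursing into the replacement text.

    runtime holds per-ban values (<ip>, <bantime>) that only exist when a ban
    fires. Unknown tags are left untouched (this example's choice). <sp> is
    taken to mean a single space: an assumption made here for the
    familyopt?family=inet6 definition.
    """
    if depth > MAX_DEPTH:
        raise RecursionError(f"tag cycle while resolving {template!r}")
    runtime = runtime or {}

    def substitute(match):
        key = match.group(1)
        if key in runtime:
            return str(runtime[key])
        if key == "sp":
            return " "
        value = lookup(tags, key, family)
        if value is None:
            return match.group(0)
        return resolve(value, tags, family, runtime, depth + 1)

    return TAG_RE.sub(substitute, template)


def build_commands(family="inet", ip="192.0.2.10", bantime=86400):
    """Render the commands the way they look at execution time.
    The default ip is a constructed RFC 5737 documentation address."""
    runtime = {"ip": ip, "bantime": bantime}
    return {
        name: resolve(ACTION_TAGS[name], ACTION_TAGS, family, runtime)
        for name in ("actionstart", "actionban", "actionunban", "actionstop")
    }


def set_present(ipset_names_output, family="inet"):
    """Check a captured `ipset list -n` listing for the set this jail should
    create, comparing against the resolved <ipmset> rather than a guessed name."""
    expected = resolve("<ipmset>", ACTION_TAGS, family)
    return expected in ipset_names_output.split()


if __name__ == "__main__":
    for fam in ("inet", "inet6"):
        print(f"--- family {fam} ---")
        for name, cmd in build_commands(fam).items():
            print(f"{name}:\n  " + cmd.replace("\n", "\n  "))
    # Constructed sample of `ipset list -n` output showing only csf-managed sets.
    sample_listing = "csf_example_set_1\ncsf_example_set_2\n"
    print("f2b set present:", set_present(sample_listing))
```

Running it prints `ipset create f2b-exim-reject hash:ip timeout 600` as the first line of `actionstart` for the inet family and `ipset create f2b-exim-reject6 hash:ip timeout 600 family inet6` for inet6, which is the name to look for in `ipset list -n`. Note also that `actionstop`, as the log shows it defined, ends with `ipset destroy <ipmset>`, and the log records the action being terminated during the reload, so the set is only expected to exist between a successful `actionstart` and the next stop.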