Version 1.831
Operating System CentOS Linux 6.4
Fail2Ban Intrusion Detection System
To get to this -- Filter Action Jails, Edit Jail Defaults, Ip addresses to never ban
try to enter a fully qualified domain name for a dynamic IP address service, like mydynamicip.ddns.net
generates error "Failed to save default jail options : Invalid IP address to ignore"
Dynamic hosts should be allowed -- I believe they are allowed in the jail.conf which this presumably updates.
The parameter in the jail.conf file that lists the IP addresses to ignore is "ignoreip"
The documentation at http://www.fail2ban.org/wiki/index.php/Whitelist says ""ignoreip" can be an IP address, a CIDR mask or a DNS host."
Please change this module to allow the entry of host names in the ignoreip parameter.
A similar question I have is, since fail2ban and iptables apparently allow for dynamic host names to represent ip addresses, I wonder how often fail2ban and/or iptables check for a change in the IP address. Also, if there is a configuration parameter to specify how often fail2ban and/or iptables should resolve the dynamic dns address.
Thanks for pointing this out - this will be fixed in the next webmin release.
Personally I wouldn't recommend using hostnames in fail2ban or iptables configs, as if they cannot be resolved when the service starts then it may completely fail. For iptables, they are only resolved when the firewall is started or when the config is re-applied.
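Added example, not part of the original thread and not Webmin's or fail2ban's code: a small audit of the `ignoreip` line that accepts the three forms the quoted documentation names (IP address, CIDR mask, DNS host) and flags host names that do not resolve at check time, which is the failure mode raised in the reply above. The function names `classify` and `audit_ignoreip`, the sample config and the choice to split entries on spaces and commas are assumptions made for this illustration.

```python
import configparser
import ipaddress
import re
import socket

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample; mydynamicip.ddns.net is the name from the report.
SAMPLE = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.10, mydynamicip.ddns.net
           gone.example.invalid 10.0.0.300
"""

def classify(entry):
    """Return 'ip', 'cidr', 'host' or 'invalid' for one ignoreip entry."""
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    if "/" in entry:
        try:
            ipaddress.ip_network(entry, strict=False)
            return "cidr"
        except ValueError:
            return "invalid"
    labels = entry.rstrip(".").split(".")
    # A numeric last label means a mistyped address (10.0.0.300), not a name.
    if len(entry) <= 253 and not labels[-1].isdigit() \
            and all(_LABEL.match(lab) for lab in labels):
        return "host"
    return "invalid"

def audit_ignoreip(conf_text, resolve=socket.gethostbyname_ex):
    """List (entry, kind, addresses); names that fail to resolve are flagged."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = []
    for entry in re.split(r"[\s,]+", cp.get("DEFAULT", "ignoreip", fallback="")):
        if not entry:
            continue
        kind, addrs = classify(entry), []
        if kind == "host":
            try:
                addrs = resolve(entry)[2]   # IPv4 addresses at this moment
            except OSError:                 # includes socket.gaierror
                kind = "host-unresolved"
        report.append((entry, kind, addrs))
    return report
```

Running `audit_ignoreip` on the real jail.conf text before restarting the service shows which whitelist entries depend on DNS being reachable at start-up.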
Thank you for the prompt reply.
Are you familiar with the program "Travelling Man" which is part of "PBX in
a Flash" or "Incredible PBX"? It uses dynamic ip addresses this way.
Since you point out that the IP doesn't get resolved except on start or
reload, I wonder if "Travelling Man" reloads iptables like every 3 minutes
or something like that? I have no knowledge of how Fail2Ban would know
when to resolve it.
I have to do this, unfortunately, because my CenturyLink DSL IP address
changes all the time. :-(
Thanks again for the prompt resolution of this.
Robert Coates
It may be that fail2ban re-resolves hostnames more often. But I know for sure that iptables does not (unless some other script is periodically re-applying the config).
I assume this has been fixed by now. How do I get the updated module for
Webmin that controls Fail2ban? How do I update my copy of Webmin to
include this?
Sorry these are "newb" questions. I have a lot of programming experience,
just not with Linux.
the change I'm looking for is that Webmin will allow a host name such as
host.doman.com instead of an ip address in the "ignoreip" parameter in the
fail2ban module.
Fail2ban does in fact allow host names in addition to ip addresses -- so
the Fail2Ban interface in Webmin should allow entry of a dynamic hostname
The code for this has been written, and the fix will be in the upcoming Webmin 1.840 release.
[bugs:#4893] https://sourceforge.net/p/webadmin/bugs/4893/ fail2ban config doesn't allow entry of dynamic hosts
Status: closed-fixed Group: 1.830 Labels: fail2ban Created: Fri Feb 10, 2017 05:19 AM UTC by Robert Last Updated: Fri Feb 10, 2017 11:40 PM UTC Owner: nobody
I also ran into this problem today. From what I read above, this bug has been resolved as of Webmin version 1.840. The only difference in my setup and this bug report is I am on Ubuntu 16.04.
Error I received on the "Default Jail Options" screen.
"Failed to save default jail options : Invalid IP address to ignore"
Note: I was able to add the domain "<myhost>.ddns.net" into the "jail.conf" file directly. And it all worked. Fail2Ban ignored failed attempts from that host. But after this action I can now never use the "Default Jail Options" screen because it gives the error.
Server Details:
Webmin version 1.840.
Ubuntu 16.04 linux server.
Thanks in advance
The Fail2Ban program does accept dynamic hosts in the config. The issue
here is that the Webmin app for Fail2Ban does not allow putting dynamic
hosts in the Fail2Ban config files.
It does look like somebody fixed it and a newer version is available. I
don't know how to access the fix and apply it to my system. Can you tell
me how I can obtain the fix and apply it to my system? Thanks.
The latest webmin release available from http://www.webmin.com/devel.html includes this fix.
Thank you, Jamie Cameron.
I'm running Webmin 1.840. Is there a way to tell if that fix is included in
that release?
If the fix is not included in that release, how do I apply it to my server?
Robert Coates
You should try downloading the 1.844 version from the URL I linked to.
Thanks Jamie, I will wait for the next official release to test if it's included. I have put the dynamic host directly into the config files, so my setup is correct for now.
For record purposes, my webmin updated to version 1.850 and this is still broken. Strange that it is still not available after all these versions, and there are replies that this was already finalised from version 1.830. There must be something going wrong with the release process.
I am still using the workaround where I entered the hostname directly into the config file.
Maybe we're fixing it in the wrong place. Can you attach a screenshot showing exactly where you're entering a dynamic hostname?
Find attached as requested the screenshot with highlight of the affected area. Thanks for the reply.
Ok, I see - this will be fixed in the next Webmin release.
Thanks, I confirm it works in version 1.860