On 9/1/2020 6:04 PM, Richard Shaw wrote:
On Tue, Sep 1, 2020 at 7:45 PM Phillip Carroll <[email protected]> wrote:

    I have been using csf/lfd as my firewall for several years on several
    versions of CentOS, currently CentOS7. I am using several ipset-managed
    blocklists supported directly by csf. Some of these are fairly huge
    (such as whole country blocks), and it changes them in fractions of a
    second. Very happy with everything it does.

    However, csf syntax for custom regex applied to logs is relatively
    clumsy and error-prone so I have installed fail2ban in hopes of using
    that for custom log-based bans.

    For my initial testing I have set up one jail and a corresponding
    filters. (I found that all very simple.)

    My intent:
    On filter matches, immediately ban the host IP for one full day. Use
    ipset to implement the bans.

    The test case basically watches my exim reject.log (using inotify) and
    unerringly finds the naughty hosts I want to ban.

    My setup:
    jail.local has:

     > [exim-reject]
     > mode      = normal
     > port      = smtp,ssmtp
     > logpath   = /var/log/exim/reject.log
     > filter    = exim-reject
     > maxmatches = 1
     > maxretry   = 1
     > backend   = auto
     > bantime   = 1d
     > banaction = iptables-ipset-proto6
     > enabled   = true

    And exim-reject.conf contains:

     > [INCLUDES]
     > before = exim-common.conf
     > [Definition]
     > failregex = <HOST> is listed at zen.spamhaus.org
     >             \[<HOST>\]:25 dropped: too many syntax or protocol errors

    The contents of fail2ban.log indicate everything is working. It says it
    found the lines I expected it to find, and has issued bans (and unbans a
    day later).

    However, when I list the ipset sets on the console, the only sets listed
    are those managed by csf. Clearly I have implemented something
    incorrectly. I am hoping somebody on the list can set me straight. Is it
    possibly a permissions problem?


That's quite a bit more complex an installation than I use, so I can't help you there, but the fail2ban version and source (EPEL, self install, etc.) would be helpful.

Thanks,
Richard

@Richard,

This server has only prebuilt packages from the standard repos, managed using yum. It is a pretty typical headless server.

I don't use selinux because of conflicts with the ISP provided kernel. (Linode)

From yum list installed:
fail2ban.noarch            0.11.1-9.el7.2   @epel
fail2ban-server.noarch     0.11.1-9.el7.2   @epel
ipset.x86_64               7.1-1.el7        @base
ipset-libs.x86_64          7.1-1.el7        @base
iptables.x86_64            1.4.21-34.el7    @base
iptables-services.x86_64   1.4.21-34.el7    @base

Phil
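One way to check what the jail above should have left behind on the host, as an added example that is not part of the thread or of fail2ban itself: the stock iptables-ipset-proto6 action creates an ipset named f2b-<jail> and inserts an INPUT rule that matches it with "-m set --match-set ... src", so a missing set or a missing rule narrows down where the ban is getting lost. The sample command output embedded below is constructed for the check; run the script with the jail name to inspect a live system.

```python
"""Diagnose a fail2ban jail that uses the iptables-ipset-proto6 action.

Assumes the stock action naming (set f2b-<jail>, rule "--match-set f2b-<jail> src").
"""
import subprocess
import sys

IPSET_MAX_NAME = 31  # ipset rejects longer set names, so creation would fail silently for fail2ban

# Constructed sample output of `ipset list -n` and `iptables -S INPUT` (not from the thread).
SAMPLE_IPSET = "chain_DENY\nf2b-exim-reject\n"
SAMPLE_IPTABLES = (
    "-P INPUT ACCEPT\n"
    "-A INPUT -p tcp -m multiport --dports 25,465 -m set --match-set f2b-exim-reject src "
    "-j REJECT --reject-with icmp-port-unreachable\n"
)


def expected_set_name(jail):
    """Set name the iptables-ipset-proto6 action uses for a jail."""
    return "f2b-" + jail


def check_jail(jail, ipset_names, iptables_rules):
    """Compare the expected set/rule for `jail` against captured command output."""
    name = expected_set_name(jail)
    sets = {line.strip() for line in ipset_names.splitlines() if line.strip()}
    needle = "--match-set %s src" % name
    return {
        "set": name,
        "name_too_long": len(name) > IPSET_MAX_NAME,
        "set_exists": name in sets,
        "input_rule": any(needle in rule for rule in iptables_rules.splitlines()),
    }


def run(cmd):
    """Run a command and return its stdout (empty string if it fails or is missing)."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


if __name__ == "__main__":
    jail_name = sys.argv[1] if len(sys.argv) > 1 else "exim-reject"
    live = check_jail(jail_name, run(["ipset", "list", "-n"]), run(["iptables", "-S", "INPUT"]))
    for key, value in live.items():
        print("%-14s %s" % (key, value))
```

If the set exists but the rule is absent, something else (for example a firewall manager reloading iptables) is dropping the rule after fail2ban inserts it; if neither exists, the actionstart never ran successfully and fail2ban.log at DEBUG level is the place to look.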


_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users