On 9/2/2020 5:43 AM, Phillip Carroll wrote:
On 9/1/2020 6:04 PM, Richard Shaw wrote:
On Tue, Sep 1, 2020 at 7:45 PM Phillip Carroll <[email protected]> wrote:

    I have been using csf/lfd as my firewall for several years on several
    versions of CentOS, currently CentOS7. I am using several ipset-managed
    blocklists supported directly by csf. Some of these are fairly huge
    (such as whole country blocks), and it changes them in fractions of a
    second. Very happy with everything it does.

    However, csf syntax for custom regex applied to logs is relatively
    clumsy and error-prone so I have installed fail2ban in hopes of using
    that for custom log-based bans.

    For my initial testing I have set up one jail and a corresponding
    filter. (I found that all very simple.)

    My intent:
    On filter matches, immediately ban the host IP for one full day. Use
    ipset to implement the bans.

    The test case basically watches my exim reject.log (using inotify) and
    unerringly finds the naughty hosts I want to ban.

    My setup:
    jail.local has:

     > [exim-reject]
     > mode      = normal
     > port      = smtp,ssmtp
     > logpath   = /var/log/exim/reject.log
     > filter    = exim-reject
     > maxmatches = 1
     > maxretry   = 1
     > backend   = auto
     > bantime   = 1d
     > banaction = iptables-ipset-proto6
     > enabled   = true

    And exim-reject.conf contains:

     > [INCLUDES]
     > before = exim-common.conf
     > [Definition]
     > failregex = <HOST> is listed at zen.spamhaus.org
     >             \[<HOST>\]:25 dropped: too many syntax or protocol errors

    The contents of fail2ban.log indicate everything is working. It says it
    found the lines I expected it to find, and has issued bans (and unbans a
    day later).

    However, when I list the ipset sets on the console, the only sets listed
    are those managed by csf. Clearly I have implemented something
    incorrectly. I am hoping somebody on the list can set me straight. Is it
    possibly a permissions problem?


That's quite a bit more complex an installation than I use, so I can't help you there, but the fail2ban version and source (EPEL, self-install, etc.) would be helpful.

Thanks,
Richard

@Richard,

This server has only prebuilt packages from the standard repos, managed using yum. It is a pretty typical headless server.

I don't use selinux because of conflicts with the ISP provided kernel. (Linode)

From yum list installed:

fail2ban.noarch                       0.11.1-9.el7.2             @epel
fail2ban-server.noarch                0.11.1-9.el7.2             @epel
ipset.x86_64                          7.1-1.el7                  @base
ipset-libs.x86_64                     7.1-1.el7                  @base
iptables.x86_64                       1.4.21-34.el7              @base
iptables-services.x86_64              1.4.21-34.el7              @base

Phil


_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

I turned on DEBUG and restarted fail2ban. Following is the result in fail2ban.log.

The difficulty I have is understanding the content of the scripting macros used in the various commands at the time the commands are issued. For instance, what does "<ipmset>" contain at the time of the ipset create command? The log would appear to indicate the scripting is such that values are used before they are defined. After the create, I see the value set as 'f2b-<name>' which is dependent on the value of <name> which is set on a subsequent set command as 'exim-reject'.

If this order is the actual sequence, it would explain the fact that the set 'f2b-exim-reject' does not exist after the restart of fail2ban. However, perhaps I just don't understand the inner workings.

The log:

2020-09-02 08:34:17,939 fail2ban.server         [4077]: INFO    Reload all jails
2020-09-02 08:34:17,939 fail2ban.server         [4077]: INFO    Reload jail 'exim-reject'
2020-09-02 08:34:17,940 fail2ban.filter         [4077]: DEBUG   Setting usedns = warn for FilterPyinotify(Jail('exim-reject'))
2020-09-02 08:34:17,940 fail2ban.server         [4077]: DEBUG     failregex: '<HOST> is listed at zen.spamhaus.org'
2020-09-02 08:34:17,940 fail2ban.server         [4077]: DEBUG     failregex: '\\[<HOST>\\]:25 dropped: too many syntax or protocol errors'
2020-09-02 08:34:17,940 fail2ban.filter         [4077]: INFO      maxRetry: 1
2020-09-02 08:34:17,940 fail2ban.filter         [4077]: INFO      encoding: UTF-8
2020-09-02 08:34:17,940 fail2ban.filter         [4077]: INFO      findtime: 600
2020-09-02 08:34:17,940 fail2ban.actions        [4077]: INFO      banTime: 86400
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG   Created <class 'fail2ban.server.action.CommandAction'>
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set actionunban = 'ipset del <ipmset> <ip> -exist'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set actionflush = 'ipset flush <ipmset>'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set actionstop = '<iptables> -D INPUT -p tcp -m multiport --dports smtp,ssmtp -m set --match-set <ipmset> src -j <blocktype>\nipset flush <ipmset>\nipset destroy <ipmset>'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set actionstart = 'ipset create <ipmset> hash:ip timeout 600<familyopt>\n<iptables> -I INPUT -p tcp -m multiport --dports smtp,ssmtp -m set --match-set <ipmset> src -j <blocktype>'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set actionprolong = 'ipset add <ipmset> <ip> timeout <bantime> -exist'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set actionban = 'ipset add <ipmset> <ip> timeout <bantime> -exist'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set protocol = 'tcp'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set chain = '<known/chain>'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set lockingopt = '-w'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set ipmset = 'f2b-<name>'
2020-09-02 08:34:17,941 fail2ban.CommandAction  [4077]: DEBUG     Set blocktype = 'REJECT --reject-with icmp-port-unreachable'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set default-timeout = '600'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set blocktype?family=inet6 = 'REJECT --reject-with icmp6-port-unreachable'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set port = 'smtp,ssmtp'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set actname = 'iptables-ipset-proto6'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set iptables = 'iptables <lockingopt>'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set familyopt?family=inet6 = '<sp>family inet6'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set familyopt = ''
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set returntype = 'RETURN'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set ipmset?family=inet6 = 'f2b-<name>6'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set iptables?family=inet6 = 'ip6tables <lockingopt>'
2020-09-02 08:34:17,942 fail2ban.CommandAction  [4077]: DEBUG     Set name = 'exim-reject'
2020-09-02 08:34:17,942 fail2ban.server         [4077]: INFO    Jail 'exim-reject' reloaded
2020-09-02 08:34:17,943 fail2ban.actions        [4077]: NOTICE  [exim-reject] Flush ticket(s) with iptables-ipset-proto6
2020-09-02 08:34:17,943 fail2ban.actions        [4077]: DEBUG     Unbanned 7, 7 ticket(s) in 'exim-reject'
2020-09-02 08:34:17,943 fail2ban.actions        [4077]: DEBUG   exim-reject: action iptables-ipset-proto6 terminated
2020-09-02 08:34:17,943 fail2ban.server         [4077]: INFO    Reload finished.
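As an added worked example (not fail2ban's own code and not from this thread), the following resolver is fed the property values exactly as the "Set ..." lines above report them. In fail2ban those lines are property assignments made while the jail loads; tag expansion happens only when a command such as actionstart or actionban is executed, so by then <name> is defined and <ipmset> expands to f2b-exim-reject (or f2b-exim-reject6 for IPv6). Treating <sp> as one literal space and the sample address 192.0.2.10 are assumptions of this example.

```python
import re

# Action properties transcribed from the DEBUG "Set ..." log lines above;
# the values still contain the unexpanded <tags> exactly as logged.
PROPS = {
    "actionstart": ("ipset create <ipmset> hash:ip timeout 600<familyopt>\n"
                    "<iptables> -I INPUT -p tcp -m multiport --dports smtp,ssmtp"
                    " -m set --match-set <ipmset> src -j <blocktype>"),
    "actionban": "ipset add <ipmset> <ip> timeout <bantime> -exist",
    "ipmset": "f2b-<name>",
    "ipmset?family=inet6": "f2b-<name>6",
    "iptables": "iptables <lockingopt>",
    "iptables?family=inet6": "ip6tables <lockingopt>",
    "lockingopt": "-w",
    "blocktype": "REJECT --reject-with icmp-port-unreachable",
    "blocktype?family=inet6": "REJECT --reject-with icmp6-port-unreachable",
    "familyopt": "",
    "familyopt?family=inet6": "<sp>family inet6",
    "name": "exim-reject",
    "sp": " ",  # assumption: <sp> expands to one literal space
}

TAG = re.compile(r"<([\w-]+)>")  # plain <tag>; <known/chain> is left untouched


def resolve(text, props=PROPS, family="inet", runtime=None, depth=0):
    """Expand <tag>s until nothing changes. A 'tag?family=<family>' entry
    wins over the plain 'tag' entry; runtime holds per-ban values (<ip>,
    <bantime>) that only exist at the moment a ban fires."""
    if depth > 10:
        raise ValueError("tag recursion too deep in %r" % text)
    runtime = runtime or {}

    def sub(m):
        tag = m.group(1)
        if tag in runtime:
            return str(runtime[tag])
        return props.get("%s?family=%s" % (tag, family), props.get(tag, m.group(0)))

    out = TAG.sub(sub, text)
    return out if out == text else resolve(out, props, family, runtime, depth + 1)


def start_commands(family="inet"):
    """The shell lines actionstart expands to for one address family."""
    return resolve(PROPS["actionstart"], family=family).split("\n")


def ban_command(ip, bantime, family="inet"):
    """The actionban line for one ban; ip and bantime are supplied at ban time."""
    return resolve(PROPS["actionban"], family=family,
                   runtime={"ip": ip, "bantime": bantime})


if __name__ == "__main__":
    for fam in ("inet", "inet6"):
        print("\n".join(start_commands(fam)))
    print(ban_command("192.0.2.10", 86400))  # constructed sample address
```

The first line printed for the inet family is the exact set name to look for in `ipset list`, which is the quickest check that actionstart ran at all on this host.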


