Score:0

fail2ban ipset proper setup of jail.conf


My understanding is that running Fail2ban using ipset is faster. To that end:

I downloaded and installed per instructions (modified for Fedora 37) ritsu/ipset-fail2ban from Git.

My banaction is still set as: banaction_allports = firewallcmd-rich-rules[actiontype=]

When I try to add or replace the above with: banaction = firewallcmd-ipset

I get errors like:

2023-04-09 15:51:46,130 fail2ban.actions        [986]: NOTICE  [postfix-auth] Restore Ban 117.69.159.181
2023-04-09 15:51:46,526 fail2ban.utils          [986]: ERROR   7f29c6bd0ea0 -- exec: ipset -exist create f2b-postfix-unv hash:ip timeout 0
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports smtp,imap2,imap3,imaps,pop3,pop3s,465,587, submission -m set --match-set f2b-postfix-unv src -j REJECT --reject-with icmp-port-unreachable
2023-04-09 15:51:46,527 fail2ban.utils          [986]: ERROR   7f29c6bd0ea0 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.8 (legacy): invalid port/service `' specified"
2023-04-09 15:51:46,527 fail2ban.utils          [986]: ERROR   7f29c6bd0ea0 -- stderr: 'Error occurred at line: 2'
2023-04-09 15:51:46,527 fail2ban.utils          [986]: ERROR   7f29c6bd0ea0 -- stderr: "Try `iptables-restore -h' or 'iptables-restore --help' for more information."
2023-04-09 15:51:46,527 fail2ban.utils          [986]: ERROR   7f29c6bd0ea0 -- stderr: ''
2023-04-09 15:51:46,527 fail2ban.utils          [986]: ERROR   7f29c6bd0ea0 -- returned 13

If I run firewall-cmd --list-all-zones I get a listing of currently banned IP addresses.

However, they are not in any zone file under /etc/firewalld/zones.

$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             match-set blacklist-fail2ban src

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             185.191.32.198       tcp dpt:http

Where did I go wrong, if I went wrong?

Thank you

[Addendum 1]

Per Ginnungagap's advice on framing questions, my answer to his query about the trailing comma is:

My jail.local for the error example is:

[postfix-unv]
enabled = true
filter = postfix-unv
port = smtp,imap2,imap3,imaps,pop3,pop3s,465,587, submission
logpath = /var/log/maillog
maxretry = 1
bantime = 604800

I don't see an extra comma. I also don't see an extra comma in the actual filter. I'll look into nftables.

[Addendum 2]

I followed your suggestion and changed banaction. It seems to work when I issue the command nft list ruleset.

I restarted firewalld, and it has no additional rules (i.e., rich sets).

I restarted fail2ban and it loaded all the banned rules in about a minute.

Do I still need the files from Git (as mentioned above)?

Thank you Ginnungagap, your help is greatly appreciated.

Score:0

The direct rule fail2ban attempts to inject has a trailing comma in the list of ports, leading to the error logged by iptables-restore.

In any case, I'd highly suggest moving to nftables, which will let fail2ban manage its own table with native set support. iptables still exists for compatibility purposes but is far less flexible than nftables.

Firewalld only flushes its own table when using the nftables backend, so firewall-cmd won't clear fail2ban's table (or any table other than firewalld's, for that matter).

Changing the backend to nftables is rather simple: just add banaction = nftables-multiport to your jail, or change the global banaction and banaction_allports to nftables-multiport and nftables-allports respectively.

WSpivak: BTW, I asked ChatGPT and it said: To configure Fail2Ban to write only to an IPSet, you can follow the below steps: Create an IPSet using the following command: sudo ipset create fail2ban-ipset hash:ip

WSpivak: Edit the Fail2Ban configuration file (/etc/fail2ban/jail.local) and add the following lines at the end of the file: [DEFAULT] banaction = iptables-ipset-proto4 banaction_allports = iptables-ipset-proto4 [iptables-ipset-proto4] enabled = true filter = %(__name__)s action = ipset[name=fail2ban-ipset, protocol=tcp] The banaction and banaction_allports lines define the action that Fail2Ban should take when banning an IP address. The iptables-ipset-proto4 action uses iptables to add the IP address to the fail2ban-ipset IPSet.

WSpivak: The [iptables-ipset-proto4] section defines the ipset action, which adds the IP address to the fail2ban-ipset IPSet. Restart Fail2Ban for the changes to take effect: sudo service fail2ban restart After completing these steps, Fail2Ban should now only write to the fail2ban-ipset IPSet, and not to any other location.

Ginnungagap: If you need to add information, edit it into your question where it can be properly formatted instead of a comment where it is unreadable. Also, ChatGPT answers are [explicitly banned](https://meta.stackoverflow.com/questions/421831/) from SE because they are as likely to be accurate as a steaming pile of . Scratch that, the latter is statistically more likely.

WSpivak: I agree w/ChatGPT, hence the comment. Will take under advisement formatting.

Ginnungagap: Look at your list of ports, `submission` has a space before which detaches it from the list of ports passed to `iptables`.
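A small checker for the port-list defect diagnosed in this thread (an added example, not code from the original posts or from fail2ban): it flags whitespace or empty entries in a jail's `port` value and simulates the shell word-splitting that turns `587, submission` into a `--dports` argument with a trailing comma. The sample values are constructed from the jail.local shown above; `check_port_list` and `dports_seen_by_iptables` are names chosen here.

```python
"""Check a fail2ban jail `port` list for the defect seen in this thread.

fail2ban substitutes the jail's `port` value verbatim into the action command
(`-m multiport --dports <port>`), and the shell then word-splits that command.
Whitespace inside the list detaches everything after it and leaves a trailing
comma, which iptables-restore rejects as "invalid port/service `'".
"""
import re
import shlex

# Constructed samples: the first is the `port` line from the jail.local above.
BAD_PORTS = "smtp,imap2,imap3,imaps,pop3,pop3s,465,587, submission"
GOOD_PORTS = "smtp,imap2,imap3,imaps,pop3,pop3s,465,587,submission"

# A single item: a port number, a service name, or a low:high range.
_PORT_ITEM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(:[A-Za-z0-9][A-Za-z0-9._-]*)?$")


def check_port_list(value: str) -> list:
    """Return problems with a comma-separated port list (empty list if it is fine)."""
    problems = []
    for idx, item in enumerate(value.split(",")):
        if item == "":
            problems.append(f"entry {idx} is empty (stray or trailing comma)")
        elif item != item.strip():
            problems.append(f"entry {idx} {item!r} carries whitespace the shell will split on")
        elif not _PORT_ITEM.match(item):
            problems.append(f"entry {idx} {item!r} is not a port, service name or range")
    return problems


def dports_seen_by_iptables(value: str) -> str:
    """Word-split the rendered multiport fragment the way the shell does and
    return the single argument that actually follows --dports."""
    argv = shlex.split(f"-p tcp -m multiport --dports {value} -m set")
    return argv[argv.index("--dports") + 1]


if __name__ == "__main__":
    for label, value in (("question", BAD_PORTS), ("fixed", GOOD_PORTS)):
        print(f"{label}: --dports receives {dports_seen_by_iptables(value)!r}")
        for problem in check_port_list(value) or ["ok"]:
            print("   ", problem)
```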