Score:0

How to configure fail2ban for both TCP and UDP ports?


I want to ban some DNS requests coming to my named server. The server normally listens on both TCP and UDP port 53 and logs the requests to the /var/log/named/query.log file. So, I added the following entry at the end of /etc/fail2ban/jail.local:

[named-xyz]
enabled  = true
port     = domain
filter   = xyz
logpath  = /var/log/named/query.log
bantime  = 1d
action   = %(action_)s

However, this only bans the TCP port (by default). To ban the UDP port as well, I need to add another entry:

[named-xyz-udp]
enabled  = true
port     = domain
protocol = udp
filter   = xyz
logpath  = /var/log/named/query.log
bantime  = 1d
action   = %(action_)s

Having two similar entries may not look like overkill; however, it has the drawback of logging double entries for a single "bad" request in the fail2ban.log file, like this:

fail2ban.filter         [11619]: INFO    [named-xyz-udp] Found a.b.c.d
fail2ban.filter         [11619]: INFO    [named-xyz] Found a.b.c.d

How can I simply ban both UDP/53 and TCP/53 at the same time with a single rule in jail.local? A protocol = all line does not work in my case.

fail2ban version is v0.11.1.

Score:0

A protocol = all line does not work in my case.

It depends on the banning action you use. What do you mean by "does not work"?

For some actions (like iptables-allports, which accepts all) it may be enough to set it this way; for other actions which accept multiple protocols (like nftables), it can be set with protocol = tcp,udp (or whatever separator they need instead of a comma).
For the actions which don't accept multiple protocols (like iptables-multiport) one needs to specify 2 actions; here is an example working for the newest fail2ban versions - https://github.com/fail2ban/fail2ban/blob/10cd81552538fa950cefc32787b9f82b5ee1b998/config/jail.conf#L748-L749

For older fail2ban versions which do not accept interpolation of %(default/action_)s or multiple parameters [...][...], you need to set something like this:

action = %(action_)s[name=%(__name__)s-tcp, protocol="tcp"]
         %(action_)s[name=%(__name__)s-udp, protocol="udp"]

(or by fail2ban 0.9.x even replace %(action_)s with its whole definition from default section):

action = %(banaction)s[name=%(__name__)s-tcp, actionname=%(__name__)s-tcp, protocol="tcp", port="%(port)s", chain="%(chain)s"]
         %(banaction)s[name=%(__name__)s-udp, actionname=%(__name__)s-udp, protocol="udp", port="%(port)s", chain="%(chain)s"]
FedKad
I am sorry, I could not follow your answer, since I am not an expert on fail2ban. What would be your suggestion for modifying the first entry (in my question)? Putting a two-line `action =` as you suggested gives the error: `option 'action' in section 'named-xyz' already exists`
sebres
You have to put 2 actions in a single `action` parameter, see my example - so 2 lines, but the second line without `action =`, just with a few spaces; and ensure you don't already have an `action` specified in the section for jail `named-xyz`.
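Added example (not code from the original post, nor from the fail2ban project): fail2ban reads jail.conf/jail.local with Python's configparser in strict mode, which is why a second `action =` line in the same section fails with exactly the "already exists" error from the comment above, while an indented continuation line is folded into the single `action` value. The script below loads both variants, the broken one and the one the answer suggests, and expands the `%(...)s` references so you can see the two action lines fail2ban would end up with. The [DEFAULT] values and the `action_` template are a simplified stand-in for fail2ban's real defaults, and `%(__name__)s` is substituted here via configparser `vars` because fail2ban, not configparser, is what resolves it to the jail name; both are assumptions for the demonstration.

```python
"""Parse two jail.local variants the way fail2ban's INI loader does.

Added example; the DEFAULT section is a simplified assumption, not the
real jail.conf defaults.
"""
import configparser

# Constructed sample: two `action =` keys in one section. This is what
# produces "option 'action' in section 'named-xyz' already exists".
BROKEN_JAIL = """
[named-xyz]
enabled = true
port    = domain
filter  = xyz
action  = %(action_)s[name=%(__name__)s-tcp, protocol="tcp"]
action  = %(action_)s[name=%(__name__)s-udp, protocol="udp"]
"""

# Constructed sample: one `action` key whose second line is an indented
# continuation (no `action =`), as the answer suggests.
FIXED_JAIL = """
[named-xyz]
enabled = true
port    = domain
filter  = xyz
logpath = /var/log/named/query.log
bantime = 1d
action  = %(action_)s[name=%(__name__)s-tcp, protocol="tcp"]
          %(action_)s[name=%(__name__)s-udp, protocol="udp"]
"""

# Simplified stand-in for the [DEFAULT] section of jail.conf (assumption;
# the real file carries many more parameters).
DEFAULTS = {
    "banaction": "iptables-multiport",
    "chain": "INPUT",
    "protocol": "tcp",
    "action_": '%(banaction)s[port="%(port)s", protocol="%(protocol)s", '
               'chain="%(chain)s"]',
}


def load_jail(text):
    """Parse jail text with configparser's strict mode (fail2ban's
    behaviour): duplicate keys raise, indented lines continue a value."""
    cp = configparser.ConfigParser(defaults=DEFAULTS, strict=True)
    cp.read_string(text)
    return cp


def expanded_actions(cp, jail):
    """Return the fully interpolated action lines of a jail, one per
    entry.  fail2ban substitutes %(__name__)s with the jail name itself;
    here that is emulated by passing it as `vars`."""
    raw = cp.get(jail, "action", vars={"__name__": jail})
    return [line.strip() for line in raw.splitlines() if line.strip()]


def duplicate_action_error(text):
    """True if the text fails to load because `action` is defined twice."""
    try:
        load_jail(text)
    except configparser.DuplicateOptionError as exc:
        return exc.option == "action"
    return False


if __name__ == "__main__":
    print("broken jail rejected:", duplicate_action_error(BROKEN_JAIL))
    for line in expanded_actions(load_jail(FIXED_JAIL), "named-xyz"):
        print(line)
```

Each expanded line carries two bracketed parameter groups: the defaults from `action_` (which still say `protocol="tcp"`) followed by the per-line overrides, and fail2ban applies the later group on top of the earlier one, so the second entry really does become a UDP ban for the same port. That is the "multiple parameters [...][...]" form the answer refers to, which is why the older, single-bracket form in the answer spells out every parameter instead.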