Fail2Ban on X18

From Kolmisoft Wiki

Description

In recent MOR X18 versions, Fail2ban has been reworked. There are two main differences:

  • MOR jails are configured in jail.local; the system's global jail.conf is left untouched
  • Fail2ban's default chain is now MOR-FAIL2BAN-JUMP. Fail2ban inserts its per-jail chains into the MOR-FAIL2BAN-JUMP chain, NOT directly into the INPUT chain.

You have the new fail2ban configuration if:

  • The file /etc/fail2ban/jail.local exists
  • The beginning of /etc/fail2ban/jail.local contains:
[DEFAULT]
chain = MOR-FAIL2BAN-JUMP
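A small script that performs this check, added here as an example (it is not part of the MOR tooling). It takes the jail file path as an argument so it can be pointed at a copy; the live wiring check assumes the jump into MOR-FAIL2BAN-JUMP is an unconditional -j rule in INPUT.

```shell
#!/bin/sh
# Added example (not Kolmisoft/MOR code): detect the X18-style fail2ban layout.

# Return 0 when the jail file at $1 exists and, ignoring blank and comment
# lines, starts with a [DEFAULT] section that sets chain = MOR-FAIL2BAN-JUMP
# before any other section begins; return 1 otherwise.
is_new_mor_fail2ban() {
    f=$1
    [ -f "$f" ] || return 1
    awk '
        /^[[:space:]]*$/     { next }              # blank line
        /^[[:space:]]*[#;]/  { next }              # comment line
        !in_default {                              # first real line must open [DEFAULT]
            if ($0 ~ /^\[DEFAULT\][[:space:]]*$/) { in_default = 1; next }
            exit 1
        }
        /^\[/ { exit 1 }                           # another section reached, chain not seen
        /^chain[[:space:]]*=[[:space:]]*MOR-FAIL2BAN-JUMP[[:space:]]*$/ { found = 1; exit 0 }
        END { exit found ? 0 : 1 }
    ' "$f"
}

# Optional live check (needs root): is the jump chain actually referenced from INPUT?
# Assumption: the rule is a plain "-j MOR-FAIL2BAN-JUMP" entry in the INPUT chain.
mor_jump_chain_in_input() {
    iptables -S INPUT 2>/dev/null | grep -q -- '-j MOR-FAIL2BAN-JUMP'
}

# Usage: sh check_f2b_layout.sh --check   (prints "new" or "old" for /etc/fail2ban/jail.local)
if [ "${1-}" = "--check" ]; then
    if is_new_mor_fail2ban /etc/fail2ban/jail.local; then echo new; else echo old; fi
fi
```

Both checks are worth running together: a jail.local in the new layout tells you how fail2ban is configured, while the iptables check tells you whether the running firewall actually sends traffic through MOR-FAIL2BAN-JUMP.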



Manage Fail2ban jails/ips



List active jails

To list active jails, use the command fail2ban-client status

[root@node01 ~]# fail2ban-client status
Status
|- Number of jail:      7
`- Jail list:   ast-cli-attack, ast-hgc-200, asterisk-iptables, asterisk-manager, mor_api, mor_ddos, ssh-iptables
[root@node01 ~]# 

Important notes:

  • Jails appear in iptables with an f2b- prefix: the ssh-iptables jail corresponds to the f2b-ssh-iptables chain
  • A jail's iptables chain is created on demand, when the first IP is banned in that jail. Until then the chain does not exist in iptables. Once created, the chain remains even after the ban expires (or the IP is manually unbanned), so an empty f2b- chain is normal



Get more information about the jail

To list more information for specific jails, use fail2ban-client status JAILNAME

[root@node01 ~]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   12.23.44.55

To check banned IPs manually in iptables, use iptables -n -L f2b-JAILNAME

[root@node01 ~]# iptables -n -L f2b-ssh-iptables
Chain f2b-ssh-iptables (1 references)
target     prot opt source               destination         
REJECT     0    --  12.23.44.55          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     0    --  0.0.0.0/0            0.0.0.0/0           
[root@node01 ~]# 



Manually unblock the IP from the jail

To unblock IP from the fail2ban chain, use the command fail2ban-client set JAILNAME unbanip IPADDRESS.

fail2ban-client set ssh-iptables unbanip 12.23.44.55

JAILNAME is the jail name without the f2b- prefix: an IP blocked in the f2b-ssh-iptables chain is unbanned from the ssh-iptables jail.

IPs blocked by fail2ban can also be unblocked from the GUI Blocked IPs menu.

Important: if an IP banned by fail2ban is removed only with manual iptables commands, fail2ban still considers it banned and will re-add the rule when it restarts. To permanently unblock an IP, use one of the methods mentioned above.
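Because fail2ban's view and the iptables chain can drift apart (a rule deleted by hand, or a chain left behind), a useful check is to compare the two per jail. The script below is an added example, not MOR code: the parsing functions read the output formats shown above from stdin so they can be exercised offline, and check_jail wraps the live commands (root and a running fail2ban are required for that part).

```shell
#!/bin/sh
# Added example (not Kolmisoft/MOR code): compare what fail2ban believes is banned
# in a jail with what the jail's f2b-<jail> iptables chain actually enforces.

# Extract banned IPs from "fail2ban-client status JAIL" text on stdin, one per line.
f2b_banned_from_status() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Extract source addresses of REJECT/DROP rules from "iptables -n -L CHAIN" text on stdin.
# Column 4 is "source" in the numeric listing.
chain_banned_from_listing() {
    awk '$1 == "REJECT" || $1 == "DROP" { print $4 }' | sort -u
}

# $1 = newline-separated list from fail2ban, $2 = list from iptables.
# Prints "fail2ban-only <ip>" for bans iptables no longer enforces (for example
# removed with a manual iptables -D; they come back on the next fail2ban restart)
# and "iptables-only <ip>" for rules fail2ban no longer tracks.
ban_drift() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" | sed '/^$/d' | sort -u > "$a"
    printf '%s\n' "$2" | sed '/^$/d' | sort -u > "$b"
    comm -23 "$a" "$b" | sed 's/^/fail2ban-only /'
    comm -13 "$a" "$b" | sed 's/^/iptables-only /'
    rm -f "$a" "$b"
}

# Live wrapper. Usage: check_jail ssh-iptables
# A missing chain (no IP banned yet in this jail) is treated as an empty list.
check_jail() {
    jail=$1
    f2b=$(fail2ban-client status "$jail" | f2b_banned_from_status)
    ipt=$(iptables -n -L "f2b-$jail" 2>/dev/null | chain_banned_from_listing)
    ban_drift "$f2b" "$ipt"
}
```

No output from check_jail means the two views agree. A fail2ban-only entry is the case the note above warns about: fix it with fail2ban-client set JAILNAME unbanip IPADDRESS rather than with iptables.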



Manually block the IP to the jail

To manually add IP to the jail (for testing or other reasons), use the banip command fail2ban-client set JAILNAME banip IPADDRESS.

fail2ban-client set ssh-iptables banip 22.33.44.55



How to modify MOR jails

  • /etc/fail2ban/jail.conf contains the global fail2ban configuration shipped with the fail2ban package; do not change anything here
  • /etc/fail2ban/jail.local contains the MOR jails. Manual changes to this file can be overwritten by a MOR update

This is the order in which fail2ban loads jail configuration from the /etc/fail2ban/ directory (later files override earlier ones, key by key):

  • jail.conf
  • jail.d/*.conf (in alphabetical order)
  • jail.local
  • jail.d/*.local (in alphabetical order).

So to change the configuration of a MOR jail, create a .local file in /etc/fail2ban/jail.d: it is read last, so its settings take precedence over jail.local, and it is a separate file from the one the MOR update manages.
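The precedence rule above, as an added example (not MOR or fail2ban code): a deliberately simplified resolver that reads the files in that order and reports the last assignment of a key for a jail, falling back to [DEFAULT]. It models only plain key = value lines, with no %(name)s interpolation, no multi-line values and no per-jail .conf includes, so it is a tool for reasoning about overrides, not a reimplementation of fail2ban's parser. The authoritative view of the live configuration is fail2ban-client get JAILNAME maxretry (and similar keys) or the full dump from fail2ban-client -d.

```shell
#!/bin/sh
# Added example (not Kolmisoft/MOR code): which file wins for a jail setting?

# Print the jail files under directory $1 in the order fail2ban reads them.
# Shell globs expand in sorted order, matching "alphabetical order" above.
jail_files_in_load_order() {
    d=$1
    [ -f "$d/jail.conf" ] && echo "$d/jail.conf"
    for f in "$d"/jail.d/*.conf; do [ -f "$f" ] && echo "$f"; done
    [ -f "$d/jail.local" ] && echo "$d/jail.local"
    for f in "$d"/jail.d/*.local; do [ -f "$f" ] && echo "$f"; done
    return 0
}

# effective_value DIR JAIL KEY
# Simplified model: the last "KEY = value" seen in [JAIL] wins; if [JAIL] never
# sets KEY, the last value seen in [DEFAULT] is used. Prints nothing if unset.
effective_value() {
    dir=$1 jail=$2 key=$3
    set -- $(jail_files_in_load_order "$dir")     # paths assumed to contain no whitespace
    [ $# -gt 0 ] || return 1
    awk -v jail="$jail" -v key="$key" '
        /^[[:space:]]*$/ || /^[[:space:]]*[#;]/ { next }
        /^\[/ { sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec); next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k != key) next
            if (sec == jail)           { jv = v; have_j = 1 }   # a later file overrides
            else if (sec == "DEFAULT") { dv = v; have_d = 1 }
        }
        END { if (have_j) print jv; else if (have_d) print dv }
    ' "$@"
}

# Usage on a real system (read-only):
#   effective_value /etc/fail2ban ssh-iptables maxretry
#   effective_value /etc/fail2ban ssh-iptables bantime
```

Running it against /etc/fail2ban before and after adding a jail.d/*.local file shows exactly which assignment is now in force; if the resolver and fail2ban-client get disagree, the difference is almost always interpolation or a multi-line value that this model deliberately does not handle.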



Example 1

The asterisk-iptables jail bans an IP address if it attempts to register several times with an incorrect password. By default, the IP is banned for all ports. Let's say we want to block access only to ports 5060, 5061 and 5065.

1. Create a file /etc/fail2ban/jail.d/asterisk-iptables.local

2. Add such contents in the file:

[asterisk-iptables]
port = 5060,5061,5065
banaction = iptables[type=multiport]

3. Restart fail2ban

systemctl restart fail2ban

Before the change, all TCP traffic (prot 6, no port match) was sent through the f2b-asterisk-iptables chain:

Chain MOR-FAIL2BAN-JUMP (1 references)
target     prot opt source               destination         
f2b-asterisk-iptables  6    --  0.0.0.0/0            0.0.0.0/0 

After the change, only TCP ports 5060, 5061 and 5065 are matched, so a banned IP can still reach other services:

Chain MOR-FAIL2BAN-JUMP (1 references)
target     prot opt source               destination         
f2b-asterisk-iptables  6    --  0.0.0.0/0            0.0.0.0/0            multiport dports 5060,5061,5065



Example 2

The SSH jail (ssh-iptables) blocks an IP permanently after 3 incorrect password attempts. Let's say we want to block an IP after 5 attempts and only for 15 minutes (bantime is in seconds, so 900).

1. Create a file /etc/fail2ban/jail.d/ssh-iptables.local

2. Add such contents in the file:

[ssh-iptables]
maxretry = 5
bantime = 900

3. Restart fail2ban

systemctl restart fail2ban



Send email notifications when IP is blocked

Fail2ban can be configured to send an email when an IP is blocked. Fail2ban hands the message to the system's MTA through the sendmail binary, so the MTA (by default postfix, which provides its own sendmail-compatible binary) has to be configured correctly for the email to reach its destination.

This guide shows how to configure fail2ban to send email through the MTA. Configuration of the MTA itself (sendmail, postfix) is not discussed here.



Add initial configuration options to send emails

First, update the fail2ban configuration to the latest version from the MOR repository:

mor_version=$(grep -P "^MOR_VERSION\s*=\s*" /etc/mor/system.conf | awk -F'=' '{print $2}' | xargs)
svn update /usr/src/mor/${mor_version}/helpers/fail2ban
/usr/src/mor/${mor_version}/helpers/fail2ban/fail2ban_update.sh


Create the local default jail file /etc/fail2ban/jail.d/customdefault.local (if it is not already present) and add the email configuration variables:

[DEFAULT]
destemail = recipient1@email.com
sender = from@fromdomain.com
sendername = Fail2Ban
mta = sendmail

If you need to send to several destinations, separate them with commas:

destemail = recipient1@email.com, recipient2@email.com, recipient3@email.com

Replace destemail with the correct destination email(s) and sender with the correct From address. The line mta = sendmail selects fail2ban's sendmail-based mail actions (sendmail, sendmail-whois, sendmail-whois-lines), which call the sendmail binary that postfix also provides.



Send email when IP is blocked from any jail

In the file /etc/fail2ban/jail.d/customdefault.local (created in the previous step), append the line:

action = %(action_m)s[actionstart="", actionstop=""]

Because this is set in the [DEFAULT] section, it applies to every jail. The empty actionstart and actionstop parameters suppress the emails the mail action would otherwise send each time a jail starts or stops (that is, on every fail2ban restart), leaving only the ban notifications.

Restart fail2ban

systemctl restart fail2ban

Manual blocking (fail2ban-client set JAILNAME banip IPADDRESS, described above) can be used to test that an email arrives after an IP is blocked.



Send email when IP is blocked from a specific jail

Do not add the action line to the [DEFAULT] section in /etc/fail2ban/jail.d/customdefault.local (remove it if already added); a default action applies to every jail.

Create a local jail file (if it is not already present) and add the action line to it. For example, to send email notifications only for IPs blocked in the SSH jail:

1. Create (if it does not already exist) the file /etc/fail2ban/jail.d/ssh-iptables.local:

touch /etc/fail2ban/jail.d/ssh-iptables.local

2. Add the following contents:

[ssh-iptables]
action = %(action_m)s[actionstart="", actionstop=""]

3. Restart fail2ban

systemctl restart fail2ban

You can repeat this for any jail you want email notifications for.

All available jails can be listed with this command:

fail2ban-client status 



Available email notifications

In the example we used:

action = %(action_m)s[actionstart="", actionstop=""]

Here we used the action_m action. The available actions are:

  • action_m - send email
  • action_mw - send email + whois information about the IP
  • action_mwl - send email + whois information about the IP + the log lines that triggered the ban

So if you need additional information, replace action_m with action_mw or action_mwl. Note that action_mw and action_mwl run the whois utility, which must be installed on the server, and that action_mwl mails the raw log lines (which can include attempted usernames), so choose the recipients accordingly.



See Also