Difference between revisions of "Fail2Ban on X18"
Revision as of 08:29, 5 September 2025
Description
In recent MOR X18 versions, Fail2ban has been reworked. Two main differences:
- MOR jails are configured in jail.local, system's global jail.conf is left untouched
- Fail2ban default chain changed to MOR-FAIL2BAN-JUMP. Now, Fail2ban adds its own chains NOT directly to the INPUT chain, but to the MOR-FAIL2BAN-JUMP chain.
You have the new fail2ban configuration if:
- the file /etc/fail2ban/jail.local exists
- the beginning of the file /etc/fail2ban/jail.local contains:
[DEFAULT]
chain = MOR-FAIL2BAN-JUMP
Manage Fail2ban jails/ips
List active jails
To list active jails, use the command fail2ban-client status
[root@node01 ~]# fail2ban-client status
Status
|- Number of jail: 7
`- Jail list: ast-cli-attack, ast-hgc-200, asterisk-iptables, asterisk-manager, mor_api, mor_ddos, ssh-iptables
[root@node01 ~]#
Important notes:
- Jail chains in iptables have the f2b- prefix; for example, the ssh-iptables jail corresponds to the f2b-ssh-iptables chain
- Iptables chains for jails are created dynamically, after the first IP is blocked for a specific jail. If no IP is blocked, the chain will not exist in iptables. However, if an IP was blocked and the ban later expired (or the IP was manually removed), the chain remains
Get more information about the jail
To list more information for a specific jail, use fail2ban-client status JAILNAME
[root@node01 ~]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/secure
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 12.23.44.55
To check banned IPs manually in iptables, use iptables -n -L f2b-JAILNAME
[root@node01 ~]# iptables -n -L f2b-ssh-iptables
Chain f2b-ssh-iptables (1 references)
target     prot opt source               destination
REJECT     0    --  12.23.44.55          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     0    --  0.0.0.0/0            0.0.0.0/0
[root@node01 ~]#
Manually unblock the IP from the jail
To unblock IP from the fail2ban chain, use the command fail2ban-client set JAILNAME unbanip IPADDRESS.
fail2ban-client set ssh-iptables unbanip 12.23.44.55
JAILNAME is the name of the jail without the f2b- prefix: if the IP is blocked in iptables in the f2b-ssh-iptables chain, the jail name to use is ssh-iptables
IPs blocked by fail2ban can also be unblocked from the GUI Blocked IPs menu.
Important: if an IP is blocked by fail2ban and you unblock it with manual iptables commands, it will be blocked again after fail2ban restarts, because fail2ban still holds the ban. To permanently unblock an IP, use the methods mentioned above.
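The status output above is easy to parse, which is useful when many IPs must be unbanned through fail2ban-client rather than by editing iptables. Added example, not MOR's or fail2ban's own code; SAMPLE_STATUS is a constructed copy of the status output shown above and the helper names are my own.

```python
"""Parse `fail2ban-client status JAILNAME` output and derive the matching
iptables chain name and the unban commands (added example; not MOR's or
fail2ban's own code). SAMPLE_STATUS is constructed to match the page's output."""

SAMPLE_STATUS = """\
Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/secure
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 12.23.44.55
"""

def parse_jail_status(text):
    """Return jail name, watched log files, current ban count and banned IPs."""
    info = {"jail": None, "files": [], "currently_banned": 0, "banned": []}
    for line in text.splitlines():
        # Strip the tree-drawing prefix (|, `, -, spaces) before the field name.
        key, sep, value = line.lstrip("|`- ").partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Status for the jail":
            info["jail"] = value
        elif key == "File list":
            info["files"] = value.split()
        elif key == "Currently banned":
            info["currently_banned"] = int(value)
        elif key == "Banned IP list":
            info["banned"] = value.split()
    return info

def chain_for_jail(jail):
    """fail2ban names the iptables chain for a jail with an f2b- prefix."""
    return "f2b-" + jail

def jail_for_chain(chain):
    """Inverse mapping: fail2ban-client wants the jail name without the prefix."""
    return chain[len("f2b-"):] if chain.startswith("f2b-") else chain

def unban_commands(status_text):
    """One unbanip command per banned IP. Unbanning through fail2ban-client
    persists across a fail2ban restart; deleting the iptables rule by hand does not."""
    info = parse_jail_status(status_text)
    return ["fail2ban-client set %s unbanip %s" % (info["jail"], ip) for ip in info["banned"]]
```

In practice the input comes from `fail2ban-client status JAILNAME` run on the node; the parser only relies on the field labels, not on the exact indentation.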
Manually block the IP to the jail
To manually add an IP to a jail (for testing or other reasons), use the banip command: fail2ban-client set JAILNAME banip IPADDRESS.
fail2ban-client set ssh-iptables banip 22.33.44.55
How to modify MOR jails
- /etc/fail2ban/jail.conf contains the global fail2ban configuration shipped with the fail2ban package; do not change anything here
- /etc/fail2ban/jail.local contains the MOR jails. If it is modified manually, the changes can be overwritten by a MOR update
This is the order in which fail2ban loads jail configurations from the /etc/fail2ban/ directory:
- jail.conf
- jail.d/*.conf (in alphabetical order)
- jail.local
- jail.d/*.local (in alphabetical order)
Later files override earlier ones, so to change the configuration of a MOR jail, create a .local file in /etc/fail2ban/jail.d; it is loaded after jail.local and its settings take precedence
Example 1
The asterisk-iptables jail bans an IP address if it attempts to register several times with an incorrect password. By default, the IP is banned on all ports. Let's say we want to block access only to ports 5060,5061,5065
1. Create a file /etc/fail2ban/jail.d/asterisk-iptables.local
2. Add such contents in the file:
[asterisk-iptables]
port = 5060,5061,5065
banaction = iptables[type=multiport]
3. Restart fail2ban
systemctl restart fail2ban
We can observe that before the changes, all ports were checked against the f2b-asterisk-iptables chain
Chain MOR-FAIL2BAN-JUMP (1 references)
target     prot opt source               destination
f2b-asterisk-iptables  6    --  0.0.0.0/0            0.0.0.0/0
After changes, only ports 5060,5061,5065 are blocked
Chain MOR-FAIL2BAN-JUMP (1 references)
target     prot opt source               destination
f2b-asterisk-iptables  6    --  0.0.0.0/0            0.0.0.0/0            multiport dports 5060,5061,5065
Example 2
The SSH jail (ssh-iptables) blocks an IP permanently after 3 incorrect password attempts. Let's say we want to block an IP after 5 attempts and only for 15 minutes.
1. Create a file /etc/fail2ban/jail.d/ssh-iptables.local
2. Add such contents in the file:
[ssh-iptables]
maxretry = 5
bantime = 900
3. Restart fail2ban
systemctl restart fail2ban
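To see why the jail.d override of Example 2 wins over the values in jail.local, the load order described above can be replayed with Python's configparser. Added example, not MOR's or fail2ban's own code: the /etc/fail2ban look-alike tree and the function names are constructed for the demonstration.

```python
"""Replay fail2ban's jail load order (jail.conf, jail.d/*.conf, jail.local,
jail.d/*.local) to see a jail's effective settings. Added example, not MOR's
or fail2ban's code; the /etc/fail2ban look-alike tree below is constructed."""
import configparser
import glob
import os
import tempfile

def config_files_in_load_order(etc_dir):
    """Files in the order fail2ban reads them; later files override earlier ones."""
    jail_d = os.path.join(etc_dir, "jail.d")
    return ([os.path.join(etc_dir, "jail.conf")]
            + sorted(glob.glob(os.path.join(jail_d, "*.conf")))
            + [os.path.join(etc_dir, "jail.local")]
            + sorted(glob.glob(os.path.join(jail_d, "*.local"))))

def effective_jail_config(etc_dir, jail):
    """Merged settings for one jail, with [DEFAULT] values inherited."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(config_files_in_load_order(etc_dir))  # missing files are skipped
    return dict(parser[jail]) if parser.has_section(jail) else {}

def uses_mor_fail2ban_layout(etc_dir):
    """The page's test for the reworked layout: jail.local exists and its
    [DEFAULT] section sets chain = MOR-FAIL2BAN-JUMP."""
    path = os.path.join(etc_dir, "jail.local")
    if not os.path.isfile(path):
        return False
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    return parser.defaults().get("chain") == "MOR-FAIL2BAN-JUMP"

def build_sample_tree():
    """Constructed tree: package defaults, MOR's jail.local, and the Example 2
    override dropped into jail.d (maxretry 5, bantime 900)."""
    etc = tempfile.mkdtemp(prefix="f2b-")
    os.mkdir(os.path.join(etc, "jail.d"))
    files = {
        "jail.conf": "[DEFAULT]\nchain = INPUT\nbantime = 600\nmaxretry = 3\n",
        "jail.local": "[DEFAULT]\nchain = MOR-FAIL2BAN-JUMP\n\n"
                      "[ssh-iptables]\nenabled = true\nbantime = -1\nmaxretry = 3\n",
        "jail.d/ssh-iptables.local": "[ssh-iptables]\nmaxretry = 5\nbantime = 900\n",
    }
    for name, body in files.items():
        with open(os.path.join(etc, name), "w") as fh:
            fh.write(body)
    return etc
```

configparser is not fail2ban's own reader (fail2ban additionally resolves %(...)s interpolation and [INCLUDES] sections), so this only models the override order; point `effective_jail_config` at the real /etc/fail2ban to compare with `fail2ban-client get JAILNAME maxretry`.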