Difference between revisions of "Fail2Ban on X18"

From Kolmisoft Wiki
Revision as of 08:11, 5 September 2025

Description

In recent MOR X18 versions, Fail2ban has been reworked. Two main differences:

  • MOR jails are configured in jail.local, system's global jail.conf is left untouched
  • Fail2ban default chain changed to MOR-FAIL2BAN-JUMP. Now, Fail2ban adds chains to MOR-FAIL2BAN-JUMP, and not directly to the INPUT chain.



How to modify MOR jails

  • /etc/fail2ban/jail.conf contains the global fail2ban configuration shipped with the fail2ban package; we should not change anything here
  • /etc/fail2ban/jail.local contains MOR jails. If this is modified manually, it can be overwritten by the MOR update

This is the order in which fail2ban loads jail configurations from the /etc/fail2ban/ directory:

  • jail.conf
  • jail.d/*.conf (in alphabetical order)
  • jail.local
  • jail.d/*.local (in alphabetical order).

So to change the configuration of MOR jail, we should create a .local file in /etc/fail2ban/jail.d



Example 1

The asterisk-iptables jail bans an IP address if it attempts to register several times with an incorrect password. By default, the IP is banned on all ports. Let's say we want to block only access to ports 5060,5061,5065.

1. Create a file /etc/fail2ban/jail.d/asterisk-iptables.local
2. Add the following contents to the file:

[asterisk-iptables]
port = 5060,5061,5065
banaction = iptables[type=multiport]

3. Restart fail2ban

systemctl restart fail2ban

We can observe that before the changes, all ports were checked against the f2b-asterisk-iptables chain

Chain MOR-FAIL2BAN-JUMP (1 references)
target     prot opt source               destination         
f2b-asterisk-iptables  6    --  0.0.0.0/0            0.0.0.0/0 

After changes, only ports 5060,5061,5065 are blocked

Chain MOR-FAIL2BAN-JUMP (1 references)
target     prot opt source               destination         
f2b-asterisk-iptables  6    --  0.0.0.0/0            0.0.0.0/0            multiport dports 5060,5061,5065



Example 2

SSH jail (ssh-iptables) blocks the IP permanently after 3 incorrect password attempts. Let's say we want to block an IP after 5 attempts and only for 15 minutes.

1. Create a file /etc/fail2ban/jail.d/ssh-iptables.local
2. Add the following contents to the file:

[ssh-iptables]
maxretry = 5
bantime = 900

3. Restart fail2ban

systemctl restart fail2ban
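The load order listed under "How to modify MOR jails" is what makes both examples work: a setting in jail.d/ssh-iptables.local is read after the same setting in jail.local, so the later value wins and jail.local itself stays untouched for MOR updates. The script below is an added illustration, not Kolmisoft's or fail2ban's own code. It builds a constructed config tree in a temporary directory, writes the same override as Example 2, and resolves the effective maxretry and bantime by walking the four locations in the documented order. It is a simplification: only the jail's own [section] is read, and fail2ban's [DEFAULT] inheritance and %(name)s interpolation are not modelled; the file name resolve-jail.sh is assumed.

```shell
#!/bin/sh
# Added example, not Kolmisoft's code. Resolves a jail setting by reading the
# files in the order the page documents (later files win):
#   jail.conf -> jail.d/*.conf -> jail.local -> jail.d/*.local
# Simplification (assumption): only the jail's own [section] is read; fail2ban's
# [DEFAULT] inheritance and %(name)s interpolation are not modelled.

# effective_setting CONFDIR JAIL KEY
# Prints the last value assigned to KEY inside [JAIL] across the load order
# (empty if no file sets it).
effective_setting() {
    confdir=$1; jail=$2; key=$3; value=
    for f in "$confdir/jail.conf" "$confdir"/jail.d/*.conf \
             "$confdir/jail.local" "$confdir"/jail.d/*.local; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal: skip it
        v=$(awk -v sect="[$jail]" -v key="$key" '
            /^[ \t]*[#;]/ { next }                       # comment line
            /^\[/         { insect = ($0 == sect); next } # section header
            insect && $0 ~ ("^" key "[ \t]*=") {
                sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
            }
            END { print val }' "$f")
        [ -n "$v" ] && value=$v
    done
    printf '%s\n' "$value"
}

# write_override CONFDIR JAIL "key = value"...
# Creates jail.d/JAIL.local the way Examples 1 and 2 do, leaving jail.local alone.
write_override() {
    confdir=$1; jail=$2; shift 2
    mkdir -p "$confdir/jail.d"
    {
        printf '[%s]\n' "$jail"
        for kv in "$@"; do printf '%s\n' "$kv"; done
    } > "$confdir/jail.d/$jail.local"
}

# demo_confdir: builds a constructed config tree in a temp dir that mimics the
# page's layout (package defaults in jail.conf, MOR jails in jail.local) and
# prints its path.
demo_confdir() {
    d=$(mktemp -d)
    mkdir -p "$d/jail.d"
    # Constructed stand-in for the package jail.conf (left untouched).
    printf '[DEFAULT]\nbantime = 600\nmaxretry = 5\n\n[sshd]\nenabled = false\n' > "$d/jail.conf"
    # Constructed stand-in for MOR's jail.local: permanent ban after 3 failures.
    printf '[ssh-iptables]\nenabled = true\nmaxretry = 3\nbantime = -1\n' > "$d/jail.local"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "demo" ]; then
    d=$(demo_confdir)
    printf 'before: maxretry=%s bantime=%s\n' \
        "$(effective_setting "$d" ssh-iptables maxretry)" "$(effective_setting "$d" ssh-iptables bantime)"
    write_override "$d" ssh-iptables "maxretry = 5" "bantime = 900"
    printf 'after:  maxretry=%s bantime=%s\n' \
        "$(effective_setting "$d" ssh-iptables maxretry)" "$(effective_setting "$d" ssh-iptables bantime)"
    rm -rf "$d"
fi
```

Run it with sh resolve-jail.sh demo to see maxretry go from 3 to 5 and bantime from -1 to 900 without jail.local changing. On a real host the authoritative check is the running daemon: after systemctl restart fail2ban, fail2ban-client get ssh-iptables maxretry and fail2ban-client get ssh-iptables bantime print the values the jail actually uses, which is the quickest way to confirm that the override file was picked up.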



Manage Fail2ban jails/ips



List active jails

To list active jails, use the command fail2ban-client status

[root@node01 ~]# fail2ban-client status
Status
|- Number of jail:      7
`- Jail list:   ast-cli-attack, ast-hgc-200, asterisk-iptables, asterisk-manager, mor_api, mor_ddos, ssh-iptables
[root@node01 ~]# 

Important notes:

  • Jails in iptables have the f2b- prefix; for example, the ssh-iptables jail corresponds to the f2b-ssh-iptables chain
  • Iptables chains for jails are created dynamically, after the first IP is blocked for a specific jail. If no IP has been blocked, the chain will not exist in iptables. However, if an IP was blocked and the ban later expired (or the IP was manually removed), the chain remains



Get more information about the jail

To list more information for specific jails, use fail2ban-client status JAILNAME

[root@node01 ~]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   12.23.44.55

To check banned IPs manually in iptables, use iptables -n -L f2b-JAILNAME

[root@node01 ~]# iptables -n -L f2b-ssh-iptables
Chain f2b-ssh-iptables (1 references)
target     prot opt source               destination         
REJECT     0    --  12.23.44.55          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     0    --  0.0.0.0/0            0.0.0.0/0           
[root@node01 ~]# 



Manually unblock the IP from the jail

To unblock IP from the fail2ban chain, use the command fail2ban-client set JAILNAME unbanip IPADDRESS.

fail2ban-client set ssh-iptables unbanip 12.23.44.55

JAILNAME is the name of the jail without the f2b- prefix, so if the IP is blocked in the iptables chain f2b-ssh-iptables, the jail name to use is ssh-iptables

IPs blocked by fail2ban can also be unblocked from the GUI Blocked IPs menu.

Important: If an IP is blocked by fail2ban and you unblock it using manual iptables commands, it will be blocked again after fail2ban restarts. To permanently unblock an IP, use the methods mentioned above.
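The two outputs shown above (fail2ban-client status JAILNAME and iptables -n -L f2b-JAILNAME) can be compared by a script, and the comparison catches exactly the situation the Important note warns about: an address removed from the chain by hand that fail2ban still lists as banned and will re-add on restart. The script below is an added example, not Kolmisoft's code. Its two inputs are constructed from the page's sample output, with a second address (22.33.44.55) present in the fail2ban status but absent from the iptables chain.

```shell
#!/bin/sh
# Added example, not Kolmisoft's code: compare what fail2ban believes is banned
# in a jail with what the matching f2b- chain in iptables actually rejects.

# Constructed sample of `fail2ban-client status ssh-iptables`, based on the
# page's output but with a second banned address added.
SAMPLE_STATUS='Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   12.23.44.55 22.33.44.55'

# Constructed sample of `iptables -n -L f2b-ssh-iptables`: only one of the two
# addresses is still rejected (the other was removed by hand with iptables).
SAMPLE_IPTABLES='Chain f2b-ssh-iptables (1 references)
target     prot opt source               destination
REJECT     0    --  12.23.44.55          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     0    --  0.0.0.0/0            0.0.0.0/0'

# fail2ban_banned STATUS_TEXT -> banned IPs from the "Banned IP list:" line, sorted
fail2ban_banned() {
    printf '%s\n' "$1" | awk -F'Banned IP list:' '
        NF > 1 { n = split($2, a, /[ \t]+/); for (i = 1; i <= n; i++) if (a[i] != "") print a[i] }' | sort -u
}

# chain_rejects IPTABLES_TEXT -> source IPs of REJECT/DROP rules, sorted
chain_rejects() {
    printf '%s\n' "$1" | awk '$1 == "REJECT" || $1 == "DROP" { print $4 }' | sort -u
}

# member IP LIST -> succeeds if IP is one of the whitespace-separated words in LIST
member() {
    case " $(printf '%s ' $2) " in *" $1 "*) return 0 ;; esac
    return 1
}

# drift_report STATUS_TEXT IPTABLES_TEXT
# Prints "only_in_fail2ban IP" for bans the daemon knows about but the chain lacks
# (these come back after a restart) and "only_in_iptables IP" for rules in the
# chain that fail2ban does not own.
drift_report() {
    f2b=$(fail2ban_banned "$1"); ipt=$(chain_rejects "$2")
    for ip in $f2b; do member "$ip" "$ipt" || printf 'only_in_fail2ban %s\n' "$ip"; done
    for ip in $ipt; do member "$ip" "$f2b" || printf 'only_in_iptables %s\n' "$ip"; done
    return 0
}

drift_report "$SAMPLE_STATUS" "$SAMPLE_IPTABLES"
```

On a live host, feed it the real outputs: drift_report "$(fail2ban-client status ssh-iptables)" "$(iptables -n -L f2b-ssh-iptables)". An only_in_fail2ban line is an IP that should be released with fail2ban-client set JAILNAME unbanip (or from the Blocked IPs menu) rather than with iptables, since fail2ban will otherwise restore the rule; an only_in_iptables line is a rule in the jail's chain that fail2ban did not create and will not clean up.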



Manually block the IP to the jail

To manually add IP to the jail (for testing or other reasons), use the banip command fail2ban-client set JAILNAME banip IPADDRESS.

fail2ban-client set ssh-iptables banip 22.33.44.55