fail2ban compliant ?

Bugs in eFa 4
tesme33
Posts: 36
Joined: 22 Mar 2015 10:57
Location: Germany/Munich area

fail2ban compliant ?

Post by tesme33 » 05 Jul 2019 05:36

Hi
did anybody try fail2ban with EFA4 already ?

thx

warlord
Posts: 19
Joined: 16 May 2019 21:21

Re: fail2ban compliant ?

Post by warlord » 10 Jul 2019 00:33

What do you mean by "try fail2ban"?
I am running fail2ban on my eFa test server, and it is watching e.g. ssh logs and banning people.

Alleyviper
Posts: 75
Joined: 16 Oct 2018 05:55
Location: Portugal

Re: fail2ban compliant ?

Post by Alleyviper » 25 Jul 2019 12:45

Hi there,

Fail2ban is always compliant :) You install the package and define the rules, and it will analyze system logs and do the blocking :) What we can do is improve and add fail2ban to the eFa menu, including adding and removing IPs to block.

pdwalker
Posts: 1297
Joined: 18 Mar 2015 09:16

Re: fail2ban compliant ?

Post by pdwalker » 19 May 2020 05:30

Maybe a better question would be: how do we configure fail2ban to notice the proper messages from our maillog and block all those IPs that are constantly trying to deliver spam, or brute-force checking email addresses?

Out of the box fail2ban doesn't do anything with postfix.

tesme33
Posts: 36
Joined: 22 Mar 2015 10:57
Location: Germany/Munich area

Re: fail2ban compliant ?

Post by tesme33 » 24 May 2020 06:03

Alleyviper wrote:
25 Jul 2019 12:45
Hi there,

Fail2ban is always compliant :) You install the package and define the rules, and it will analyze system logs and do the blocking :) What we can do is improve and add fail2ban to the eFa menu, including adding and removing IPs to block.
Hi
Sorry to come back so late.

First, it looks like fail2ban is not compliant out of the box.
How to check:

Code:

[root@efa4 ~]# fail2ban-client show sshd
2020-05-24 07:48:16,682 fail2ban                [19670]: ERROR   NOK: ('Invalid command',)
Invalid command
The table itself is filled:

Code:

[root@efa4 fail2ban]# ipset list
Name: f2b-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 6000
Size in memory: 76536
References: 1
Number of entries: 20
Members:
14.192.17.150 timeout 5413
222.186.15.10 timeout 2811
222.186.30.218 timeout 4409
222.186.30.112 timeout 1814
222.186.190.14 timeout 475
157.230.153.75 timeout 1214
190.60.200.126 timeout 1092
107.170.20.247 timeout 987
222.186.175.23 timeout 2138
106.12.163.87 timeout 1706
103.207.36.223 timeout 3242
222.186.31.166 timeout 3766
222.186.180.130 timeout 4082
222.186.30.167 timeout 3444
223.247.153.244 timeout 1542
61.160.52.58 timeout 273
222.186.15.115 timeout 4746
111.229.33.175 timeout 2010
222.186.42.136 timeout 1146
222.186.42.7 timeout 5066
[root@efa4 fail2ban]#
Some info can be found here: https://forums.centos.org/viewtopic.php?t=60586

Now digging around for how to solve it.

pdwalker
Posts: 1297
Joined: 18 Mar 2015 09:16

Re: fail2ban compliant ?

Post by pdwalker » 24 May 2020 15:35

My version of fail2ban-client does not have a "show" subcommand. Are you sure that command is correct? The error message you are getting also suggests that it doesn't support the "show" subcommand.

Try this instead:

Code:

# dump the configuration so we can see what is really enabled
$ fail2ban-client -d

# show the status of the fail2ban
$ fail2ban-client status

# I have the postfix-sasl jail configured only.
$ fail2ban-client status postfix-sasl

tesme33
Posts: 36
Joined: 22 Mar 2015 10:57
Location: Germany/Munich area

Re: fail2ban compliant ?

Post by tesme33 » 24 May 2020 22:08

Hi
Looks like you are right. The "show" command is also not present in my fail2ban-client. Don't ask me where I saw this.

Code:

[root@efa4 ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	18
|  |- Total failed:	79506
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	43
   |- Total banned:	6769
   `- Banned IP list:	218.4.163.146 118.27.9.244 138.36.102.134 106.12.197.52 222.186.15.158 188.131.173.220 222.186.15.115 222.186.30.167 200.205.188.74 64.225.25.59 5.196.63.250 209.141.37.175 187.155.200.84 222.186.30.218 222.186.42.155 119.29.26.222 45.114.85.82 68.183.110.49 222.186.30.76 222.186.30.35 51.38.128.30 152.136.144.86 168.232.131.62 92.154.121.54 49.235.39.217 128.199.85.251 203.176.84.54 117.50.13.170 139.198.5.79 222.186.180.142 193.38.139.103 51.89.68.141 194.61.55.164 206.81.14.48 106.52.24.215 222.186.42.136 51.75.78.128 46.140.151.66 222.186.180.130 111.230.248.93 159.89.157.75 95.84.146.201 222.186.30.57
[root@efa4 ~]# fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd
[root@efa4 ~]# fail2ban-client get sshd actions
The jail sshd has the following actions:
firewallcmd-ipset
And the rule is in my iptables:

Code:

REJECT     tcp  --  anywhere             anywhere             multiport dports ssh match-set f2b-sshd src reject-with icmp-port-unreachable
Somehow I was too fast this morning in judging.

Sorry.

But now, looking into my /var/log/maillog, I will also start thinking about a postfix configuration.

Code:

[root@efa4 log]# grep "SASL LOGIN authentication failed" maillog | wc -l
3886
You said you have the postfix jail switched on. Does this help with these issues?

pdwalker
Posts: 1297
Joined: 18 Mar 2015 09:16

Re: fail2ban compliant ?

Post by pdwalker » 25 May 2020 02:21

Hugely!

My server is only accessible via the various mail protocols, so I get lots of failed authentication attempts, and fail2ban now picks them all up.

Since all my mail users are internal, there should be no ssl authentication, except for very rare circumstances. 3 failed attempts in 4 hours? blocked for 48h.

Here is my configuration:

[postfix-sasl]
enabled = true
# the stock postfix filter in "auth" mode matches the "SASL ... authentication failed" warnings
filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
banaction = iptables-multiport
# three failures within 240 minutes ban the source for 48 hours
bantime = 48h
maxretry = 3
findtime = 240m
logpath = %(postfix_log)s
backend = %(postfix_backend)s
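To make the jail's behaviour concrete, here is an added example (not code from the thread, eFa or fail2ban) that emulates what the postfix-sasl jail above does to the "SASL LOGIN authentication failed" lines tesme33 counted with grep: it extracts the client IP from each failure, applies the same maxretry=3 / findtime=240m / bantime=48h rule with a sliding window, and renders the iptables rule the iptables-multiport ban action would insert. The maillog lines, the hostnames, the 2020 year used to complete the syslog timestamps and the chain name f2b-postfix-sasl are constructed assumptions for the demonstration; the regex is a simplified stand-in for fail2ban's own postfix filter, not a copy of it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample maillog (assumption: not taken from the original post).
# The line shape follows Postfix smtpd's SASL failure warning.
SAMPLE_MAILLOG = """\
May 24 07:01:10 efa4 postfix/smtpd[12345]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 24 07:02:15 efa4 postfix/smtpd[12345]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 24 07:03:20 efa4 postfix/smtpd[12345]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 24 07:05:00 efa4 postfix/smtpd[12346]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
May 24 07:10:00 efa4 postfix/smtpd[12346]: connect from mail.example.net[192.0.2.5]
May 24 12:30:00 efa4 postfix/smtpd[12347]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 24 12:31:00 efa4 postfix/smtpd[12347]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Simplified stand-in for fail2ban's postfix[mode=auth] filter (assumption, not the real regex):
# host may be "unknown" or a resolved name; the IP in brackets is what gets banned.
FAILED_AUTH = re.compile(
    r"warning: [\w.-]+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5|NTLM|GSSAPI) authentication failed"
)


def parse_failures(log_text, year=2020):
    """Return a list of (timestamp, ip) for every SASL auth failure line.

    Syslog timestamps carry no year, so one is supplied (assumed 2020 here).
    """
    failures = []
    for line in log_text.splitlines():
        m = FAILED_AUTH.search(line)
        if not m:
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
        failures.append((ts, m.group("ip")))
    return failures


def count_failures(log_text):
    """Equivalent of: grep "SASL ... authentication failed" maillog | wc -l"""
    return len(parse_failures(log_text))


def compute_bans(failures, maxretry=3, findtime_minutes=240, bantime_hours=48):
    """Emulate the jail: an IP with maxretry failures inside a sliding findtime window
    is banned from the triggering failure for bantime. Returns {ip: (ban_start, ban_end)}.
    Failures that arrive while the IP is already banned are ignored, since the firewall
    rule would have dropped that connection before it could fail again.
    """
    findtime = timedelta(minutes=findtime_minutes)
    bantime = timedelta(hours=bantime_hours)
    window = defaultdict(list)
    bans = {}
    for ts, ip in sorted(failures):
        if ip in bans and ts < bans[ip][1]:
            continue
        recent = [t for t in window[ip] if ts - t <= findtime] + [ts]
        if len(recent) >= maxretry:
            bans[ip] = (ts, ts + bantime)
            recent = []
        window[ip] = recent
    return bans


def iptables_ban_rules(bans, chain="f2b-postfix-sasl"):
    """Render the per-IP rule iptables-multiport's actionban inserts into the jail chain
    (chain name assumed; blocktype matches the REJECT seen in the thread's iptables output)."""
    return [
        f"iptables -I {chain} 1 -s {ip} -j REJECT --reject-with icmp-port-unreachable"
        for ip in sorted(bans)
    ]


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_MAILLOG)
    print(f"{count_failures(SAMPLE_MAILLOG)} SASL failures in sample log")
    for ip, (start, end) in compute_bans(failures).items():
        print(f"ban {ip}: {start.isoformat()} -> {end.isoformat()}")
    print("\n".join(iptables_ban_rules(compute_bans(failures))))
```

With the sample log, 203.0.113.10 fails three times in three minutes and is banned at the third attempt for 48 hours; 198.51.100.7 also fails three times, but its first failure is more than four hours before the other two, so with findtime=240m it never reaches maxretry. Widening findtime to six hours bans it too, which is the trade-off pdwalker's 4-hour window is making: a longer window catches slow, low-rate guessing, at the cost of banning a legitimate user who mistypes a password a few times over a working day.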
