[opensuse-factory] fail2ban 0.9.2 for openSUSE and SLE distributions
Dear all!

Finally I have prepared the long-requested 0.9.x version for fail2ban. With version 0.9 many things changed in fail2ban: it supports systemd logging and improves configuration a lot.

It would be great if some of you could test the versions I have packaged in http://download.opensuse.org/repositories/home:/weberho:/branches:/security/ and give some feedback. Please review all your configurations; I'd highly recommend having a look at the changelog at https://github.com/fail2ban/fail2ban/blob/master/ChangeLog

If there are no objections, I'd update the security: repository next week.

Best regards,
Johannes

--
Johannes Weberhofer
Weberhofer GmbH, Austria, Vienna

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Fri, May 8, 2015 at 3:11 PM, Johannes Weberhofer <jweberhofer@weberhofer.at> wrote:
Johannes,

I thought I'd give fail2ban a try. I haven't used it much before, so I'm a novice.

First I used a very simple jail.local file and it seems to work:

==
[DEFAULT]
ignoreip = 127.0.0.1/8 <a_few_of_my_known_IPs>
destemail = Greg.Freemyer@gmail.com

[sshd]
enabled = true

[sshd-ddos]
enabled = true
==

But I wanted to add a permanent ban for repeat SSH offenders. I found a blog post with a recipe: http://stuffphilwrites.com/2013/03/permanently-ban-repeat-offenders-fail2ban...

Following that 2-year-old recipe doesn't seem to work with v0.9. Do you know of one that does?

fyi: Here's the 2-year-old recipe from the blog post.

Add this to jail.local:

=================================
[ssh-repeater]
enabled = true
filter = sshd
action = iptables-repeater[name=ssh]
         sendmail-whois[name=SSH-repeater, dest=root, sender=root, sendername="Fail2Ban"]
logpath = /var/log/messages
maxretry = 21
findtime = 31536000
bantime = 31536000
==================================

Create a file /etc/fail2ban/action.d/iptables-repeater.conf with content:

===================================
# Fail2ban configuration file
#
# Author: Phil Hagen <phil@identityvector.com>
#

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-REPEAT-<name>
              iptables -A fail2ban-REPEAT-<name> -j RETURN
              iptables -I INPUT -j fail2ban-REPEAT-<name>
              # set up from the static file
              cat /etc/fail2ban/ip.blocklist.<name> | grep -v '^\s*#' | awk '{print $1}' | while read IP; do iptables -I fail2ban-REPEAT-<name> 1 -s $IP -j DROP; done

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -j fail2ban-REPEAT-<name>
             iptables -F fail2ban-REPEAT-<name>
             iptables -X fail2ban-REPEAT-<name>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-REPEAT-<name>

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   <ip>        IP address
#         <failures>  number of failures
#         <time>      unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-REPEAT-<name> 1 -s <ip> -j DROP
            # also put into the static file to re-populate after a restart
            ! grep -Fq <ip> /etc/fail2ban/ip.blocklist.<name> && echo "<ip> # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): auto-add for repeat offender" >> /etc/fail2ban/ip.blocklist.<name>

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   <ip>        IP address
#         <failures>  number of failures
#         <time>      unix timestamp of the ban time
# Values: CMD
#
actionunban = /bin/true

[Init]

# Default name of the chain
#
name = REPEAT
=====================================

Thanks
Greg
Dear Greg,

sorry for the late response, I didn't see your post earlier.

Regarding your issue, I'm seeing the same problem with the 0.8 and 0.9 version, too: https://github.com/fail2ban/fail2ban/issues/1020 . Can you check if fail2ban bans the IP addresses when you open vi and write the file? I think there is something wrong with fail2ban.

Best regards,
Johannes

On 21.05.15 at 00:47, Greg Freemyer wrote:

--
Johannes Weberhofer
Weberhofer GmbH, Austria, Vienna
On Wed, May 27, 2015 at 12:47 AM, Johannes Weberhofer <jweberhofer@weberhofer.at> wrote:
Johannes,

When a ban triggers it is updating my iptables:

Chain f2b-ssh-repeater (1 references)
target     prot opt source               destination
REJECT     all  --  58.218.205.83        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  60.8.151.51          anywhere             reject-with icmp-port-unreachable
REJECT     all  --  58.218.211.155       anywhere             reject-with icmp-port-unreachable
etc.

It is also updating my permanent block file:

# cat ip.blocklist.ssh
58.218.204.239 # fail2ban/2015-05-20 14:17:51: auto-add for repeat offender
58.218.199.49 # fail2ban/2015-05-20 17:27:17: auto-add for repeat offender
222.186.21.136 # fail2ban/2015-05-21 04:51:17: auto-add for repeat offender
etc.

My issue is that on fail2ban startup, parsing the ip.blocklist.ssh file seems to fail. Then fail2ban runs through all my logs and re-bans the bothersome IPs based on the historical logs. I then get an email about each one. I have about 30 IPs in the blocklist, so I get 30 emails generated via "systemctl restart fail2ban.service".

The workaround for the emails is to turn off email notification for repeat SSH attack detection. But that just ignores the real bug.

Greg
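As an added example (not code from this thread, from the blog recipe, or from fail2ban itself): the `actionstart` line in the recipe above rebuilds the chain from `/etc/fail2ban/ip.blocklist.<name>` with a `cat | grep | awk | while read` pipeline, which hands every non-comment first field straight to `iptables`, so one stray line breaks the restore. The Python script below does the same restore as a dry run, printing the `iptables` commands it would issue and listing the lines it refuses (comments at any indentation, blank lines, duplicates, tokens that are not an address). The blocklist content is constructed here in the file format Greg shows (address, then `#`, then the fail2ban timestamp comment) using documentation-range addresses, and the chain name `fail2ban-REPEAT-ssh` is assumed from the recipe's `name=ssh`.

```python
"""Dry-run equivalent of the iptables-repeater actionstart restore step.

Added example, not part of the mailing-list thread or of fail2ban. It reads a
blocklist in the "<ip> # comment" format shown in the thread, validates every
entry and prints the iptables commands that would re-populate the chain.
"""
import ipaddress
import shlex
import sys

# Constructed sample in the format of /etc/fail2ban/ip.blocklist.<name>;
# the addresses are documentation ranges, not the ones from the thread.
SAMPLE_BLOCKLIST = """\
# fail2ban repeat-offender blocklist (constructed sample)
192.0.2.10 # fail2ban/2015-05-20 14:17:51: auto-add for repeat offender
   # indented comment line: a pattern anchored at column 0 would keep it
198.51.100.7 # fail2ban/2015-05-20 17:27:17: auto-add for repeat offender

192.0.2.10 # duplicate entry: must not create a second rule
not-an-ip # garbage line: the recipe's pipeline would hand this to iptables
203.0.113.0/24 # a whole network, as an operator might add by hand
"""


def parse_blocklist(text):
    """Return (entries, rejected).

    entries: valid hosts/networks in file order, duplicates removed;
    rejected: (line_number, raw_line) pairs for lines that are not an address.
    Mirrors the recipe's pipeline (skip comments, take the first field) but
    refuses to pass anything that is not an address on to iptables.
    """
    seen = set()
    entries = []
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment, at any indentation
        token = line.split()[0]           # the field awk '{print $1}' selects
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            rejected.append((lineno, raw))
            continue
        # Single hosts are emitted bare, as in the file; networks keep their prefix.
        entry = str(net.network_address) if net.num_addresses == 1 else str(net)
        if entry in seen:
            continue
        seen.add(entry)
        entries.append(entry)
    return entries, rejected


def restore_commands(entries, chain):
    """One command per entry, matching the recipe's
    'iptables -I fail2ban-REPEAT-<name> 1 -s $IP -j DROP'."""
    return ["iptables -I %s 1 -s %s -j DROP" % (shlex.quote(chain), e) for e in entries]


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:        # e.g. /etc/fail2ban/ip.blocklist.ssh
            text = fh.read()
    else:
        text = SAMPLE_BLOCKLIST
    entries, rejected = parse_blocklist(text)
    for cmd in restore_commands(entries, "fail2ban-REPEAT-ssh"):
        print(cmd)
    for lineno, raw in rejected:
        print("# skipped line %d: %r" % (lineno, raw), file=sys.stderr)
    return 1 if rejected else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real file (`python3 restore_dryrun.py /etc/fail2ban/ip.blocklist.ssh`) and compare its output with `iptables -n -L fail2ban-REPEAT-ssh`: a non-zero exit status means the file contains a line the recipe's pipeline would have passed to `iptables` unchecked, which is the first thing to rule out when the chain comes up empty after a restart.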