[SOLVED] Fail2ban not adding rules to Webmin

#1 Mon, 11/02/2015 - 17:11
No Expert


Hi,

this may or may not be related to this (https://www.virtualmin.com/node/35443) similar thread, but as it's a bit old I'm starting a new one.

I have the following fail2ban jails activated:

  • ssh-iptables (sshd)
  • sasl-iptables (postfix-sasl)
  • postfix-tcpwrapper (postfix)
  • webmin-auth (webmin-auth)
  • dovecot (dovecot)
  • dovecot-auth (dovecot)

When I look at Webmin's iptables page, I can only see these (see attached):

  • Jump to chain fail2ban-dovecot
  • Jump to chain fail2ban-SSH
  • Jump to chain fail2ban-dovecot-auth

However, when I check iptables -L -n I can see:

Chain f2b-webmin (0 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

which does not appear in Webmin.

I'm a bit unclear about the comment here (https://www.virtualmin.com/node/35443#comment-140998) that "Fail2ban dynamically adds/updates rules, whereas, by default, Webmin operates on the iptables save file." Are we saying that the chains that appear in Webmin's iptables have been saved to file, but the others have not?

Another, possibly related issue, is that I see two entries for SSH and I'm unsure why:

Chain f2b-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

I'm probably missing something basic. Could someone please help?

Thanks

Mon, 11/02/2015 - 22:27
Diabolico

Post the result of "iptables -L".

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Tue, 11/03/2015 - 15:11
No Expert

Hi,

here's the output.

I've condensed chain "badasses"; it's basically a bunch of annoying ip addresses that I permanently block. tcp dpts is the webmin port.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
badasses   all  --  anywhere             anywhere
fail2ban-dovecot  tcp  --  anywhere             anywhere            multiport dports pop3,pop3s,imap,imaps,submission,urd,sieve
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:xxxx
fail2ban-dovecot-auth  tcp  --  anywhere             anywhere            multiport dports pop3,pop3s,imap,imaps,submission,urd,sieve
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:xxxx:xxxx
DROP       udp  --  anywhere             anywhere            udp dpt:ftp-data
DROP       udp  --  anywhere             anywhere            udp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
DROP       tcp  --  anywhere             anywhere            tcp dpt:dnp
DROP       tcp  --  anywhere             anywhere            tcp dpt:ndmp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
DROP       tcp  --  anywhere             anywhere            tcp dpt:imaps
DROP       tcp  --  anywhere             anywhere            tcp dpt:imap
DROP       tcp  --  anywhere             anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
DROP       tcp  --  anywhere             anywhere            tcp dpt:ftp-data
DROP       tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:submission
DROP       tcp  --  anywhere             anywhere            tcp dpt:smtp
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain badasses (1 references)
target     prot opt source               destination
DROP       all  --  x.x.x.x     anywhere
RETURN     all  --  anywhere             anywhere

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-dovecot (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-dovecot-auth (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Wed, 11/04/2015 - 06:03
Diabolico

  1. ssh to your server and stop fail2ban

  2. go to Webmin - Network - iptables - delete all records related to fail2ban - save - restart iptables (or do this over ssh, no difference)

  3. ssh back to your server and check in jail.local whether you set everything correctly

  4. start fail2ban

  5. now use "iptables -L -n" and see if everything is ok

Don't save fail2ban rules in iptables because this is not how it is supposed to work. Fail2ban has its own settings and after each server restart it will put back all the rules previously set, including already banned IPs.

Another thing, watch out how many IPs are saved with iptables (doesn't apply to fail2ban banned IPs) because it will slow down your websites, especially TTFB values. If you really need to permanently ban a lot of IPs, like whole country blocks, then you should use ipset (ipset.netfilter.org), but you can install it only on full virtualization like KVM or Xen HVM, so no OpenVZ or Xen PV.


Sat, 11/07/2015 - 17:37
No Expert

Thanks for your help. Someone else had set this up for me, but at least I now know how to do it in the future.

So here's the output of iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-dovecot-auth  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 110,995,143,993,587,465,4190
f2b-dovecot  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 110,995,143,993,587,465,4190
f2b-sasl   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
f2b-SSH    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:xxxx
badasses   all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:xxxx:xxxx
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:20
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20000
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:993
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:587
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain badasses (1 references)
target     prot opt source               destination
DROP       all  --  x.x.x.x              0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-dovecot (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-dovecot-auth (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-sasl (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-webmin (0 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

I had a couple of follow up questions:

(1) I've activated postfix-tcpwrapper but I can't seem to see it in the output. Should it be there?

(2) I can see f2b-webmin at the bottom, but I can't see it at the top of the output. Should it be there?

(3) Within /etc/fail2ban I can also see a file called jail.conf.rpmnew. I think this relates to version 9 of fail2ban. Do I need to do anything? Does it overwrite jail.conf?

Thanks again

Sun, 11/08/2015 - 04:15
Diabolico

  1. Yes, but I think the new version doesn't come with postfix-tcpwrapper and I think everything is handled with postfix.

  2. Yes, but in the new version it is named "f2b-webmin-auth".

  3. The file ****.rpmnew means you updated some software but you had changed the old files, so to not break everything the update marks all those (new) files as ****.rpmnew. First, you should never use jail.conf but rather jail.local. There is a lot of information on Google, just look around. For fail2ban you need to use the new file versions, and not doing this could relate to your problems. Check inside the other folders in fail2ban, and if there are more ****.rpmnew files you should use those.

Answers in 1 and 2 are based on CentOS 7, i.e. the OS I'm using, so I'm not sure if others have this different, but I think it should be the same.

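One way to check for the situation in (2) above, written as an added example that is not from the thread: it parses `iptables -S` output and reports fail2ban chains that nothing jumps to (like f2b-webmin with 0 references) and jail names that still have both an old fail2ban-<name> and a new f2b-<name> chain. The ruleset below is a constructed sample; port 2222 for SSH and the set of chains are assumptions.

```shell
# Constructed sample ruleset modelled on the thread's outputs: the old
# fail2ban-SSH chain and the new f2b-SSH chain coexist, and f2b-webmin is
# defined but nothing jumps to it (the jail is now f2b-webmin-auth).
SAMPLE_RULES='-P INPUT ACCEPT
-N badasses
-N f2b-SSH
-N fail2ban-SSH
-N f2b-dovecot
-N f2b-webmin
-N f2b-webmin-auth
-A INPUT -j badasses
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j f2b-dovecot
-A INPUT -p tcp -m tcp --dport 2222 -j f2b-SSH
-A INPUT -p tcp -m tcp --dport 2222 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 10000 -j f2b-webmin-auth
-A f2b-SSH -j RETURN
-A fail2ban-SSH -j RETURN
-A f2b-dovecot -j RETURN
-A f2b-webmin -j RETURN
-A f2b-webmin-auth -j RETURN'

# Chains defined (-N) with a fail2ban prefix that no rule jumps to (-j):
# the "(0 references)" case. Reads `iptables -S` text from stdin.
orphan_f2b_chains() {
    awk '
        $1 == "-N" && $2 ~ /^(f2b|fail2ban)-/ { defined[$2] = 1 }
        { for (i = 1; i < NF; i++) if ($i == "-j") referenced[$(i + 1)] = 1 }
        END { for (c in defined) if (!(c in referenced)) print c }
    ' | sort
}

# Jail names that have both an old-style fail2ban-<name> and a new-style
# f2b-<name> chain, i.e. leftovers from before the 0.9 rename.
duplicate_f2b_chains() {
    awk '
        $1 == "-N" && $2 ~ /^(f2b|fail2ban)-/ {
            name = $2; sub(/^(f2b|fail2ban)-/, "", name); seen[name]++
        }
        END { for (n in seen) if (seen[n] > 1) print n }
    ' | sort
}

# Run both checks over the constructed sample (on a live box, pipe `iptables -S` in instead).
check_sample_orphans() { printf '%s\n' "$SAMPLE_RULES" | orphan_f2b_chains; }
check_sample_duplicates() { printf '%s\n' "$SAMPLE_RULES" | duplicate_f2b_chains; }

check_sample_orphans     # prints: f2b-webmin
check_sample_duplicates  # prints: SSH
```

An orphan chain bans nothing, and a duplicate pair means two chains are consulted for the same port; either one is a sign that the saved iptables rules and fail2ban's own chains have drifted apart, which is exactly what steps 1 to 5 above clean up.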

Sun, 11/08/2015 - 05:04
No Expert

Thanks again.

Amazingly I paid someone to help me set up fail2ban but of course you are right, all modifications should go into jail.local. I can now see why the file jail.conf.rpmnew was created.

Should I therefore delete / rename the existing jail.conf file and rename jail.conf.rpmnew into jail.conf so that fail2ban correctly picks it up?

Thanks

Sun, 11/08/2015 - 09:00
Diabolico

Don't delete any old file for now, just rename it to *.old or make a local copy and then delete. Once you have checked everything, then you can delete the old files.


Sun, 11/08/2015 - 13:42
No Expert

Hi,

I renamed the jail.conf file to jail.conf.old and jail.conf.rpmnew to jail.conf. I had to rename some of the active jails to take account of version 0.9 naming but I restarted fail2ban and I did not see any error messages so I presume it works.

Just to make 100% sure that I've set it up correctly:

In my jail.local, I did not define the port and logpath. So for instance, the default options for sshd are:

port    = ssh
logpath = %(sshd_log)s

If I moved the ssh port to another non-standard port, do I need to set it manually or will it pick it up automatically from sshd_config?

Similarly, do I need to tell it that my /var/log/postfix.log is actually located in /var/log/maillog? Backend is set to "auto" and I have not changed that in my .local file.

Thanks

Sun, 11/08/2015 - 18:04
Diabolico

Fail2ban after version 0.9 comes with all jails deactivated by default, so in jail.local just activate the ones you want/need. I would suggest copying everything from jail.conf up to the first jail rule into jail.local, making changes based on what you need, and then proceeding with activating the wanted jails (in jail.local).

I would suggest changing "%(sshd_log)s" to the standard path, as I noticed some jails have a little problem checking the log files. In theory it should work, but there is nothing wrong in using the full path to the log files, for example:

[sshd]
enabled = true
port    = ssh
logpath = /var/log/secure

Fail2ban will read the log files, so for example whatever port you are using for SSH doesn't matter as long as the log file is working.

Check this topic http://www.virtualmin.com/node/38305.


Mon, 11/09/2015 - 15:31
No Expert

Thanks, all good.

Having checked, it adds the logs correctly, e.g.:

Added logfile = /var/log/secure
Added logfile = /var/log/maillog
Added logfile = /var/log/httpd/error_log
Added logfile = /var/log/httpd/ssl_error_log

The only one it complained about was [mysqld-auth], but after changing logpath = %(mysql_log)s to logpath = /var/log/mysqld.log it worked.

Thanks for all your help - appreciated.
