Hi,
this may or may not be related to this (https://www.virtualmin.com/node/35443) similar thread, but as it's a bit old I'm starting a new one.
I have the following fail2ban jails activated:
When I look at Webmin's iptables page, I can only see these (see attached):
However, when I check iptables -L -n
I can see:
Chain f2b-webmin (0 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
which does not appear in Webmin.
I'm a bit unclear about the comment here (https://www.virtualmin.com/node/35443#comment-140998) that "Fail2ban dynamically adds/updates rules, whereas, by default, Webmin operates on the iptables save file." Are we saying that the chains that appear in Webmin's iptables have been saved to file, but the others have not?
Another, possibly related issue, is that I see two entries for SSH and I'm unsure why:
Chain f2b-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
I'm probably missing something basic. Could someone please help?
Thanks
Post the result of "iptables -L".
- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
Hi,
here's the output.
I've condensed chain "badasses"; it's basically a bunch of annoying IP addresses that I permanently block. tcp dpts is the webmin port.
Chain INPUT (policy ACCEPT)
target prot opt source destination
badasses all -- anywhere anywhere
fail2ban-dovecot tcp -- anywhere anywhere multiport dports pop3,pop3s,imap,imaps,submission,urd,sieve
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:xxxx
fail2ban-dovecot-auth tcp -- anywhere anywhere multiport dports pop3,pop3s,imap,imaps,submission,urd,sieve
ACCEPT tcp -- anywhere anywhere tcp dpts:xxxx:xxxx
DROP udp -- anywhere anywhere udp dpt:ftp-data
DROP udp -- anywhere anywhere udp dpt:ftp
ACCEPT udp -- anywhere anywhere udp dpt:domain
DROP tcp -- anywhere anywhere tcp dpt:dnp
DROP tcp -- anywhere anywhere tcp dpt:ndmp
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
DROP tcp -- anywhere anywhere tcp dpt:imaps
DROP tcp -- anywhere anywhere tcp dpt:imap
DROP tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
DROP tcp -- anywhere anywhere tcp dpt:ftp-data
DROP tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
DROP tcp -- anywhere anywhere tcp dpt:smtp
DROP tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain badasses (1 references)
target prot opt source destination
DROP all -- x.x.x.x anywhere
RETURN all -- anywhere anywhere
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-dovecot (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-dovecot-auth (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
ssh to your server and stop fail2ban
go to Webmin - Network - iptables - delete all records related to fail2ban - save - restart iptables (or do this over ssh, no difference)
ssh back to your server and check jail.local to see if you set everything correctly
start fail2ban
now use "iptables -L -n" and see if everything is ok
Don't save fail2ban rules in iptables because this is not how it is supposed to work. Fail2ban has its own settings, and after each server restart it will put back all the rules previously set, including already banned IPs.
Another thing: watch out how many IPs are saved with iptables (doesn't apply to fail2ban banned IPs) because it will slow down your websites, especially TTFB values. If you really need to permanently ban a lot of IPs, like whole country blocks, then you should use ipset (ipset.netfilter.org), but you can install it only on full virtualization like KVM or Xen HVM, so no OpenVZ or Xen PV.
- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
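The "see if everything is ok" step above, and the opening question about a chain that shows up in `iptables -L -n` with 0 references next to two SSH chains, both come down to reading the `iptables -L -n` listing carefully. The following is an added example (not code from this thread or from Webmin/fail2ban): a small parser for that listing that reports jail chains nothing jumps to, jails present under both the `fail2ban-` and `f2b-` naming schemes, the INPUT rules that hook jail chains, and the addresses currently banned inside them. The sample listing is constructed to mirror the one quoted in the thread, with placeholder port 2222 and documentation-range addresses; the chain names `f2b-SSH`, `fail2ban-SSH` and `f2b-webmin` are taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the `iptables -L -n` output quoted in the thread.
# Port 2222 and the 198.51.100.7 / 203.0.113.9 addresses are placeholders.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-SSH    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
fail2ban-SSH  tcp  --  0.0.0.0/0         0.0.0.0/0            tcp dpt:2222
badasses   all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain badasses (1 references)
target     prot opt source               destination
DROP       all  --  198.51.100.7         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-SSH (1 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.9          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-webmin (0 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)\)$")
# "fail2ban-<jail>" is the older chain naming, "f2b-<jail>" the newer one mentioned in the thread.
JAIL_PREFIXES = ("f2b-", "fail2ban-")


def parse_chains(text):
    """Return {chain: {"policy", "references", "rules"}} from `iptables -L -n` text.
    Each rule is a dict with target/prot/source/destination/extra (the match text)."""
    chains = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            current = chains[name] = {
                "policy": policy,
                "references": int(refs) if refs is not None else None,
                "rules": [],
            }
            continue
        if current is None or line.startswith("target"):
            continue  # column header line or text before the first chain
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        target, prot, _opt, src, dst = parts[:5]
        current["rules"].append({
            "target": target, "prot": prot, "source": src,
            "destination": dst, "extra": parts[5] if len(parts) == 6 else "",
        })
    return chains


def is_jail_chain(name):
    return name.startswith(JAIL_PREFIXES)


def unreferenced_jail_chains(chains):
    """Jail chains no rule jumps to: bans placed in them never match any traffic."""
    return sorted(n for n, c in chains.items() if is_jail_chain(n) and c["references"] == 0)


def duplicate_jail_chains(chains):
    """Jails that exist under both naming schemes (leftover from a rename/upgrade)."""
    by_jail = defaultdict(set)
    for n in chains:
        for p in JAIL_PREFIXES:
            if n.startswith(p):
                by_jail[n[len(p):]].add(n)
    return {j: sorted(v) for j, v in by_jail.items() if len(v) > 1}


def jail_hooks(chains, entry="INPUT"):
    """(jail chain, match text) for each rule in `entry` that jumps into a jail chain."""
    return [(r["target"], r["extra"]) for r in chains.get(entry, {}).get("rules", [])
            if is_jail_chain(r["target"])]


def banned_addresses(chains):
    """Source addresses currently DROPped or REJECTed inside jail chains."""
    return sorted(r["source"] for n, c in chains.items() if is_jail_chain(n)
                  for r in c["rules"] if r["target"] in ("DROP", "REJECT"))


if __name__ == "__main__":
    chains = parse_chains(SAMPLE)
    print("unreferenced jail chains:", unreferenced_jail_chains(chains))
    print("duplicate jail chains:", duplicate_jail_chains(chains))
    print("INPUT hooks:", jail_hooks(chains))
    print("banned:", banned_addresses(chains))
```

On a live box, feed it `subprocess.run(["iptables", "-L", "-n"], capture_output=True, text=True).stdout` instead of `SAMPLE`. A jail chain with 0 references is exactly the "I can see it at the bottom but not at the top" symptom: the chain exists, but nothing in INPUT sends packets through it, so the jail is effectively not protecting anything until fail2ban re-creates its hook rule.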
Thanks for your help. Someone else had set this up for me, but at least I now know how to do it in the future.
So here's the output of
iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-dovecot-auth tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 110,995,143,993,587,465,4190
f2b-dovecot tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 110,995,143,993,587,465,4190
f2b-sasl tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
f2b-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:xxxx
badasses all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:xxxx:xxxx
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:20
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:21
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20000
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain badasses (1 references)
target prot opt source destination
DROP all -- x.x.x.x 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-dovecot (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-dovecot-auth (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-sasl (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-webmin (0 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
I had a couple of follow up questions:
(1) I've activated postfix-tcpwrapper but I can't seem to see it in the output. Should it be there?
(2) I can see f2b-webmin at the bottom, but I can't see it at the top of the output. Should it be there?
(3) Within /etc/fail2ban I can also see a file called jail.conf.rpmnew. I think this relates to version 9 of fail2ban. Do I need to do anything? Does it overwrite jail.conf?
Thanks again
Yes, but I think the new version doesn't come with postfix-tcpwrapper, and I think everything is handled with postfix.
Yes, but in the new version it is named "f2b-webmin-auth".
The file ****.rpmnew means you updated some software but you had changed the old files, so to not break everything the update will mark all those (new) files as ****.rpmnew. First, you should never use jail.conf but rather jail.local. There is a lot of information on Google; just look around. For fail2ban you need to use the new file versions, and not doing this could relate to your problems. Check inside the other folders in fail2ban, and if there are more ****.rpmnew files, you should use those.
Answers in 1 and 2 are based on CentOS 7, e.g. the OS I'm using, so I'm not sure if others have this different, but I think it should be the same.
- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
Thanks again.
Amazingly I paid someone to help me set up fail2ban but of course you are right, all modifications should go into jail.local. I can now see why the file jail.conf.rpmnew was created.
Should I therefore delete / rename the existing jail.conf file and rename jail.conf.rpmnew into jail.conf so that fail2ban correctly picks it up?
Thanks
Don't delete any old file for now; just rename it to *.old or make a local copy and then delete. Once you have checked everything, then you can delete the old files.
- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
Hi,
I renamed the jail.conf file to jail.conf.old and jail.conf.rpmnew to jail.conf. I had to rename some of the active jails to take account of version 0.9 naming but I restarted fail2ban and I did not see any error messages so I presume it works.
Just to make 100% sure that I've set it up correctly:
In my jail.local, I did not define the port and logpath. So for instance, the default options for sshd are:
port = ssh
logpath = %(sshd_log)s
If I moved the ssh port to another non-standard port, do I need to set it manually or will it pick it up automatically from sshd_config?
Similarly, do I need to tell it that my /var/log/postfix.log is actually located in /var/log/maillog? Backend is set to "auto" and I have not changed that in my .local file.
Thanks
Fail2ban after version 0.9 comes with all jails deactivated by default, so in jail.local just activate the ones you want/need. I would suggest copying everything from jail.conf up to the first jail rule into jail.local, making changes based on what you need, and then proceeding with activating the wanted jails (in jail.local).
I would suggest changing "%(sshd_log)s" to the standard path, as I noticed some jails have a little problem checking the log files. In theory it should work, but there is nothing wrong with using the full path to log files, for example:
[sshd]
enabled = true
port = ssh
logpath = /var/log/secure
Fail2ban will read the log files, so for example whatever port you are using for SSH doesn't matter if the log file is working.
Check this topic http://www.virtualmin.com/node/38305.
- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
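The questions in the last two posts (what `%(sshd_log)s` expands to, whether jail.local overrides jail.conf, and what happens when a jail's logpath does not exist) can be worked through offline. The block below is an added example, not fail2ban's own loader and not code from anyone in this thread: it layers constructed `paths`, `jail.conf` and `jail.local` texts with Python's configparser, whose `%(name)s` interpolation is the syntax fail2ban's configuration uses (fail2ban's real loader adds `[INCLUDES]`/`before` handling and ships its own paths-*.conf files, which are not reproduced here). The file contents, the `2222` port and the `exists` predicate are assumptions made for the demonstration. Note that `port` is not about reading logs: it ends up as the `dpt:` match in the INPUT jump rule shown in the listings above, so it decides which ports a banned address is actually blocked on.

```python
import configparser
import io
import os

# Constructed stand-in for fail2ban's paths-*.conf: path variables live in [DEFAULT]
# so every jail section can reference them with %(name)s.
PATHS_CONF = """\
[DEFAULT]
syslog_authpriv = /var/log/secure
syslog_mail = /var/log/maillog
sshd_log = %(syslog_authpriv)s
postfix_log = %(syslog_mail)s
mysql_log = /var/log/mysqld.log
"""

# Constructed jail.conf excerpt: jails disabled by default, logpaths via variables.
JAIL_CONF = """\
[DEFAULT]
enabled = false
backend = auto
bantime = 600

[sshd]
port = ssh
logpath = %(sshd_log)s

[postfix]
port = smtp,submission
logpath = %(postfix_log)s

[mysqld-auth]
port = 3306
logpath = %(mysql_log)s
"""

# Constructed jail.local: only overrides, enabling the jails that are wanted.
# Port 2222 is a placeholder for a non-standard sshd port.
JAIL_LOCAL = """\
[DEFAULT]
bantime = 3600

[sshd]
enabled = true
port = 2222

[mysqld-auth]
enabled = true
logpath = /var/log/mysqld.log
"""


def load_jails(*sources):
    """Layer config texts in order (later ones override earlier ones) and keep
    %(name)s interpolation, so values resolve across [DEFAULT] and each jail."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for text in sources:
        cp.read_file(io.StringIO(text))
    return cp


def enabled_jails(cp):
    """Jail sections whose effective `enabled` is true after all overrides."""
    return [s for s in cp.sections() if cp.getboolean(s, "enabled", fallback=False)]


def resolved_logpaths(cp):
    """{jail: logpath with every %(...)s expanded} for the enabled jails."""
    return {j: cp.get(j, "logpath") for j in enabled_jails(cp)}


def jail_ports(cp):
    """{jail: port spec} for enabled jails; this is what the INPUT jump rule matches on."""
    return {j: cp.get(j, "port") for j in enabled_jails(cp)}


def missing_logs(cp, exists=os.path.exists):
    """Enabled jails whose resolved logpath the `exists` predicate rejects; fail2ban
    will not start such a jail, which is the 'complained about' case in the thread."""
    return sorted(j for j, p in resolved_logpaths(cp).items() if not exists(p))


if __name__ == "__main__":
    cp = load_jails(PATHS_CONF, JAIL_CONF, JAIL_LOCAL)
    print("enabled:", enabled_jails(cp))
    print("logpaths:", resolved_logpaths(cp))
    print("ports:", jail_ports(cp))
    print("missing logs on this host:", missing_logs(cp))
```

Running it on a real host, replace the three constants with the contents of the real files under /etc/fail2ban (paths file first, then jail.conf, then jail.local) and leave `missing_logs` with its default predicate; it then lists which enabled jails point at a log that is not there before fail2ban is restarted.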
Thanks, all good.
Having checked, it adds the logs correctly, e.g.
Added logfile = /var/log/secure
Added logfile = /var/log/maillog
Added logfile = /var/log/httpd/error_log
Added logfile = /var/log/httpd/ssl_error_log
The only one it complained about was
[mysqld-auth]
but after changing
logpath = %(mysql_log)s
to
logpath = /var/log/mysqld.log
it worked. Thanks for all your help - appreciated.