Fail2ban bug or annoyance or feature?

powerontech

powerontech

Guru
Joined
Feb 18, 2008
Messages
98
Reaction score
0
Recently got up to speed on fail2ban and iptables. Seems like a simple and effective solution to the script kiddies.

If you have the asterisk-iptables or even just the ssh-iptables enabled (for example) it writes those rules (user defined chain) to iptables in memory on boot up. So far so good. Now if you save your iptables in the default way "service iptables save" or "iptables-save > /etc/sysconfig/iptables" it writes the current config to the default file including the fail2ban added rules.

Now if you reboot you get the same rules written to iptables in memory twice. Doing an 'iptables -L' confirms this.

Is that how it is supposed to work or do I not understand something?

Seems to me this is a bug. Shouldn't there be a check in /etc/fail2ban/action.d/iptables.conf to check for duplicate fail2ban entries before adding the fail2ban entries into iptables again? I see that it does remove the entries if you do a stop action on fail2ban but you would need to do that before you save iptables to a file which is just one more thing to be aware of.

If we are expected to understand this that is fine. Just seems a bit crude IMHO and an easy mistake to make. Especially at 4am on 10cups of coffee :ack2:.
 
By default, fail2ban blocks are imposed for 90 minutes and then removed. You shouldn't have to touch IPtables for this to work transparently. Once you start "improving" fail2ban and iptables, then you're (on your own by) designing a different security model than the one we've implemented.
 
Any chance of making that 90 minutes user-configurable? That seems a bit too short to be truly effective security.
 
wardmundy said:
By default, fail2ban blocks are imposed for 90 minutes and then removed. You shouldn't have to touch IPtables for this to work transparently. Once you start "improving" fail2ban and iptables, then you're (on your own by) designing a different security model than the one we've implemented.
Click to expand...

I don't think you understand what I am trying to say. I am implementing fail2ban 100% the way it is supposed to be implemented. I do not deviate at all.

However, it conflicts with the iptables configuration if iptables are saved while fail2ban is running.

Are we talking about the same piece of software? Is fail2ban a pbxinaflash/nerdvittles thing or did you make your own customized version or something?

I am talking about this:
http://www.fail2ban.org/wiki/index.php/Main_Page

Implimented like this:
http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
 
fail2ban and iptables are both open source projects. We've implemented both of them. Our design is not intended to support saving iptables on the fly. You need to modify the iptables config file (/etc/sysconfig/iptables) and insert the rules you need. Then restart iptables. Otherwise, you'll break the relationship between the two applications as we have implemented them.

P.S. This recommendation is made on the assumption that you know exactly what you're doing and are willing to take full responsibility for the future security of your system. We've built what we believe is a very secure system. But, of course, we provide the same fine warranties as Microsoft and Apple, i.e. NONE.
 
I never said anything about security or anything like that. Not sure why you seem to be getting all defensive.

I think I have my answer so I'm off to figure out the script changes needed:beatdeadhorse5: myself.
 
Hi

I'm more familiar with Ossec that Fail2Ban, but operation and overall effect is similar, just executed in a slightly different way.

So to paraphrase your problem, what you are saying is that if you make make a change to the firewall, and there happen to be some fail2ban produced iptables in place, then you do iptables save, as the fail2ban produced are in already memory, but not saved permanently, the save makes those rules permanent?

Is this statement correct.

Joe
 
jroper said:
Hi

I'm more familiar with Ossec that Fail2Ban, but operation and overall effect is similar, just executed in a slightly different way.

So to paraphrase your problem, what you are saying is that if you make make a change to the firewall, and there happen to be some fail2ban produced iptables in place, then you do iptables save, as the fail2ban produced are in already memory, but not saved permanently, the save makes those rules permanent?

Is this statement correct.

Joe
Click to expand...

More or less. Right now the right hand does not know or care what the left hand is doing and visa versa.

So Iptables does it's thing and Fail2ban does it's thing but without mutual awareness there is a potential for problems.

I am looking into it how I can add a few lines to the fail2ban start script to check for existing entries before adding duplicates. I think that would do the trick.
 
You must log in or register to reply here.

Members online

Total: 36 (members: 2, guests: 34)

Latest Posts

Forum statistics

Threads
26,688
Messages
174,412
Members
20,257
Latest member
Dempan
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.
Verify your Email

Check your inbox!

We’ve sent you an email. Click on the button in the email body to verify your email address – (if you can not find it, check your spam folder).

Upon verification you will be directed to the 3CX setup wizard.

Back
Top