nuke
Hello all.
I've had some issues with getting attack detector to work but today I made some changes that finally got the postfix-sasl going and banning problem IPs. I'm not sure if the cyrus-imap and openvpn jails are working correctly as it hasn't blocked anything yet.

Getting this running properly leads me to doing something about the https messages in the daily logwatch email.

Everyday I get "A total of "x" sites probed the server". Some days it is quite a list.

I am running two very basic brochure websites using the built-in webserver.

I'm trying to figure out how to set up the jails for this. The examples I've found don't look similar to our jail.conf or "clear" specific jails.

Question:
1) Where are these https probed the server messages found in the logs? Are they httpd/error_log , httpd/site1_com_error_log , httpd/site2_com_error_log ?

A couple of questions on the following example from the web.
2) The action below doesn't look anything like our jails. Is the "action = iptables-multiport[name=auth, port="http,https"]" valid?

3) If we have multiple sites and multiple error_log to search, can they be added in the logpath line or are jails required for each website?

4) When our logs rotate, are the fail2ban IPs automatically cleared?

5) I can't find the banned IPs when I use "iptables -n -L". The banaction is "banaction = iptables-ipset-proto6[name=postfix-sasl]". Where are the blocked IP addresses shown?
"fail2ban-client status postfix-sasl" shows 6 IPs blocked.

Thanks in advance.

Static IP address for the sample web address (192.0.2.0) in this example:

# detect password authentication failures
[apache]
enabled = true
filter = apache-auth
action = iptables-multiport[name=auth, port="http,https"]
logpath = /var/log/httpd/fail2ban_log
bantime = 3600
maxretry = 3
ignoreip = 192.0.2.0

# detect spammer robots crawling email addresses
[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=badbots, port="http,https"]
logpath = /var/log/httpd/fail2ban_log
bantime = 3600
maxretry = 1
ignoreip = 192.0.2.0

# detect potential search for exploits
[apache-noscript]
enabled = true
filter = apache-noscript
action = iptables-multiport[name=noscript, port="http,https"]
logpath = /var/log/httpd/fail2ban_log
bantime = 3600
maxretry = 6
ignoreip = 192.0.2.0

# detect Apache overflow attempts
[apache-overflows]
enabled = true
filter = apache-overflows
action = iptables-multiport[name=overflows, port="http,https"]
logpath = /var/log/httpd/fail2ban_log
bantime = 3600
maxretry = 2
ignoreip = 192.0.2.0
Saturday, March 21 2020, 08:02 PM
Responses (5)
  • Accepted Answer

    Monday, June 27 2022, 09:39 AM
    F2b comes with a whole stack of pre-defined jails. Have a look in /etc/fail2ban/jail.conf. If you want to enable any, it is best to either do it in /etc/fail2ban/jail.local or in a file in /etc/fail2ban/jail.d. Any values specified in those files would override anything in /etc/fail2ban/jail.conf. At a minimum you just need to override the `enabled = false` for the jail. F2b can be hard to understand as it is massively hierarchical, so in this case it is a global setting (false) but it can also be set at the individual jail level. Values in .local files override values in .conf files, and good luck to you trying to work out some of the log paths!

    I have very few home-made jails. I have one for banning entire /24 subnets for qq.com, dynamic.163.data.com and mari-el.ru.com as I was getting a huge amount of spam from dynamic IPs belonging to these ISPs. I think it has stopped or quietened down but I keep the jail going.

    I have one which immediately bans any IP trying to use me as a mail relay as all my valid relaying is authenticated on port 587.

    I have two which use the same filters picking up people who continually connect to the mail server then disappear leaving "lost connection from ...." messages in the logs. One is for slow chipping away and one is for faster bursts of data but they massively overlap.

    I have a home made one for apache which picks up on 400/404/405 responses which are people probing for invalid paths, but it is aggressive and kills you if you make a typo in the path.

    Otherwise I use the built-in jails.

    There is no way I've seen of protecting the webconfig as it is. This is because there is no webconfig logging of authentication failures which shows the IP of the host.
  • Accepted Answer

    Sunday, June 26 2022, 06:43 AM
    Nick Howitt wrote:
    I suspect we have the same source for our openvpn filters, but I've tweaked mine differently,

    Indeed. The source is the same ;)
    Thanks for sharing your tweaks.

    Do you have more filters which you can share?
    I saw in the screenshot, for example, Apache and postfix filters :)
    Is there a filter for the ClearOS Webconfig?
  • Accepted Answer

    Saturday, June 25 2022, 06:09 PM
    I suspect we have the same source for our openvpn filters, but I've tweaked mine differently,

    /etc/fail2ban/jail.d/clearos-openvpn.conf:
    # Fail2Ban configuration for OpenVPN from https://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_with_OpenVPN

    [openvpn]
    enabled = true
    port = 1194
    protocol = udp
    filter = openvpn
    logpath = /var/log/openvpn
    maxretry = 3
    bantime = 86400
    findtime = 86400


    /etc/fail2ban/filter.d/openvpn.local:
    # Fail2Ban filter for selected OpenVPN rejections
    # Based on https://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_with_OpenVPN
    # Modified by NJH to use messages log format which has the date twice.

    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf

    [Definition]

    # Example messages (other matched messages not seen in the testing server's logs):
    # Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
    # Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

    _daemon = openvpn

    failregex = ^%(__prefix_line)sTLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
                ^%(__prefix_line)s<HOST>:\d+ Connection reset, restarting
                ^%(__prefix_line)s<HOST>:\d+ TLS Auth Error
                ^%(__prefix_line)s<HOST>:\d+ TLS Error: TLS handshake failed$
                ^%(__prefix_line)s<HOST>:\d+ VERIFY ERROR

    ignoreregex =
  • Accepted Answer

    Saturday, June 25 2022, 01:26 PM
    Hi Nick,

    I see some interesting F2B configs.
    Are you willing to share those files/setups?

    Maybe useful for others:

    clearos-kopano-webapp.conf
    # Fail2Ban configuration fragment for Kopano Webapp

    [kopano-webapp]
    enabled = true
    port = https
    filter = kopano-webapp-auth
    logpath = %(apache_error_log)s
    maxretry = 2
    bantime = 432000
    findtime = 14400


    kopano-webapp-auth.conf
    # FILE : /etc/fail2ban/filter.d/kopano-webapp-login.conf
    # Fail2Ban configuration file
    [INCLUDES]
    before = apache-common.conf

    [Definition]
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    # host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values: TEXT
    #

    failregex = ^%(_apache_error_client)s Kopano WebApp user: .+?(?=:): authentication failure at MAPI

    ignoreregex =


    clearos-openvpn.conf
    # Fail2Ban configuration fragment for OpenVPN

    [openvpn]
    enabled = true
    port = 1194
    protocol = udp
    filter = openvpn
    logpath = /var/log/openvpn
    maxretry = 3
    bantime = 432000
    findtime = 14400


    openvpn.conf

    # Fail2Ban filter for selected OpenVPN rejections
    #
    #

    [Definition]

    # Example messages (other matched messages not seen in the testing server's logs):
    # Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
    # Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

    failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
                ^ <HOST>:\d+ Connection reset, restarting
                ^ <HOST>:\d+ TLS Auth Error
                ^ <HOST>:\d+ TLS Error: TLS handshake failed$
                ^ <HOST>:\d+ VERIFY ERROR

    ignoreregex =
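The two OpenVPN filter variants posted above (the `/var/log/openvpn` one in the reply of June 25, 01:26 PM, and NJH's `/var/log/messages` one of 06:09 PM) are easiest to judge by running them over real lines, which on the box itself is what `fail2ban-regex` is for. The block below is an added example, not code from the thread or from fail2ban: it re-implements just enough of fail2ban to dry-run both regex sets offline. Assumptions: `<HOST>` is narrowed to IPv4 (fail2ban's tag also takes IPv6 and hostnames); `PREFIX_LINE` is a cut-down stand-in for common.conf's `%(__prefix_line)s` that only covers the `hostname openvpn[pid]: ` prefix syslog adds; the sample lines are constructed and are given as fail2ban's date detector leaves them, with the leading timestamp already removed (for the `/var/log/openvpn` format that leaves a single leading space, which is why those regexes start with `^ `); the constructed syslog lines omit OpenVPN's own inner timestamp, so the "date twice" case NJH mentions is not exercised here; timestamps are plain seconds so `findtime` can be shown.

```python
"""Dry-run the two OpenVPN failregex sets from the thread over constructed lines.

Added example, not part of the thread and not fail2ban's own code: enough of
fail2ban (the <HOST> tag, a cut-down %(__prefix_line)s, maxretry/findtime
counting) to show which lines each variant matches and which peers get banned.
"""
import re
from collections import defaultdict

# Assumption: IPv4 only. fail2ban's <HOST> also accepts IPv6 and hostnames.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Assumption: cut-down stand-in for common.conf's %(__prefix_line)s, covering
# only the "hostname openvpn[pid]: " prefix syslog writes to /var/log/messages.
PREFIX_LINE = r"(?:\S+\s+)?(?:openvpn(?:\[\d+\])?:\s+)?"

# Variant 1: /var/log/openvpn (reply of June 25, 01:26 PM). Once the date detector
# has removed "Fri Sep 23 11:55:36 2016" one space is left, matched by "^ ".
OPENVPN_LOG_FAILREGEX = [
    r"^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$",
    r"^ <HOST>:\d+ Connection reset, restarting",
    r"^ <HOST>:\d+ TLS Auth Error",
    r"^ <HOST>:\d+ TLS Error: TLS handshake failed$",
    r"^ <HOST>:\d+ VERIFY ERROR",
]

# Variant 2: /var/log/messages (NJH's openvpn.local, reply of June 25, 06:09 PM).
MESSAGES_FAILREGEX = [
    r"^%(__prefix_line)sTLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$",
    r"^%(__prefix_line)s<HOST>:\d+ Connection reset, restarting",
    r"^%(__prefix_line)s<HOST>:\d+ TLS Auth Error",
    r"^%(__prefix_line)s<HOST>:\d+ TLS Error: TLS handshake failed$",
    r"^%(__prefix_line)s<HOST>:\d+ VERIFY ERROR",
]

# Constructed input: (seconds, line as left after date stripping). The same
# events are replayed in both formats; 192.0.2.44 is a good peer and must not match.
OPENVPN_LOG_LINES = [
    (100,  " TLS Error: incoming packet authentication failed from [AF_INET]203.0.113.7:51223"),
    (130,  " 203.0.113.7:51223 TLS Error: TLS handshake failed"),
    (160,  " 203.0.113.7:51224 TLS Error: TLS handshake failed"),
    (170,  " 198.51.100.9:40001 Connection reset, restarting [0]"),
    (180,  " [client] Peer Connection Initiated with [AF_INET]192.0.2.44:1194"),
    (9000, " 198.51.100.9:40002 VERIFY ERROR: depth=0, error=certificate has expired"),
]
# Syslog form of the same lines (OpenVPN's own inner timestamp omitted, see lead-in).
MESSAGES_LINES = [(t, "gateway openvpn[2211]:" + line) for t, line in OPENVPN_LOG_LINES]


def compile_failregex(patterns):
    """Expand the fail2ban tags the way the filter loader does, then compile."""
    return [re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST))
            for p in patterns]


def match_hosts(regexes, timed_lines):
    """Host extracted from each line (None when no failregex matches); first match wins."""
    result = []
    for _, line in timed_lines:
        host = None
        for rx in regexes:
            m = rx.search(line)
            if m:
                host = m.group("host")
                break
        result.append(host)
    return result


def banned_hosts(regexes, timed_lines, maxretry=3, findtime=86400):
    """Hosts that reach maxretry matches inside a findtime window, as the jail counts them."""
    recent = defaultdict(list)
    banned = set()
    for (ts, _), host in zip(timed_lines, match_hosts(regexes, timed_lines)):
        if host is None:
            continue
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for name, patterns, lines in (("/var/log/openvpn", OPENVPN_LOG_FAILREGEX, OPENVPN_LOG_LINES),
                                  ("/var/log/messages", MESSAGES_FAILREGEX, MESSAGES_LINES)):
        compiled = compile_failregex(patterns)
        print(name, match_hosts(compiled, lines), banned_hosts(compiled, lines))
```

Running the `/var/log/openvpn` regexes against the syslog-format lines bans nobody, which is exactly why the `^ ` anchors had to become `^%(__prefix_line)s` for a jail that reads `/var/log/messages`. Lowering `findtime` from the 86400 in NJH's jail to 3600 also shows the second effect of that knob: the peer whose two hits are 8830 seconds apart no longer reaches `maxretry`.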
  • Accepted Answer

    Sunday, March 22 2020, 12:03 PM
    You have big couples!
    1 - in the access_logs and error_logs, the site ones and the ssl ones as well, but I think the jails look at all of them
    2 - Your listing looks old. Have a look in /etc/fail2ban/jail.conf. Also, if you have a /etc/fail2ban/jail.conf.rpmnew, please delete /etc/fail2ban/jail.conf and rename /etc/fail2ban/jail.conf.rpmnew to /etc/fail2ban/jail.conf, but you will lose any manual changes you may have made. With the new jail.conf, you will use the default banaction which is specified in jail.local.
    3 - No. Look at the definition of apache_error_log in /etc/fail2ban/paths-fedora.conf
    4 - No. F2b also looks at the rotated logs. IPs are cleared when the bantime is reached.
    5 - Look at the app documentation.

    If you want to enable a jail add a section to /etc/fail2ban/jail.local e.g:
    [apache]
    enabled = true
    Settings in /etc/fail2ban/jail.local override settings in /etc/fail2ban/jail.conf. Or, if you want it to appear in the webconfig, add a configlet to /etc/fail2ban/jail.d. I think the name has to be clearos-something.conf. Unfortunately they won't get a description unless you hack app-base. See my example attached.
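The answers above turn on two things that are easy to get wrong by reading the files in isolation: the order in which fail2ban layers jail.conf, jail.d and jail.local (so a single `enabled = true` in a configlet beats the global `enabled = false`), and the fact that `logpath = %(apache_error_log)s` is a glob taken from paths-fedora.conf (`/var/log/httpd/*error_log`), so one jail already watches `error_log`, `site1_com_error_log` and `site2_com_error_log` without a jail per site. The block below is an added example, not code from the thread or from fail2ban itself: it uses Python's configparser to reproduce fail2ban's read order (jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local, later files winning) against a constructed, much smaller stand-in for /etc/fail2ban written to a temporary directory. The apache log directory is relocated into that directory too so the glob can be exercised; paths-fedora.conf is loaded first here as a simplification of the `[INCLUDES] before =` mechanism, and the jail.local contents are a constructed stand-in for the distribution default banaction the answer refers to.

```python
"""Resolve one jail the way fail2ban layers jail.conf, jail.d and jail.local.

Added example, not code from the thread or from fail2ban: configparser reproduces
fail2ban's read order for the jail configuration and the %(apache_error_log)s
expansion that paths-fedora.conf provides. All files are constructed stand-ins.
"""
import configparser
import glob
import os
import tempfile


def load_jail_config(confdir, stock_only=False):
    """Read the jail configuration in fail2ban's order (later files override)."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    # jail.conf pulls paths-fedora.conf in through [INCLUDES] before=; loading it
    # first here is a simplification that yields the same [DEFAULT] values.
    files = [os.path.join(confdir, "paths-fedora.conf"),
             os.path.join(confdir, "jail.conf")]
    if not stock_only:
        files += sorted(glob.glob(os.path.join(confdir, "jail.d", "*.conf")))
        files.append(os.path.join(confdir, "jail.local"))
        files += sorted(glob.glob(os.path.join(confdir, "jail.d", "*.local")))
    cp.read(files)  # files that do not exist are skipped, as fail2ban does
    return cp


def effective_jail(cp, jail):
    """The values the jail actually runs with, after every override is applied."""
    logpath = cp.get(jail, "logpath")
    return {
        "enabled": cp.getboolean(jail, "enabled"),
        "maxretry": cp.getint(jail, "maxretry"),
        "banaction": cp.get(jail, "banaction"),
        "logpath": logpath,
        # fail2ban globs logpath, so one jail can watch every matching error log
        "logfiles": sorted(os.path.basename(p) for p in glob.glob(logpath)),
    }


def _write(root, rel, text):
    with open(os.path.join(root, rel), "w") as fh:
        fh.write(text.lstrip())


def build_demo_tree(root):
    """Constructed /etc/fail2ban stand-in; the real files carry many more jails."""
    logdir = os.path.join(root, "var", "log", "httpd")
    os.makedirs(os.path.join(root, "jail.d"))
    os.makedirs(logdir)
    for name in ("error_log", "site1_com_error_log", "site2_com_error_log", "access_log"):
        open(os.path.join(logdir, name), "w").close()
    # paths-fedora.conf: the stock apache_log_path is /var/log/httpd, relocated here
    _write(root, "paths-fedora.conf", f"""
[DEFAULT]
apache_log_path = {logdir}
apache_error_log = %(apache_log_path)s/*error_log
""")
    # jail.conf: shipped defaults, every jail disabled at the global level
    _write(root, "jail.conf", """
[INCLUDES]
before = paths-fedora.conf

[DEFAULT]
enabled = false
banaction = iptables-multiport
maxretry = 5

[apache-auth]
port = http,https
logpath = %(apache_error_log)s
""")
    # jail.local: constructed stand-in for the distribution-level default banaction
    _write(root, "jail.local", """
[DEFAULT]
banaction = iptables-ipset-proto6
""")
    # jail.d/clearos-*.conf: the configlet that switches one jail on
    _write(root, os.path.join("jail.d", "clearos-apache-auth.conf"), """
[apache-auth]
enabled = true
maxretry = 3
""")


def demo(jail="apache-auth"):
    """Return (jail.conf-only view, fully layered view) of one jail."""
    with tempfile.TemporaryDirectory(prefix="f2b-demo-") as root:
        build_demo_tree(root)
        stock = effective_jail(load_jail_config(root, stock_only=True), jail)
        layered = effective_jail(load_jail_config(root), jail)
    return stock, layered


if __name__ == "__main__":
    for label, view in zip(("jail.conf only", "with jail.d and jail.local"), demo()):
        print(label, view)
```

On the box itself, `fail2ban-client get apache-auth logpath` reports the expanded file list the daemon is actually tailing. For question 5: with the ipset-based banaction, `iptables -n -L` only shows the one rule that references the set, not the addresses; the banned entries live in the set the action creates, named `f2b-<jail name>`, and are listed with `ipset list f2b-postfix-sasl`.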