

Fail2ban and Firewalld

The initial objective is to ban the fraudulent brute-force login attempts against WordPress.

Unfortunately, installing the fail2ban and fail2ban-firewalld packages does not work out of the box.

Install

yum install fail2ban fail2ban-firewalld
fail2ban-0.11.2-1.el8.noarch
fail2ban-firewalld-0.11.2-1.el8.noarch

Operational result

When it works, the fail2ban log should show the "match" of our rule, followed by a Ban once maxretry is reached:

[root@wmu fail2ban]# tail -f /var/log/fail2ban.log 
2022-06-26 20:30:46,881 fail2ban.actions        [503794]: NOTICE  [wordpress] Ban 139.59.109.241
2022-06-26 20:31:12,698 fail2ban.filter         [503794]: INFO    [wordpress] Found 34.68.4.41 - 2022-06-26 20:31:12
2022-06-26 20:31:13,300 fail2ban.filter         [503794]: INFO    [wordpress] Found 34.68.4.41 - 2022-06-26 20:31:13
2022-06-26 20:31:13,451 fail2ban.actions        [503794]: NOTICE  [wordpress] Ban 34.68.4.41
2022-06-26 20:31:31,007 fail2ban.actions        [503794]: NOTICE  [wordpress] Unban 188.164.193.182
2022-06-26 20:31:33,333 fail2ban.filter         [503794]: INFO    [wordpress] Found 159.89.132.193 - 2022-06-26 20:31:32
2022-06-26 20:31:33,338 fail2ban.actions        [503794]: NOTICE  [wordpress] Unban 206.81.3.84
2022-06-26 20:31:34,138 fail2ban.filter         [503794]: INFO    [wordpress] Found 159.89.132.193 - 2022-06-26 20:31:33
2022-06-26 20:31:34,294 fail2ban.actions        [503794]: NOTICE  [wordpress] Ban 159.89.132.193

and this shows up as a corresponding rule in the firewall:

[root@wmut2 fail2ban]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="188.164.193.182" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="174.138.27.203" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="85.25.211.247" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="157.159.0.0/17" service name="ssh" log prefix="ssh157/17" accept
rule family="ipv4" source address="139.59.109.241" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="34.68.4.41" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="206.81.3.84" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="157.159.10.0/24" service name="snmp" log prefix="snmp10" accept

Errors, failures

After two initial fixes (switching to an action of type firewallcmd-rich-rules, and replacing ":" with "-" in the multiport specification), adding the rule still fails:

[root@wmu ~]# fail2ban-client -d | grep 'wordpres'
['add', 'wordpress', 'auto']
['set', 'wordpress', 'usedns', 'warn']
['multi-set', 'wordpress', 'addfailregex', ['^<HOST> .* "POST .*wp-login.php', '^<HOST> .* "POST .*xmlrpc.php']]
['set', 'wordpress', 'maxretry', 12]
['set', 'wordpress', 'maxmatches', 12]
['set', 'wordpress', 'findtime', '120']
['set', 'wordpress', 'bantime', '120']
['set', 'wordpress', 'ignorecommand', '']
['set', 'wordpress', 'logencoding', 'auto']
['set', 'wordpress', 'addlogpath', '/var/log/httpd/ssl_access_log', 'head']
['set', 'wordpress', 'addaction', 'firewallcmd-rich-rules']
['multi-set', 'wordpress', 'action', 'firewallcmd-rich-rules', [['actionstart', ''], ['actionstop', ''], ['actioncheck', ''], ['actionban', 'ports="$(echo \'1-65535\' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family=\'<family>\' source address=\'<ip>\' port port=\'$p\' protocol=\'tcp\' reject type=\'<rejecttype>\'"; done'], ['actionunban', 'ports="$(echo \'1-65535\' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family=\'<family>\' source address=\'<ip>\' port port=\'$p\' protocol=\'tcp\' reject type=\'<rejecttype>\'"; done'], ['name', 'wordpress'], ['actname', 'firewallcmd-rich-rules'], ['port', '1-65535'], ['protocol', 'tcp'], ['family', 'ipv4'], ['chain', 'INPUT_direct'], ['zone', 'public'], ['service', 'ssh'], ['rejecttype', 'icmp-port-unreachable'], ['blocktype', 'REJECT --reject-with <rejecttype>'], ['rich-blocktype', "reject type='<rejecttype>'"], ['family?family=inet6', 'ipv6'], ['rejecttype?family=inet6', 'icmp6-port-unreachable']]]
['start', 'wordpress']
2022-06-26 19:44:24,776 fail2ban.actions        [501990]: NOTICE  [wordpress] Ban 165.232.177.194
2022-06-26 19:44:24,847 fail2ban.utils          [501990]: ERROR   7ff7ae172030 -- exec: nft add table inet f2b-table
nft -- add chain inet f2b-table f2b-chain \{ type filter hook input priority -1 \; \}
nft add set inet f2b-table addr-set-wordpress \{ type ipv4_addr\; \}

nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp \} ip saddr @addr-set-wordpress reject

2022-06-26 19:44:24,848 fail2ban.utils          [501990]: ERROR   7ff7ae172030 -- stderr: 'Error: Could not process rule: Numerical result out of range'
2022-06-26 19:44:24,848 fail2ban.utils          [501990]: ERROR   7ff7ae172030 -- stderr: 'add set inet f2b-table addr-set-wordpress { type ipv4_addr; }'
2022-06-26 19:44:24,848 fail2ban.utils          [501990]: ERROR   7ff7ae172030 -- stderr: '^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^'
2022-06-26 19:44:24,848 fail2ban.utils          [501990]: ERROR   7ff7ae172030 -- stderr: 'Error: No such file or directory'
2022-06-26 19:44:24,848 fail2ban.utils          [501990]: ERROR   7ff7ae172030 -- stderr: 'add rule inet f2b-table f2b-chain meta l4proto { tcp } ip saddr @addr-set-wordpress reject'
2022-06-26 19:44:24,848 fail2ban.utils          [501990]: ERROR   7ff7ae172030 -- stderr: '                                                                ^^^^^^^^^^^^^^^^^^^'
2022-06-26 19:44:24,848 fail2ban.utils          [501990]: ERROR   7ff7ae172030 -- returned 1
2022-06-26 19:44:24,848 fail2ban.actions        [501990]: ERROR   Failed to execute ban jail 'wordpress' action 'nftables-allports' info 'ActionInfo({'ip': '165.232.177.194', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7ff7aca6fe18>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7ff7aca70510>})': Error starting action Jail('wordpress')/nftables-allports: 'Script error'
2022-06-26 19:44:33,372 fail2ban.filter         [501990]: WARNING [wordpress] Simulate NOW in operation since found time has too large deviation 1656265398 ~ 1656265473.3721204 +/- 60
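The filter side and the firewalld action side together, as an added Python example that is not part of this page: it applies the jail's two failregex with maxretry 12 and findtime 120 to a constructed access-log excerpt, to show which client produces the "Found ... Ban" sequence seen in the operational log above, and then builds the rich rules the actionban loop emits once ":" has been rewritten to "-". The log lines, the TEST-NET addresses and the function names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Jail settings exactly as dumped by `fail2ban-client -d` on this page
FAILREGEX = ['^<HOST> .* "POST .*wp-login.php', '^<HOST> .* "POST .*xmlrpc.php']
MAXRETRY, FINDTIME = 12, 120          # matches / seconds
# Action settings: fail2ban spells the range "1:65535", firewalld rich rules need "1-65535"
PORT, FAMILY, REJECTTYPE = "1:65535", "ipv4", "icmp-port-unreachable"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"   # stand-in for fail2ban's <HOST>, IPv4 only here
PATTERNS = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]
APACHE_TIME = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})")

def match_line(line):
    """Return (ip, timestamp) when an access-log line hits one of the failregex, else None."""
    t = APACHE_TIME.search(line)
    for pat in PATTERNS:
        m = pat.search(line)
        if m and t:
            return m.group("host"), datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")
    return None

def bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Per-IP sliding window: an IP is banned once maxretry hits fall within findtime seconds."""
    window, banned = defaultdict(list), []
    for line in lines:
        hit = match_line(line)
        if not hit:
            continue
        ip, ts = hit
        window[ip] = [t for t in window[ip] if ts - t <= timedelta(seconds=findtime)] + [ts]
        if len(window[ip]) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

def rich_rules(ip, port=PORT, family=FAMILY, rejecttype=REJECTTYPE):
    """Same rewrite as the page's actionban (sed s/:/-/g, then split on commas): one rule per port item."""
    ports = port.replace(":", "-").replace(",", " ").split()
    return [f"rule family='{family}' source address='{ip}' port port='{p}' "
            f"protocol='tcp' reject type='{rejecttype}'" for p in ports]

def sample_log():
    """Constructed ssl_access_log excerpt (TEST-NET addresses, not taken from the page)."""
    base = datetime(2022, 6, 26, 20, 31, 0)
    def entry(ip, secs, req):
        return f'{ip} - - [{base + timedelta(seconds=secs):%d/%b/%Y:%H:%M:%S} +0200] "{req} HTTP/1.1" 200 512'
    return ([entry("203.0.113.7", 5 * i, "POST /wp-login.php") for i in range(13)]   # 13 hits in 60 s: ban
            + [entry("198.51.100.9", 7 * i, "POST /xmlrpc.php") for i in range(2)]   # 2 hits: below maxretry
            + [entry("192.0.2.1", 0, "GET /wp-login.php")])                           # GET: no failregex hit
```

Running `bans(sample_log())` returns only the wp-login.php client, and `rich_rules()` on that address yields the same `rule family="ipv4" ... port port="1-65535" ... reject type="icmp-port-unreachable"` shape as the `firewall-cmd --list-rich-rules` output above.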

References

docpublic/systemes/fail2ban_firewalld.1656268507.txt.gz · Last modified: 2022/06/26 18:35 by adminjp
CC Attribution-Noncommercial-Share Alike 4.0 International