Debian 11 - FirewallD - Fail2Ban

SYSTEM INFORMATION
OS type and version: Debian 11
Webmin version: 2.001

A newly installed Debian 11 - Virtualmin - Webmin installation doesn’t work with Fail2Ban out of the box as promised by the installer.

Has anybody succeeded in getting Fail2Ban working?

As mentioned in the forum, there is an issue with firewallD on Debian since 2019 …

Thanks for any help …

What exactly doesn’t work? Are there services that are expected to be blocked for attacking IPs and are not blocked?

Where exactly on the installer is this promised? Can I see the link or a screenshot to make sure that we are talking about the right installer?

Thanks Ilia for your concern …

FirewallD is not creating the banned IP list. Fail2Ban detects the attackers, but they are not blocked.

Status
|- Number of jail:	6
`- Jail list:	dovecot, postfix, postfix-sasl, proftpd, sshd, webmin-auth

fail2ban-client status postfix-sasl

Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- Journal matches:	_SYSTEMD_UNIT=postfix.service
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:

Running tests
=============

Use failregex filter file : postfix, basedir: /etc/fail2ban
Use datepattern : {^LN-BEG} : Default Detectors
Use log file : /var/log/mail.log
Use encoding : UTF-8

Results
=======

Prefregex: 59 total
|  ^(?:[])?\s*(?:<[^.]+.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?[ *\d+.\d+]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:[\d+])?:\s+[[(]?postfix(-\w+)?/\w+(?:/smtp[ds])?(?:(\S+))?[])]?:?|[[(]?postfix(-\w+)?/\w+(?:/smtp[ds])?(?:(\S+))?[])]?:?(?:[\d+])?:?)\s+)?(?:[ID \d+ \S+]\s+)?(?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+) (?P.+)$
`-

Failregex: 59 total
|- #) [# of hits] regular expression
|  1) [26] ^RCPT from [^[]*[](?::\d+)?: 55[04] 5.7.1\s
|  5) [24] ^(RCPT|VRFY) from [^[]*[](?::\d+)?: 550 5.1.1\s
|  7) [9] ^from [^[]*[](?::\d+)?:?
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [187723] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:.Microseconds)?(?: ExYear)?
`-

Lines: 187723 lines, 0 ignored, 59 matched, 187664 missed
[processed in 8.45 sec]

In my opinion I have 59 attackers matching the jail. But I can see in the mail.log that the attack continues and that the firewallD rules list remains empty.

The mail.log is like this:

Oct 19 15:32:55 host03 postfix/smtpd[124656]: warning: unknown[5.34.207.68]: SASL LOGIN authentication failed: authentication failure

The jail definition is out of the box like this:

[postfix-sasl]
enabled = true
port = smtp,465,submission,imap,imaps,pop3,pop3s

Strangely there is no action line predefined.

The filter action jail is:

postfix[mode=auth] on log %(postfix_log)s

Log might be wrong and should point to mail.log instead.

I have a VPS ready we can play around, if you like to.

Sorry, forgot to mention:

I installed virtualmin with this command line:

wget http://software.virtualmin.com/gpl/scripts/install.sh
sudo /bin/sh install.sh

Fail2Ban installed with the Virtualmin install script on a minimal (clean and not pre-configured) Debian 11 works out of the box.

If that doesn’t work for you, you need to find the reason why. Perhaps there is another firewall installed and running, maybe something else is wrong or Virtualmin wasn’t installed on a clean system, but I am absolutely sure that Fail2Ban with FirewallD works flawlessly out of the box with a Virtualmin clean install.

I have reported this here some time ago. Probably in the wrong place as it is an installer issue.

The problem is in the /etc/fail2ban/jail.d/00-firewalld.conf file. Just edit it to:

banaction = firewallcmd-ipset
banaction_allports = firewallcmd-allports

The second line is missing in the installed version.

Explanation in the bug report, but the problem is caused by the fact that in the clean install fail2ban uses iptables on some actions and firewalld for others.

Hello my friends,

this line is actually missing. So I added it and restarted the service. Now, after 9h, all jails are still empty.

So I set up a totally fresh Ubuntu 22.04 server, moved my VS’s to this one and put it into production. Also on Ubuntu the allports line is missing, and also there, after 7h, there are no jail entries even though the attackers are hammering on my ports.

At the moment we can exclude the allports line and the Linux derivatives as the source of my problem, in my opinion.

Do we have a major problem? I have seen that on Ubuntu virgin installation we have now PHP 8.1., on Debian it is still 7.4. Could that be a hint?

Any help will be greatly appreciated.

All I can say: Without that line fail2ban does not work on Debian 10 and 11, but only with the recidive jail enabled as that one uses banaction_allports.

If I set that banaction_allports to use firewalld instead of iptables, it works fine. Make sure you restart both firewalld and fail2ban.

Still no improvement. All Jails are empty.

What is a recidive jail?

My jail definition looks rather simple:

[sshd]
enabled = true
port = ssh

[webmin-auth]
enabled = true
port = 10000

[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data

[postfix]
enabled = true
port = smtp,465,submission

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve

[postfix-sasl]
enabled = true
port = smtp,465,submission,imap,imaps,pop3,pop3s

Does this make any sense to you?

I wonder if /etc/fail2ban/jail.d/00-firewalld.conf is even looked at by webmin.

The best way to track the issue is to look at the fail2ban log and firewalld log. The fail2ban log will show the ban action taken and firewalld log will show the ban being implemented and on which ports.

That is not actually what happens. The regex checks to see if you are matching records that will be caught by fail2ban. However, each jail can be set differently and you might need 5 failures in 10 minutes to trigger that IP being banned. Or, one per day. My settings are in the jail.local file which is where you would make changes for your system so that they don’t get wiped when fail2ban is updated. See what your file contains because you might not be getting enough failures to ban that IP. If you have not made jail.local then your defaults will be in jail.conf and mine is:

# "bantime" is the number of seconds that a host is banned.
bantime  = 10m

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 10m

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

which means the offender has to strike 5 times within 10 minutes. If the offender strikes twice per hour you will never ban the IP with that default.

I use firewalld, not ipset. My /etc/fail2ban/jail.d/00-firewalld.conf file:

# This file is part of the fail2ban-firewalld package to configure the use of
# the firewalld actions as the default actions.  You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld
[DEFAULT]
banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]

Here is my postfix-sasl jail in /etc/fail2ban/jail.local

[postfix-sasl]
enabled  = true
bantime = 17m
bantime.increment = true
bantime.factor = 1
bantime.multipliers = 1 24 84 720 1000
findtime = 1d
bantime.maxtime = 6w
port = 0-65535
maxretry = 5

With the more recent versions of fail2ban you no longer need the recidive jail. Fail2ban can now automatically track and increase the time for repeat offenders and can multiply subsequent bans by factors to ramp up the time. Above, this jail requires an IP to fail 5 times within a day. The first offense is a ban on all ports for 17 minutes. The second offense multiplies that by 24 for a ban time of 408 minutes. It increases quickly to a maximum of 6 weeks. The 17 minutes is because I report offenders to abuseipdb.com and reports must be at least 15 minutes apart. 6 weeks maximum is because the database gets purged and the developers caution against permanent bans. They aren’t needed and once your jails are working your offenders will drop to a very small number daily. Good luck.
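Added illustration of the two points made in the last two replies (the findtime/maxretry window, and the bantime.increment multipliers); this is example code written for this thread, not code from fail2ban or from any poster. It assumes constructed mail.log lines in the format quoted earlier, the year 2022 for the syslog timestamps, a simplified stand-in for the postfix auth failregex, and the documented multiplier rule (multiplier indexed by previous ban count, last multiplier reused, result capped at bantime.maxtime).

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the mail.log format quoted above; not real traffic.
# One host fails SASL login every 30 minutes, plus one unrelated connect line.
SAMPLE_LOG = "\n".join(
    f"Oct 19 {h:02d}:{m:02d}:55 host03 postfix/smtpd[124656]: warning: "
    f"unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure"
    for h, m in [(15, 32), (16, 2), (16, 32), (17, 2), (17, 32)]
) + "\nOct 19 17:33:00 host03 postfix/smtpd[124657]: connect from mail.example.net[192.0.2.20]\n"

# Simplified stand-in (assumption) for the postfix[mode=auth] failregex: timestamp and client IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<host>[^\]]+)\]: SASL \w+ authentication failed"
)


def first_ban(log_text, findtime, maxretry, year=2022):
    """Return (ip, timestamp) of the first ban a jail with the given findtime
    (seconds) and maxretry would issue over log_text, or None if nothing bans."""
    window = timedelta(seconds=findtime)
    failures = {}  # ip -> timestamps of failures still inside the findtime window
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines the filter does not match never count as failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        recent = [t for t in failures.get(m["host"], []) if ts - t <= window]
        recent.append(ts)
        failures[m["host"]] = recent
        if len(recent) >= maxretry:
            return m["host"], m["ts"]
    return None


def ban_schedule(bantime, multipliers, factor=1, maxtime=None, bans=6):
    """Ban length (same unit as bantime) for the 1st..nth ban of one IP under
    bantime.increment with bantime.multipliers, capped at bantime.maxtime."""
    schedule = []
    for count in range(bans):
        length = bantime * factor * multipliers[min(count, len(multipliers) - 1)]
        if maxtime is not None:
            length = min(length, maxtime)
        schedule.append(length)
    return schedule
```

With the default findtime of 600 seconds the sample host is never banned, while with findtime = 86400 the fifth failure triggers the ban; the maxtime cap only changes the schedule when bantime times a multiplier exceeds it, so check it against your own jail values.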

Thank you very much for your comprehensive and precious help.

I think we can stop the troubleshooting now. I set up a new Debian 11 server and with your lines in the 00-firewalld.conf file it started banning right away. But not with the single line which comes out of the box. I have to guess, that something happened also in the installation process we do not know.

My Ubuntu 22.04 server has never banned, no matter what I set in place of your suggestions. Its fail2ban log goes berserk. It generated sometimes more than 100 lines per second; after 5 days in production it contains 500MB. The firewalld log is almost empty.

So my final solution is for now: Setup a new server, never mind the derivative, and add the lines

[DEFAULT]
banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]

in your /etc/fail2ban/jail.d/00-firewalld.conf

and everything is fine. And then open a fine bottle of whisky and enjoy life again.

Thank you guys!
