Fail2Ban all filters are 3proxy

Hi,

I’m enabling my Fail2Ban filters. They’re all preconfigured (nice!) but most of them have ‘3proxy’ selected as the filter. Is this supposed to be? (I’d guess I have to select the matching filters but it could be that Webmin routes all traffic via 3proxy?)

thanks for the advice!

On CentOS 7 f2b has only two entries with “proxy”, so I'm not sure what you mean by “most of them”, but here is the link for the default f2b conf file: http://pastebin.com/BKc8PFtC.

For editing and enabling jails you should use “jail.local” instead of “jail.conf”.

Thanks for the feedback. I’ve uploaded 2 screenshots:
https://ibin.co/2ogbXX9aQiQX.png
https://ibin.co/2ogbeiNPNotR.png

In Webmin > Fail2Ban > Filter Action Jails almost every filter action has the 3proxy log selected by default. It seems to me I must match these with the corresponding filter actions (sshd log for the sshd filter action and so on), but if Webmin provides all these filter actions by default… then it seems logical to me that those filter logs are filled in correctly as well. Or am I wrong on that?

Oh, I see now. Well, I’m not sure how the fail2ban settings work over Virtualmin because I never used them. To be honest I would not dare to click save in Virtualmin when it comes to some specific things like settings of f2b, postfix and so on, as I’m more comfortable manually editing the files and having all changes under control. I learned last year that sometimes the easy way is not always the best, when after saving postfix settings in Virtualmin everything went apes**t and mail became unusable. I would suggest doing the same, or waiting for someone who has tested the f2b module in Virtualmin and seeing what he/she has to say.

Almost forgot: change the default “Max delay between matches” and “Time to ban IP” to 86400 (24 hours). That means f2b will check the time between each attempt and if this time is less than 24 hours it will ban for 24 hours. In your case with “Matches before applying action” set to 5, f2b will keep track between the first and fifth attempt from the same IP, and if this time is x<24 hours it will ban that IP for 24 hours.

On my servers I found 24 hours to be the best option: not too long to fill up my iptables with tons of IPs and not too short for banned IPs to make a quick comeback. In the past I noticed that with a shorter time (a few hours) banned IPs have a tendency to come back the same day, while with a 24 hour ban I rarely see any IP come back even after a few days. Of course your experience could be different, but 600s (10 min) is really too short and you should increase both timers.
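The following Python model is an added example, not code from the thread or from fail2ban itself; it reproduces the timer interaction described above (ban once maxretry failures fall inside a findtime window, keep the ban for bantime) and uses constructed timestamps to show why the 600 s default lets a slow brute-forcer through while 86400 s catches it.

```python
from collections import defaultdict, deque


class BanModel:
    """Simplified model of fail2ban's findtime / maxretry / bantime logic."""

    def __init__(self, maxretry=5, findtime=86400, bantime=86400):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self._fails = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}            # ip -> epoch second when the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]     # bantime elapsed, the IP is released
            return False
        return True

    def failure(self, ip, ts):
        """Record one failed attempt at epoch second ts; True if it triggers a ban."""
        if self.is_banned(ip, ts):
            return False                  # already banned, nothing new to count
        window = self._fails[ip]
        window.append(ts)
        # Forget attempts that fall outside the findtime window.
        while window and ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned_until[ip] = ts + self.bantime
            window.clear()
            return True
        return False


def first_ban(attempts, ip="203.0.113.7", **cfg):
    """Return the timestamp at which `ip` gets banned, or None if it never does."""
    model = BanModel(**cfg)
    for ts in attempts:
        if model.failure(ip, ts):
            return ts
    return None


# Constructed scenario: one failed login every 5 minutes from the same IP.
SLOW_ATTEMPTS = [0, 300, 600, 900, 1200]
```

With findtime=600 the five attempts never fit in one window and no ban happens; with findtime=86400 the fifth attempt at t=1200 is banned.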

Hi Walter81… what distro are you on?

@Unborn: virtualmin 5.03
@Diabolico: thanks for your help. From the screenshot in your first post I figured out I had to set the correct log filters (that made the most sense to me too) & thanks for the defaults tip. Seems like a good idea.

I’m not sure if this is still a problem, but in the past fail2ban had problems on CentOS using the default logpath, e.g. “logpath = %(syslog_mail)s”, “logpath = %(postfix_log)s”… These should be changed to “logpath = /var/log/maillog”, that is, the full path to the log files. This problem was common in the past on CentOS 6 and 7, so if you see that f2b has problems reading from the log files you know what could be the cause.

You should really use SSH or SFTP and manually edit fail2ban, and to make it easier to understand here is one example:

+++ Create jail.local in the same directory where jail.conf is located

+++ Copy from jail.conf from the beginning up to the first jail and change settings as you want (the important ones I will mark with *** X ***):

```ini
[INCLUDES]

#before = paths-distro.conf
before = paths-fedora.conf
# ^-- this will change based on your OS so do not copy from me!!!

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# *** 1 ***
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. ,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
# *** 2 ***
bantime = 86400

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
# *** 3 ***
findtime = 86400

# "maxretry" is the number of failures before a host get banned.
# *** 4 ***
maxretry = 2

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = no

# "logencoding" specifies the encoding of the log files handled by the jail
#   This is used to decode the lines from the log file.
#   Typical examples:  "ascii", "utf-8"
#
#   auto:   will use the system locale setting
logencoding = utf-8

# "enabled" enables the jails.
#  By default all jails are disabled, and it should stay this way.
#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true:  jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
# *** 5 ***
enabled = false

# "filter" defines the filter to use by the jail.
#  By default jails have names matching their filter name
#
filter = %(name)s

#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail =

# Sender email address used solely for some actions
sender =

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = all

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
# *** 6 ***
banaction = iptables-allports

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(name)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(name)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(name)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
```

1 - You can add your IP or the IP of some other server/service to prevent f2b from banning that IP. Between each IP leave one space, e.g. 111.111.111.111 222.222.222.222 333.333.333.333 …

2 / 3 - My suggestion for bantime and findtime is to set both to 24 hours (86400). If you go for more, your iptables could fill up with many banned IPs and slow down your website, and honestly there is no need to ban for more than 24 hours.

4 - Maxretry is usually set to 3-5, but if the server is only for you or just one client I would suggest going for 2 or 3. You can change this for a specific jail by adding “maxretry = XX”.

5 - I would leave this on “disabled” and then use “enabled = true” for each jail. Because you will copy only the jails you want to use, this option could be set to “enabled”, but I’m used to doing it this way so it's up to you. If you go with “enabled” then you don't need “enabled = true” for each jail.

6 - Just use “iptables-allports”. This means if one IP was banned because of brute-force on the mail server it will be banned on all ports.

+++ For jails, just check which ones you want to use and then copy them one by one from jail.conf and paste at the bottom of jail.local:

```ini
[postfix]
enabled = true
port = smtp,465,submission
logpath = /var/log/maillog

[postfix-rbl]
enabled = true
port = smtp,465,submission
logpath = /var/log/maillog
maxretry = 1

[apache-badbots]
enabled = true
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port = http,https
logpath = /var/log/virtualmin/yourdomain.com_error_log
          /var/log/virtualmin/yourdomain.com_access_log
bantime = 172800
maxretry = 1

[apache-noscript]
enabled = true
port = http,https
logpath = /var/log/virtualmin/yourdomain.com_error_log
          /var/log/virtualmin/yourdomain.com_access_log
maxretry = 6
```

These are a few jail examples so you can see how it looks. For each jail you can change default settings like maxretry from 2-3 down to 1 or increase it to 5, the same for bantime, etc.

You should be safe to copy all the settings I posted here aside from the jails; those are entirely up to you and depend on what you have active on the server, what you want to protect, and so on…

You can see in my example I used the full path to the log files to be sure f2b will be able to read from them.
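As an added check, not part of the post and not fail2ban's own code, this Python script reads a jail.local with the standard-library configparser and flags every enabled jail whose logpath is still an interpolated default like %(postfix_log)s, is not absolute, or does not exist on disk; the jail.local text is constructed for the example and the `exists` callback is a hypothetical hook so the check can run without a real /var/log tree.

```python
import configparser
import os

# Constructed sample jail.local: one jail keeps an interpolated default logpath
# (the CentOS problem described above), one uses full paths, one stays disabled.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
enabled = false

[postfix]
enabled = true
logpath = %(postfix_log)s

[apache-noscript]
enabled = true
logpath = /var/log/virtualmin/example.com_error_log
          /var/log/virtualmin/example.com_access_log

[sshd]
logpath = /var/log/secure
"""


def check_logpaths(text, exists=os.path.isfile):
    """Return {jail: [problem, ...]} for enabled jails whose logpath entries are
    not full, existing paths. `exists` is injectable for offline testing."""
    # fail2ban resolves %(...)s from paths-*.conf, which is not loaded here,
    # so configparser's own interpolation must be switched off.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    problems = {}
    for jail in cp.sections():
        if cp.get(jail, "enabled", fallback="false").lower() != "true":
            continue  # f2b never reads a disabled jail, so skip it
        # A multi-line logpath (continuation lines) splits into one path each.
        for path in cp.get(jail, "logpath", fallback="").split():
            if "%(" in path:
                msg = "interpolated default, replace with the full path"
            elif not path.startswith("/"):
                msg = "not an absolute path"
            elif not exists(path):
                msg = "log file not found, f2b will fail to read it"
            else:
                continue
            problems.setdefault(jail, []).append(f"{path}: {msg}")
    return problems
```

Run it against your real file with `check_logpaths(open("/etc/fail2ban/jail.local").read())` to get the same report for your own jails.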

Thanks for the -extensive!- feedback. I followed your advice :slight_smile: I’ve been learning stuff the last few weeks with this :stuck_out_tongue: