Fail2ban and Firewalld rules

| SYSTEM INFORMATION||

Operating system CentOS Linux 7.9.2009
Webmin version 1.994
Usermin version 1.840
Virtualmin version 7.1

Hi All,

I have been trying to harden the servers and have been working on the GPL one before copying the same actions to a PRO.

I have been working on Fail2ban editing the rules and have come across a question that seems to have various answers on the web so I think it would be a good idea to ask here for a definitive answer. Of course, if my understanding is wrong I would appreciate any “education” that you might feel worthy of your time.

My ideal would be for bad actors to be banned from ANY connection to this server no matter what their initial attempt was. So, if someone tries to login to, for example, FTP and gets banned by Fail2ban they are banned from ALL services.

If I go to firewalld and click “List FirewallD Rules” I get the expected list but I notice the following

Rich IPv4 163.177.9.151 Input Reject rule family="ipv4" source address="163.177.9.151" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"

That rule was added by Fail2ban as a result of attempted SSH login.

But I also notice this group

|Rich |IPv4 |141.98.10.203   |Input |Reject |rule family=ipv4 source address=141.98.10.203 port port=465 protocol=tcp reject type=icmp-port-unreachable|
|Rich |IPv4 |141.98.10.203   |Input |Reject |rule family=ipv4 source address=141.98.10.203 port port=imap protocol=tcp reject type=icmp-port-unreachable|
|Rich |IPv4 |141.98.10.203   |Input |Reject |rule family=ipv4 source address=141.98.10.203 port port=imaps protocol=tcp reject type=icmp-port-unreachable|
|Rich |IPv4 |141.98.10.203   |Input |Reject |rule family=ipv4 source address=141.98.10.203 port port=pop3 protocol=tcp reject type=icmp-port-unreachable|
|Rich |IPv4 |141.98.10.203   |Input |Reject |rule family=ipv4 source address=141.98.10.203 port port=pop3s protocol=tcp reject type=icmp-port-unreachable|
|Rich |IPv4 |141.98.10.203   |Input |Reject |rule family=ipv4 source address=141.98.10.203 port port=smtp protocol=tcp reject type=icmp-port-unreachable|
|Rich |IPv4 |141.98.10.203   |Input |Reject |rule family=ipv4 source address=141.98.10.203 port port=submission protocol=tcp reject type=icmp-port-unreachable |

That rule appears to be an attempt at postfix-sasl.

Here are the relevant sections from /etc/fail2ban/jail.conf

[sshd]
port    = ssh
logpath = /var/log/secure
backend = %(sshd_backend)s

and

[postfix-sasl]
filter   = postfix[mode=auth]
port     = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = /var/log/maillog
backend  = %(postfix_backend)s

Here are the relevant sections from /etc/fail2ban/jail.local

 [sshd]
 enabled = true
 ignoreip = xxx.xxx.xxx.xxx 127.0.0.1
 maxretry = 2
 findtime = 300
 bantime = 1w

and

[postfix-sasl]
enabled = true
ignoreip = xxx.xxx.xxx.xxx
maxretry = 3
findtime = 86400
bantime = 1w

Since I would like to block ALL attempts from an IP number when failing is the above what I sould expect?

Should the ports mentioned in the rules be something like “port=all” or port=“0-65535” ?

Thanks for reading.

Tim

You should look into the [default] section of your jail.local file.

Given that you want to ban on ALL ports, not just the offended service, and apply this action to all offenders, you should not try changing this in the filter / jail you are trying to setup, though in the [default]
"banaction=… ".

The line below that is for the banaction_allports, simply copy that one to the banaction, and all jails will use the new banaction, regardless of ports configured in the service/jail.

Many thanks Steven. There is much seemingly conflicting information on the web and I was clearly looking in the wrong place.

Now I can dig a little deeper.