[SOLVED] Fail2ban not adding rules to Webmin

Hi,

this may or may not be related to this (https://www.virtualmin.com/node/35443) similar thread, but as it’s a bit old I’m starting a new one.

I have the following fail2ban jails activated:

  • ssh-iptables (sshd)
  • sasl-iptables (postfix-sasl)
  • postfix-tcpwrapper (postfix)
  • webmin-auth (webmin-auth)
  • dovecot (dovecot)
  • dovecot-auth (dovecot)

When I look at Webmin’s iptables page, I can only see these (see attached):

  • Jump to chain fail2ban-dovecot
  • Jump to chain fail2ban-SSH
  • Jump to chain fail2ban-dovecot-auth

However, when I check iptables -L -n I can see:

Chain f2b-webmin (0 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

which does not appear in Webmin.

I’m a bit unclear about the comment here (https://www.virtualmin.com/node/35443#comment-140998) that “Fail2ban dynamically adds/updates rules, whereas, by default, Webmin operates on the iptables save file.”
Are we saying that the chains that appear in Webmin’s iptables have been saved to file, but the others have not?

Another, possibly related issue, is that I see two entries for SSH and I’m unsure why:

Chain f2b-SSH (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

I’m probably missing something basic.
Could someone please help?

Thanks

Post the result of “iptables -L”.

Hi,

here’s the output.

I’ve condensed chain “badasses”; it’s basically a bunch of annoying ip addresses that I permanently block.
tcp dpts is the webmin port.

Chain INPUT (policy ACCEPT)
target prot opt source destination
badasses all -- anywhere anywhere
fail2ban-dovecot tcp -- anywhere anywhere multiport dports pop3,pop3s,imap,imaps,submission,urd,sieve
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:xxxx
fail2ban-dovecot-auth tcp -- anywhere anywhere multiport dports pop3,pop3s,imap,imaps,submission,urd,sieve
ACCEPT tcp -- anywhere anywhere tcp dpts:xxxx:xxxx
DROP udp -- anywhere anywhere udp dpt:ftp-data
DROP udp -- anywhere anywhere udp dpt:ftp
ACCEPT udp -- anywhere anywhere udp dpt:domain
DROP tcp -- anywhere anywhere tcp dpt:dnp
DROP tcp -- anywhere anywhere tcp dpt:ndmp
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
DROP tcp -- anywhere anywhere tcp dpt:imaps
DROP tcp -- anywhere anywhere tcp dpt:imap
DROP tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
DROP tcp -- anywhere anywhere tcp dpt:ftp-data
DROP tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
DROP tcp -- anywhere anywhere tcp dpt:smtp
DROP tcp -- anywhere anywhere tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain badasses (1 references)
target prot opt source destination
DROP all – x.x.x.x anywhere
RETURN all – anywhere anywhere

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

Chain fail2ban-dovecot (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

Chain fail2ban-dovecot-auth (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

  1. ssh to your server and stop fail2ban

  2. go to Webmin - Network - iptables - delete all records related to fail2ban - save - restart iptables (or do this over ssh, no difference)

  3. ssh back to your server and check jail.local to see if you set everything correctly

  4. start fail2ban

  5. now use “iptables -L -n” and see if everything is ok

Don’t save fail2ban rules in iptables because this is not how it is supposed to work. Fail2ban has its own settings and after each server restart it will put back all the rules previously set, including already banned IPs.

I’ve condensed chain “badasses”; it’s basically a bunch of annoying ip addresses that I permanently block. tcp dpts is the webmin port.
Another thing, watch out for how many IPs are saved with iptables (doesn’t apply to fail2ban-banned IPs) because it will slow down your websites, especially TTFB values. If you really need to permanently ban a lot of IPs, like whole country blocks, then you should use ipset (ipset.netfilter.org), but you can install it only on full virtualization like KVM or Xen HVM, so no OpenVZ or Xen PV.
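The “delete all records related to fail2ban” part of step 2, done over ssh instead of in the Webmin UI, as an added example that is not from this thread or from fail2ban/Webmin themselves. It assumes a POSIX shell with awk plus the standard iptables-save/iptables-restore tools; the ruleset it is tested against is constructed to mirror the chains shown above.

```shell
# Added example, not from the thread: filter iptables-save output so that every
# fail2ban-managed chain (fail2ban-* or f2b-*) and every jump into one is
# dropped, leaving only the rules that belong in the persistent save file.
# Run it with fail2ban stopped, then start fail2ban again so it recreates its
# own chains and re-bans what it had banned:
#   iptables-save > /root/rules.bak
#   strip_f2b < /root/rules.bak > /root/rules.clean && iptables-restore < /root/rules.clean
strip_f2b() {
    awk '
        /^:(f2b|fail2ban)-/      { next }   # chain declaration, e.g. ":f2b-SSH - [0:0]"
        /^-[AI] (f2b|fail2ban)-/ { next }   # rule inside a fail2ban chain
        / -j (f2b|fail2ban)-/    { next }   # jump from INPUT into a fail2ban chain
        { print }
    '
}

# Constructed iptables-save sample modelled on the chains shown in this thread
# (192.0.2.10 is a documentation address standing in for a blocked host).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:badasses - [0:0]
:f2b-SSH - [0:0]
:fail2ban-dovecot - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j f2b-SSH
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot
-A INPUT -j badasses
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A badasses -s 192.0.2.10/32 -j DROP
-A badasses -j RETURN
-A f2b-SSH -j RETURN
-A fail2ban-dovecot -j RETURN
COMMIT'

cleaned_rules() { printf '%s\n' "$SAMPLE_RULES" | strip_f2b; }
# number of lines still mentioning a fail2ban chain (expected 0)
f2b_leftovers() { cleaned_rules | awk '/f2b-|fail2ban-/ { n++ } END { print n + 0 }'; }
has_rule()      { cleaned_rules | grep -q -F -- "$1"; }
```

The hand-maintained “badasses” chain and the plain ACCEPT/DROP rules survive the filter, which is exactly what should be in the save file.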

Thanks for your help.
Someone else had set this up for me, but at least I now know how to do it in the future.

So here’s the output of iptables -L -n

Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-dovecot-auth tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 110,995,143,993,587,465,4190
f2b-dovecot tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 110,995,143,993,587,465,4190
f2b-sasl tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
f2b-SSH tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:xxxx
badasses all – 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpts:xxxx:xxxx
DROP udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:20
DROP udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:21
ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:53
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:20000
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
DROP tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain badasses (1 references)
target prot opt source destination
DROP all – x.x.x.x 0.0.0.0/0
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain f2b-SSH (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain f2b-dovecot (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain f2b-dovecot-auth (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain f2b-sasl (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain f2b-webmin (0 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

I had a couple of follow-up questions:

(1) I’ve activated postfix-tcpwrapper but I can’t seem to see it in the output. Should it be there?

(2) I can see f2b-webmin at the bottom, but I can’t see it at the top of the output. Should it be there?

(3) Within /etc/fail2ban I can also see a file called jail.conf.rpmnew.
I think this relates to version 9 of fail2ban. Do I need to do anything? Does it overwrite jail.conf?

Thanks again

  1. Yes, but I think the new version doesn’t come with postfix-tcpwrapper and I think everything is handled with postfix.

  2. Yes, but in the new version it is named “f2b-webmin-auth”.

  3. The file ****.rpmnew means you updated some software but had changed the old files, so to not break everything the update marks all those (new) files as ****.rpmnew. First, you should never use jail.conf but rather jail.local. There is a lot of information on Google; just look around. For fail2ban you need to use the new file versions, and not doing this could relate to your problems. Check inside the other folders in fail2ban for more ****.rpmnew files, and if there are, you should use those.

Answers 1 and 2 are based on CentOS 7, i.e. the OS I’m using, so I’m not sure if others have this different, but I think it should be the same.

Thanks again.

Amazingly I paid someone to help me set up fail2ban but of course you are right, all modifications should go into jail.local. I can now see why the file jail.conf.rpmnew was created.

Should I therefore delete / rename the existing jail.conf file and rename jail.conf.rpmnew into jail.conf so that fail2ban correctly picks it up?

Thanks

Don’t delete any old file for now; just rename it to *.old or make a local copy and then delete it. Once you have checked everything you can delete the old files.

Hi,

I renamed the jail.conf file to jail.conf.old and jail.conf.rpmnew to jail.conf.
I had to rename some of the active jails to take account of version 0.9 naming but I restarted fail2ban and I did not see any error messages so I presume it works.

Just to make 100% sure that I’ve set it up correctly:

In my jail.local, I did not define the port and logpath.
So for instance, the default options for sshd are:

port = ssh
logpath = %(sshd_log)s

If I moved the ssh port to another non-standard port, do I need to set it manually or will it pick it up automatically from sshd_config?

Similarly, do I need to tell it that my /var/log/postfix.log is actually located in /var/log/maillog?
Backend is set to “auto” and I have not changed that in my .local file.

Thanks

Fail2ban after version 0.9 comes with all jails deactivated by default, so in jail.local just activate the ones you want/need. I would suggest copying everything from jail.conf up to the first jail rule into jail.local, making changes based on what you need and then proceeding with activating the wanted jails (in jail.local).

I would suggest changing “%(sshd_log)s” to the standard path, as I noticed some jails have a little problem checking the log files. In theory it should work, but there is nothing wrong with using the full path to the log files, for example:
[sshd]
enabled = true
port = ssh
logpath = /var/log/secure

Fail2ban will read the log files, so for example whatever port you are using for SSH doesn’t matter if the log file is working.

Check this topic http://www.virtualmin.com/node/38305.
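A quick offline check of the kind of jail.local the reply above describes, as an added example that is not from this thread or from fail2ban itself: it lists the enabled jails and reports which logpaths are still jail.conf placeholders (the %(...)s form the reply suggests replacing) or point at files that do not exist. It assumes a POSIX shell with awk; the jail.local and the stand-in log file it reads are constructed in a temp directory.

```shell
# Added example, not from the thread: list the jails a jail.local enables and
# check that each logpath is an explicit, existing file; a %(...)s placeholder
# is reported as "unresolved" so it can be replaced with a real path.
# Prints one line per enabled jail: "<jail> <logpath> ok|unresolved|missing|unset".
check_jails() {   # $1 = path to the jail.local to inspect
    awk '
        /^\[.*\]$/ { report(); name = substr($0, 2, length($0) - 2)
                     enabled = ""; logpath = ""; next }
        /^[ \t]*enabled[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); enabled = $0 }
        /^[ \t]*logpath[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); logpath = $0 }
        END { report() }
        function report() {   # [DEFAULT] is never a jail of its own
            if (name != "" && name != "DEFAULT" && tolower(enabled) == "true")
                print name, logpath
        }
    ' "$1" | while read -r jail path; do
        case "$path" in
            *%\(*\)s*) status=unresolved ;;        # still a jail.conf variable
            "")        status=unset ;;
            *)         [ -f "$path" ] && status=ok || status=missing ;;
        esac
        printf '%s %s %s\n' "$jail" "$path" "$status"
    done
}

# Constructed jail.local modelled on the jails in this thread, written to a temp
# dir with a stand-in for /var/log/secure so the check runs without a real server.
demo_jail_report() {
    tmp=$(mktemp -d)
    : > "$tmp/secure"
    cat > "$tmp/jail.local" <<EOF
[DEFAULT]
bantime = 3600
[sshd]
enabled = true
logpath = $tmp/secure
[postfix-sasl]
enabled = true
logpath = %(postfix_log)s
[webmin-auth]
enabled = false
logpath = /var/log/secure
[mysqld-auth]
enabled = true
logpath = $tmp/mysqld.log
EOF
    check_jails "$tmp/jail.local"
    rm -rf "$tmp"
}
```

On a real server run `check_jails /etc/fail2ban/jail.local` before restarting fail2ban; only jails marked `ok` will have a log to read.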

Thanks, all good.

Having checked, it adds the logs correctly, e.g.:

Added logfile = /var/log/secure
Added logfile = /var/log/maillog
Added logfile = /var/log/httpd/error_log
Added logfile = /var/log/httpd/ssl_error_log

The only one it complained about was [mysqld-auth] but after changing logpath = %(mysql_log)s to logpath = /var/log/mysqld.log it worked.

Thanks for all your help - appreciated.