
CentOS firewall - rule to deny access to ip and fail2ban

Say I have fail2ban installed.
When I restart the firewall it forgets what it's banned.
Any way to stop this?
Also, what is the rule to block an IP from access, and in which table do I add it?
Asked by shaunwingin
4 Solutions
 
Papertrip commented:
I haven't used fail2ban, but I think I may know what is happening.  fail2ban is probably using /sbin/iptables to add rules, which are only in RAM until you run one of these commands:
iptables-save > /etc/sysconfig/iptables
service iptables save
/etc/init.d/iptables save

All of those commands will dump the contents of the tables in RAM to /etc/sysconfig/iptables so they are persistent across restarts/reboots.  I would imagine that fail2ban must commit those changes to disk at some point... possibly when you stop fail2ban service while iptables is still running.  Either way, if you are manually restarting iptables, dump the tables to disk first.

pritamdutt commented:
I am assuming you have iptables running in the background.

Test to see if
service iptables save

command saves your changes.

If yes, you would be required to call this command during the shutdown process.

shaunwingin (Author) commented:
iptables is running...
How do I manually block an ip?
shaunwingin (Author) commented:
I need an example pls

Papertrip commented:
iptables -A INPUT -s 1.2.3.4 -j DROP

 
shaunwingin (Author) commented:
tx

shaunwingin (Author) commented:
Anyone know fail2ban

Papertrip commented:
Hi Shaun,

I have provided the correct answers to both of your original questions, mainly on how to save the fail2ban rules to disk before restarting iptables.  If you have a new question, please open up a new question and close this one out.

Thanks!

shaunwingin (Author) commented:
I need fail2ban to not drop its blocked IPs....

see my question pls:

CentOS firewall - rule to deny access to ip and fail2ban
Say I have fail2ban installed.
When I restart the firewall it forgets what it's banned.
Any way to stop this?

Papertrip commented:
I explained how to address that already in my first answer at http:#36922389

shaunwingin (Author) commented:
While you do, it doesn't use fail2ban commands...

arnold commented:
I believe Papertrip answered your question and should be awarded the points.
fail2ban adds entries to a firewall (iptables); it is not a firewall application in its own right. So the only way to commit the adjustments to firewall rules made by fail2ban is to actually use the firewall (iptables) and commit the current running firewall configuration,
as was pointed out:
sudo /etc/init.d/iptables save
sudo service iptables save
sudo /sbin/iptables-save

Note that making such changes permanent may lead you to locking out valid users who've made attempts using wrong credentials (caps lock on, etc.).

I've not used fail2ban, but based on the write-up:
http://www.fail2ban.org/wiki/index.php/Features
It bans an IP that exceeded thresholds and then unbans it based on the configuration.
If the changes are made permanent as previously mentioned, someone may be banned without fail2ban clearing that IP.

noci (Software Engineer) commented:
Fail2ban only keeps track of additions to its own table(s), one per jail.
(The tables are added during startup.)
It also removes from that table when an address should be delisted.
But there are no provisions for saving the table.

Now saving/restoring makes no real sense to do.
One of the initialisations is getting rid of debris (old chains & rules) and creating a new one.
==> saving doesn't help.

The only thing that can be done is something like:
save during shutdown of fail2ban (before fail2ban stops), and at the start of fail2ban reinstate the table for the right filter.
iptables-save is not the right method, as it saves ALL tables.

The rationale for this is the notion that a ban is temporary anyway.

noci (Software Engineer) commented:
Strictly speaking you could create some actions that don't erase the iptables but save & restore.
(NOT using iptables-save, but using your own script)

see: /etc/fail2ban/action.d/iptables*.conf
actionstop & actionstart
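As an added example (not code from the thread and not fail2ban's own action files), here is the kind of "own script" a custom actionstop/actionstart in a copy of /etc/fail2ban/action.d/iptables*.conf could call. It records the addresses currently in one jail's chain together with a timestamp, and on restore re-adds only those whose ban is still younger than the jail's bantime, so the temporary nature of a ban (raised elsewhere in this thread) is preserved instead of resurrecting stale bans. The chain name fail2ban-<jail>, the state directory /var/lib/fail2ban-bans, the 600 second default BANTIME and the IPTABLES override are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of fail2ban: per-jail save/restore of banned IPs.
# Call "save_bans fail2ban-<jail>" from actionstop (before the chain is
# flushed) and "restore_bans fail2ban-<jail>" from actionstart (after the
# chain has been created). All paths and defaults below are assumptions.

STATE_DIR="${STATE_DIR:-/var/lib/fail2ban-bans}"   # assumed state location
BANTIME="${BANTIME:-600}"                           # seconds; match the jail's bantime
IPTABLES="${IPTABLES:-iptables}"                    # set to "echo" for a dry run

# Read "iptables -S <chain>" output on stdin and print one banned IPv4 per line.
# Only "-A <chain> -s A.B.C.D/32 -j <target> ..." lines are bans; the chain's
# own "-N" line and the trailing "-j RETURN" rule are ignored.
extract_bans() {
    sed -n 's|^-A [^ ]* -s \([0-9][0-9.]*\)/32 -j .*$|\1|p'
}

# Accept only dotted-quad IPv4 addresses with every octet in 0..255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# Write "<epoch> <ip>" for every current ban of the chain to $STATE_DIR/<chain>.
save_bans() {
    chain="$1"; now=$(date +%s)
    mkdir -p "$STATE_DIR"
    "$IPTABLES" -S "$chain" 2>/dev/null | extract_bans |
        while read -r ip; do echo "$now $ip"; done > "$STATE_DIR/$chain"
}

# Given a state file's text on stdin and the current epoch as $1, print the IPs
# whose ban is still younger than BANTIME. Stale or malformed entries are dropped.
fresh_bans() {
    now="$1"
    while read -r stamp ip; do
        [ -n "$stamp" ] && [ -n "$ip" ] || continue
        if [ $((now - stamp)) -lt "$BANTIME" ] && valid_ipv4 "$ip"; then
            echo "$ip"
        fi
    done
}

# Re-insert the surviving bans into the chain fail2ban has just (re)created.
# "-C" checks for an existing rule first so the function is safe to re-run.
restore_bans() {
    chain="$1"
    [ -f "$STATE_DIR/$chain" ] || return 0
    fresh_bans "$(date +%s)" < "$STATE_DIR/$chain" |
        while read -r ip; do
            "$IPTABLES" -C "$chain" -s "$ip" -j DROP 2>/dev/null ||
                "$IPTABLES" -I "$chain" 1 -s "$ip" -j DROP
        done
}
```

Restored rules are not known to fail2ban's own unban timer, so they stay until the next restart, where the BANTIME check in fresh_bans retires them; that is the reason for storing a timestamp rather than the bare address list.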

Daniel McAllister (President, IT4SOHO, LLC) commented:
OK, not to put too fine a point on this, but the whole POINT of fail2ban is to TEMPORARILY block IPs that meet certain criteria. If you "save" the iptables rules that fail2ban institutes as part of your shutdown, you're removing the fail2ban REMOVAL process.

The whole purpose of the TEMPORARY ban is because so much traffic comes from DYNAMIC address space -- and you never know who the NEXT user of that IP address will turn out to be!
So I think I agree with an earlier posting that Papertrip should be awarded the points for this question -- with the caveat that it wasn't the right question! If you determine that there are static IPs that you believe to be undesirable, then add them (manually) to your iptables (in /etc/sysconfig/iptables for CentOS). Otherwise, upon reboot fail2ban will just have to DETECT the bad-boy behavior again to re-institute the ban.

BTW: It sounds like you've got an IP or two you really want to make sure are blocked... I suggest you look into the TARPIT extension to iptables... it can be a nasty bugger to bad guys who attack your system -- and it can be integrated with fail2ban as well!

Just my thoughts -- worth only what you paid me for them!

Dan
IT4SOHO

shaunwingin (Author) commented:
Tx.
Yes, there are some offending IPs I want to permanently block!

What about bfd referred to in this article as an alternative to fail2ban?

http://www.packtpub.com/article/securing-your-trixbox-server

arnold commented:
There are different options and all depends on what you want.
You can use snort/iptables or setup a separate system as is referenced in the link that will function as an active firewall determining what should not be allowed through and remove the impact on your server.

Papertrip answered your question.  If you wish to open a new discussion on an alternative to the existing setup that will manage/offload the impact of iptables/fail2ban on the performance of your system, ask a related question to this one, and those who participated will be notified of the new question.

shaunwingin (Author) commented:
Papertrip gave me a manual method...
You've explained it more.
Would still like it as an option, as once blocked it must remain blocked.
Tx 4 the tarpit idea... pls can you send me a link?

noci (Software Engineer) commented:
Tarpit is on this page.

http://www.netfilter.org/projects/patch-o-matic/pom-external.html

To block sites, add rules like:
iptables -A INPUT -i 'internet facing interface' -s of.fen.ding.IP -j DROP
iptables -A FORWARD -i 'internet facing interface' -s of.fen.ding.IP -j DROP

  # or -j TARPIT if you like; tarpit only works for tcp, so the above needs more work, you also need to install TARPIT, see link.

iptables -N SLOWBLOCK
iptables -A SLOWBLOCK -j LOG --log-prefix "SLOWBLOCKED" # mention it in a log, can be left out
iptables -A SLOWBLOCK -p tcp -j TARPIT        # tarpit TCP
iptables -A SLOWBLOCK -j DROP                 # drop the others

iptables -I INPUT -i 'internet facing interface' -s of.fen.ding.IP -j SLOWBLOCK
iptables -I FORWARD -i 'internet facing interface' -s of.fen.ding.IP -j SLOWBLOCK

(The forward rule is for a routing device, the input for a regular host.)
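As an added example (not noci's code), the SLOWBLOCK idea generalised into a script that builds the chain from a blocklist file, so the permanent blocks live in one place rather than in hand-typed rules. The blocklist path /etc/sysconfig/blocklist.txt, the interface name eth0 and the logging rate limit are assumptions; TARPIT is only added when the add-on target is installed, otherwise every matching packet is simply dropped.

```shell
#!/bin/sh
# Added example, not from the thread: maintain a permanent blocklist in a
# dedicated chain, following the SLOWBLOCK layout (LOG, TARPIT for TCP, DROP).
# The file path, chain name, interface and limits below are assumptions.

BLOCKLIST="${BLOCKLIST:-/etc/sysconfig/blocklist.txt}"  # one IPv4 or CIDR per line, '#' comments
CHAIN="${CHAIN:-SLOWBLOCK}"
WAN_IF="${WAN_IF:-eth0}"             # internet-facing interface (assumption)
IPTABLES="${IPTABLES:-iptables}"     # set to "echo" for a dry run

# Read a blocklist on stdin and print one validated IPv4 address or CIDR per
# line. Comments, blank lines, trailing junk, octets > 255 and prefixes > 32
# are all skipped so a typo in the file cannot become a broken rule.
parse_blocklist() {
    sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' | awk -F'[./]' '
        NF == 4 || NF == 5 {
            ok = 1
            for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
            if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) ok = 0
            if (ok) print
        }'
}

# Create the chain once. Logging is rate limited so a flood from a blocked
# source cannot fill the log; TARPIT is an add-on target (see the netfilter
# link above), so its failure to load is tolerated and DROP still follows.
ensure_chain() {
    "$IPTABLES" -L "$CHAIN" -n >/dev/null 2>&1 && return 0
    "$IPTABLES" -N "$CHAIN"
    "$IPTABLES" -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "SLOWBLOCKED "
    "$IPTABLES" -A "$CHAIN" -p tcp -j TARPIT 2>/dev/null || true
    "$IPTABLES" -A "$CHAIN" -j DROP
}

# Insert a jump to the chain for every blocklist entry in INPUT (this host)
# and FORWARD (if the box routes). "-C" keeps repeated runs from adding
# duplicate rules.
apply_blocklist() {
    ensure_chain
    parse_blocklist < "$BLOCKLIST" | while read -r src; do
        for hook in INPUT FORWARD; do
            "$IPTABLES" -C "$hook" -i "$WAN_IF" -s "$src" -j "$CHAIN" 2>/dev/null ||
                "$IPTABLES" -I "$hook" -i "$WAN_IF" -s "$src" -j "$CHAIN"
        done
    done
}
```

Because these blocks are meant to be permanent, running "service iptables save" after apply_blocklist is the right thing here, unlike for the fail2ban chains discussed earlier in the thread.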

arnold commented:
If you have an option to set up/dedicate an older system to function as a firewall/router:
https://forums.snort.org/forums/snort-newbies/topics/snort-and-iptables
http://cipherdyne.org/fwsnort/

You could offload the load from the firewall/iptables and have your primary server's load reflect only the work it does.

shaunwingin (Author) commented:
Tx. Pls can you explain why I would use snortfw?

arnold commented:
It is an Intrusion Detection System which will limit known types of attacks against the resources behind it,
i.e. malformed TCP headers, malformed URL requests, the signature of an attack type.

Your current fail2ban is configured based on failed login attempts.

When possible separating the server that performs the tasks and a system that protects it, improves performance.

There are different mechanisms; it all depends on what it is you want to achieve.

What are you protecting, a web-based application or SSH sessions?

shaunwingin (Author) commented:
Hi Arnold. It's SSH sessions and SIP login attempts. It's an Asterisk server.

arnold commented:
Failed logins are not the only attack vector being attempted on the ssh server.
You can configure your end server to forward events via syslog/rsyslog to the middle server for analysis/adjustment by fail2ban.

syslog/rsyslog
authpriv.* @middle_server_ip

Make sure the middle server is configured with the -r 514 to listen on UDP port 514 for the events.

Not sure what SIP events you are seeing, but if they are syslog based, you can forward them as well.

noci (Software Engineer) commented:
fail2ban does scan logfiles (not just for the failed login attempts) and triggers on matches.

snort does scan actual traffic patterns and reacts on those.

I don't know if snort has enough knowledge to halt a sipvicious attack, but parsing failed SIP login attempts is relatively easy.

shaunwingin (Author) commented:
Thank you guys. I'm trying to assess when to use a middle server. How much resources do fail2ban & snort tend to use up?

arnold commented:
Not sure what you are asking.  You either set up the middle server or you do not.  Are you considering intermittently "dropping" it in place and then removing it?

noci (Software Engineer) commented:
Fail2ban uses the gamin file-change monitor to only work on a file that has changed, so the number of monitored logfiles does matter, & the number of active rules of course, as well as the amount of changes on those files. A lot can be done if e.g. only authentication failures get logged to a certain file, as opposed to a DEBUG dump to the same file.

For snort it depends on network traffic; most data needs to be tracked and matched against various rules, so the impact is a lot harder to predict.
Also how much analysis has to be done: only the SYN packet of a TCP session, or all UDP name queries on a heavily used DNS server, for the existence of some specific query.

shaunwingin (Author) commented:
Tx noci.