Gentoo Forums
Is there a paths-gentoo.conf for fail2ban?
pgu
l33t
Joined: 30 Jul 2009
Posts: 721
Location: Oslo, Norway

Posted: Sun Jan 07, 2024 6:30 pm    Post subject: Is there a paths-gentoo.conf for fail2ban?

There should probably be two: paths-gentoo-systemd.conf and paths-gentoo-openrc.conf.

Or is it better to toss the provided template structure and follow https://wiki.gentoo.org/wiki/Fail2ban?
figueroa
Advocate
Joined: 14 Aug 2005
Posts: 2963
Location: Edge of marsh USA

Posted: Mon Jan 08, 2024 5:01 am

I've been using fail2ban on both gentoo and debian systems for several years. I've never needed to bother with paths files. I've only created and made adjustments to jail.local. Why do you ask? Are you having problems or seeing path related errors?
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
sam_
Developer
Joined: 14 Aug 2020
Posts: 1678

Posted: Mon Jan 08, 2024 8:50 am

Yeah, I've been considering adding this as it annoys me too. But it doesn't bother me enough to remember to work on it.

Patches very welcome to add it.
pgu
l33t
Joined: 30 Jul 2009
Posts: 721
Location: Oslo, Norway

Posted: Mon Jan 08, 2024 5:52 pm

figueroa wrote:
Why do you ask? Are you having problems or seeing path related errors?

I just noticed that the structure in the emerged fail2ban.conf was depending upon a distro specific file which defined paths to the various log files and other distro specific items.

It appears that the general idea is that once the distro specific parts have been defined the program specific parts like sshd, postfix, etc are kept as generic as possible.

However, in the wiki there is no such structure, so I was just wondering if I'm missing a gentoo specific file, or if the wiki is simply out of date.
figueroa
Advocate
Joined: 14 Aug 2005
Posts: 2963
Location: Edge of marsh USA

Posted: Mon Jan 08, 2024 9:02 pm

pgu wrote:
...
I just noticed that the structure in the emerged fail2ban.conf was depending upon a distro specific file which defined paths to the various log files and other distro specific items.

It appears that the general idea is that once the distro specific parts have been defined the program specific parts like sshd, postfix, etc are kept as generic as possible.

With Gentoo, there is almost no common denominator. Each user builds their own system from the ground up, selecting components as if browsing a salad bar. Thus, things like paths to logs vary depending on those choices. If there was a Gentoo specific paths file, what choices would it depend on?
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21644

Posted: Mon Jan 08, 2024 9:21 pm

Although systems are very customizable, Gentoo often suggests default values for many things. For example, my syslog-ng paths are probably the same as almost everyone else's, because I never felt the need to rename the log files. The Gentoo-specific fail2ban configurations could use the same values that Gentoo's reference configuration for syslog-ng suggests. Anyone who reuses the suggested paths from syslog-ng would then get a fail2ban that works with no further changes.
figueroa
Advocate
Joined: 14 Aug 2005
Posts: 2963
Location: Edge of marsh USA

Posted: Mon Jan 08, 2024 9:53 pm

Hu wrote:
Although systems are very customizable, Gentoo often suggests default values for many things. For example, my syslog-ng paths are probably the same as almost everyone else's, because I never felt the need to rename the log files. The Gentoo-specific fail2ban configurations could use the same values that Gentoo's reference configuration for syslog-ng suggests. Anyone who reuses the suggested paths from syslog-ng would then get a fail2ban that works with no further changes.

In theory, would a Gentoo-specific paths file include non-majority choices like metalog, courier (email), and so on?
pgu
l33t
Joined: 30 Jul 2009
Posts: 721
Location: Oslo, Norway

Posted: Wed Jan 10, 2024 4:51 am

figueroa wrote:
If there was a Gentoo specific paths file, what choices would it depend on?

As I mentioned earlier, it would at least be a different include file for openrc vs systemd. But other USE flag and package dependencies would also come into play, which might require something along the lines of an "emerge --ask --config fail2ban" type generation.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21644

Posted: Wed Jan 10, 2024 4:21 pm

Another option would be to ship a file with all the common options present as comments, and let the user uncomment the entries relevant to the system on which it is used.

figueroa: that depends on whether the maintainers are willing to carry the complexity of listing all those. If they are shipped in a way that does not disrupt systems where they are not useful, then I see no reason other than maintainer burden not to carry them.
pgu
l33t
Joined: 30 Jul 2009
Posts: 721
Location: Oslo, Norway

Posted: Thu Jan 11, 2024 7:10 pm

Did anybody get fail2ban running on Gentoo using version 1.2 (or later) on an openrc system? Did you just ditch the new config structure and use an old one, or did you change the new structure? In either case, are there any examples of how to do so? What adjustments were required to get the defaults to work for something like ssh?

Running it out of the box with no changes results in:

Code:
# /etc/init.d/fail2ban start
OK: configuration test is successful
 * Starting fail2ban ...
Server ready                                                  [ ok ]
# tail -5 /var/log/fail2ban.log
2024-01-11 19:58:10,365 fail2ban.server         [5703]: INFO    --------------------------------------------------
2024-01-11 19:58:10,366 fail2ban.server         [5703]: INFO    Starting Fail2ban v1.0.2
2024-01-11 19:58:10,366 fail2ban.server         [5703]: INFO    Daemon started
2024-01-11 19:58:10,368 fail2ban.observer       [5703]: INFO    Observer start...
2024-01-11 19:58:10,376 fail2ban.database       [5703]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
# fail2ban-client status
Status
|- Number of jail:      0
`- Jail list:
# fail2ban-client status sshd
2024-01-11 19:59:38,379 fail2ban                [5716]: ERROR   NOK: ('sshd',)
Sorry but the jail 'sshd' does not exist
# ls -l /etc/fail2ban/jail.d
ls: cannot access '/etc/fail2ban/jail.d': No such file or directory
figueroa
Advocate
Joined: 14 Aug 2005
Posts: 2963
Location: Edge of marsh USA

Posted: Thu Jan 11, 2024 9:30 pm

Yes. Gentoo with OpenRC and MetaLog. I made a copy of /etc/fail2ban/jail.conf as jail.local and made a fair number of changes. Mainly, you have to discern where your logging for failed attempts to access are put.
Code:
$ eix fail2ban
[I] net-analyzer/fail2ban
...
Installed versions:  1.0.2-r2
...
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:   0
|  |- Total failed:   0
|  `- File list:   /var/log/sshd/current
`- Actions
   |- Currently banned:   0
   |- Total banned:   0
   `- Banned IP list:

I don't currently get many hits. But when I do, the intruders are banned.

I also have fail2ban (pre 1.0.2) running on some remote desktops running Linux Mint and MX-Linux. Some of the addresses are busy:
Code:
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:   66
|  |- Total failed:   115410
|  `- File list:   /var/log/auth.log
`- Actions
   |- Currently banned:   87
   |- Total banned:   1042
   `- Banned IP list:   143.244.180.103 135.148.139.100 69.49.230.238 49.51.196.148 170.106.197.113 192.81.211.213 143.198.151.5 96.67.59.65 43.153.109.107 43.153.19.12 146.70.41.161 206.81.4.22 43.153.120.120 135.148.87.70 43.153.97.143 20.141.43.88 162.241.208.68 43.153.60.228 43.130.48.196 38.59.244.113 170.106.103.24 43.153.14.111 161.35.106.13 43.153.35.39 43.153.19.25 74.40.19.68 143.198.164.224 167.99.228.15 23.239.19.118 50.192.223.205 170.106.192.5 150.136.32.211 35.229.111.120 165.232.130.204 43.135.146.161 142.93.121.16 170.106.98.234 43.153.75.83 43.153.69.156 12.21.5.10 162.144.98.123 104.208.137.213 159.65.186.4 43.135.172.35 165.140.242.242 159.203.105.15 74.48.21.78 143.244.144.227 107.182.20.3 43.130.37.230 104.245.34.250 35.226.126.79 104.236.111.25 73.15.203.143 156.232.13.138 97.68.57.241 205.185.126.57 155.248.215.65 99.37.212.76 43.153.46.251 43.135.167.165 43.159.132.243 143.110.227.81 137.184.38.254 137.184.119.247 44.208.155.41 143.110.233.177 49.51.206.157 198.199.66.41 69.4.142.98 107.175.35.84 64.225.9.130 35.229.64.102 65.73.231.122 34.171.171.156 146.190.126.81 165.154.183.23 173.31.5.229 205.185.127.240 43.135.167.36 174.138.54.13 159.203.170.197 49.51.207.184 103.143.249.129 43.153.51.250 162.0.216.94 43.153.48.149

pgu
l33t
Joined: 30 Jul 2009
Posts: 721
Location: Oslo, Norway

Posted: Mon Jan 15, 2024 7:27 pm

I gave it a try to modify the include file and then enable sshd and it appears to be working. Here's "/etc/fail2ban/paths-gentoo-openrc-sysklogd.conf"
Code:
# gentoo

[INCLUDES]

before = paths-common.conf

after  = paths-overrides.local


[DEFAULT]

apache_error_log = /var/log/httpd/*error_log

apache_access_log = /var/log/httpd/*access_log

exim_main_log = /var/log/exim/main.log

mysql_log = /var/log/mariadb/mariadb.log
            /var/log/mysqld.log

roundcube_errors_log = /var/log/roundcubemail/errors

syslog_backend = auto
sshd_backend = auto
dropbear_backend = auto
proftpd_backend = auto
pureftpd_backend = auto
wuftpd_backend = auto
postfix_backend = auto
dovecot_backend = auto

Copied jail.conf to jail.local and changed

Code:
#before = paths-distro.conf
before = paths-gentoo-openrc-sysklogd.conf

and the JAIL sshd part:

Code:
#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
banaction = nftables-multiport

And now "fail2ban-client status sshd" will show:
Code:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     2492
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     400
   `- Banned IP list:   209.38.232.83 86.104.40.254

Disclaimer: this is the first time I've used fail2ban and I don't know if the above is correct. But it seems to work, as "nft list ruleset" lists the banned IPs as reject with icmp port-unreachable:

Code:
table inet f2b-table {
        set addr-set-sshd {
                type ipv4_addr
                elements = { 86.104.40.254, 209.38.232.83 }
        }

        chain f2b-chain {
                type filter hook input priority filter - 1; policy accept;
                tcp dport 22 ip saddr @addr-set-sshd reject with icmp port-unreachable
        }
}
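To see how the include chain in the post above gets from a generic jail to a concrete file, here is an added example (not fail2ban's or Gentoo's code) that emulates fail2ban's [INCLUDES] before/after resolution and %(name)s interpolation with Python's configparser. The file contents are constructed in memory, and the metalog-style paths-overrides.local pointing at /var/log/sshd/current is an assumption, not a file posted in the thread.

```python
import configparser

# Constructed stand-ins for files under /etc/fail2ban (not the real files).
FILES = {
    # upstream generic defaults: sshd_log falls back to the authpriv log
    "paths-common.conf": "[DEFAULT]\nsyslog_authpriv = /var/log/auth.log\n"
                         "sshd_log = %(syslog_authpriv)s\n",
    # pgu's trimmed distro file: backends only, log paths stay generic
    "paths-gentoo-openrc-sysklogd.conf": "[INCLUDES]\nbefore = paths-common.conf\n"
        "after = paths-overrides.local\n[DEFAULT]\nsshd_backend = auto\n",
    # assumed local override for a metalog layout (figueroa's /var/log/sshd/current)
    "paths-overrides.local": "[DEFAULT]\nsshd_log = /var/log/sshd/current\n",
    # jail.local with the 'before' line changed as in the thread
    "jail.local": "[INCLUDES]\nbefore = paths-gentoo-openrc-sysklogd.conf\n"
                  "[sshd]\nlogpath = %(sshd_log)s\nbackend = %(sshd_backend)s\n",
}


def load(name, files, cp=None):
    """Merge file `name` into cp. [INCLUDES] before= files are read first
    (lowest priority), after= files last (highest priority; skipped when
    absent, like the optional *.local files). Simplified emulation only."""
    cp = cp if cp is not None else configparser.ConfigParser()
    # A dummy default_section makes [DEFAULT] a plain section we can copy.
    raw = configparser.ConfigParser(interpolation=None, default_section="__none__")
    raw.read_string(files[name])
    inc = raw["INCLUDES"] if raw.has_section("INCLUDES") else {}
    for dep in inc.get("before", "").split():
        load(dep, files, cp)
    for sec in raw.sections():
        if sec == "INCLUDES":
            continue
        if sec != "DEFAULT" and not cp.has_section(sec):
            cp.add_section(sec)
        for key, val in raw.items(sec):
            cp.set(sec, key, val)  # later files override earlier ones
    for dep in inc.get("after", "").split():
        if dep in files:
            load(dep, files, cp)
    return cp


def jail_logpath(files, jail="sshd"):
    """Fully interpolated logpath the jail would end up watching."""
    return load("jail.local", files).get(jail, "logpath")


# Same tree without the override: sshd_log falls back through paths-common.
NO_OVERRIDE = {k: v for k, v in FILES.items() if k != "paths-overrides.local"}
```

With the override present the sshd jail resolves to /var/log/sshd/current; without it, sshd_log falls back through paths-common.conf to /var/log/auth.log, which is why the same generic jail.local only works when the paths file matches the system's logger.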
figueroa
Advocate
Joined: 14 Aug 2005
Posts: 2963
Location: Edge of marsh USA

Posted: Wed Jan 17, 2024 5:08 am

pgu -- good work. It looks like your fail2ban is now working. I think you may have created paths-pgo.conf, at least it wouldn't work for me using metalog and courier-imap and its components. Right or wrong, this is what my /var/log looks like:
Code:
$ ls /var/log
apache2/          fail2ban.log               rc.log
apctest.output    fail2ban.log-20231224.gz   rc.log-20231211.gz
apcupsd.events    fail2ban.log-20231231.gz   rc.log-20231219.gz
boot              fail2ban.log-20240107.gz   rc.log-20231231.gz
boot-20231211.gz  fail2ban.log-20240114.gz   rc.log-20240109.gz
boot-20231219.gz  kernel/                    sa/
boot-20231231.gz  lastlog                    sandbox/
boot-20240109.gz  lightdm/                   sshd/
clamav/           live-usb-maker.log         tallylog
critical/         live-usb-maker.progress    telnet/
cron/             mail/                      wtmp
cups/             metalog/                   wtmp-20230707.gz
dcc/              mx-live-usb-maker.log      Xorg.0.log
dmesg             mx-live-usb-maker.log.old  Xorg.0.log.old
emerge-fetch.log  partimage/                 Xorg.1.log
emerge.log        portage/                   Xorg.1.log.old
everything/       pwdfail/

pgu
l33t
Joined: 30 Jul 2009
Posts: 721
Location: Oslo, Norway

Posted: Thu Jan 18, 2024 6:57 am

I'm not using apache, exim and mysql so I removed the paths from paths-gentoo-openrc-sysklogd.conf and it's still working fine with sshd:

Code:
# gentoo

[INCLUDES]

before = paths-common.conf

after  = paths-overrides.local


[DEFAULT]

# These services will log to the journal via syslog, so use the journal by
# default.

syslog_backend = auto
sshd_backend = auto
dropbear_backend = auto
proftpd_backend = auto
pureftpd_backend = auto
wuftpd_backend = auto
postfix_backend = auto
dovecot_backend = auto

However, I get some warnings in the log which seem to be related to DNS:

Code:
2024-01-18 06:02:37,483 fail2ban.filter         [30074]: INFO    [sshd] Found 222.186.16.201 - 2024-01-18 06:02:33
2024-01-18 07:46:19,924 fail2ban.ipdns          [30074]: WARNING Unable to find a corresponding IP address for #: [Errno -2] Name or service not known
2024-01-18 07:46:21,981 fail2ban.ipdns          [30074]: WARNING Unable to find a corresponding IP address for -: [Errno -2] Name or service not known
2024-01-18 07:46:21,982 fail2ban.filter         [30074]: INFO    [sshd] Found 64.62.197.95 - 2024-01-18 07:46:19