Fail2ban: Upgrade to fail2ban-0.10 #5943

Closed
stephdl opened this issue Nov 21, 2019 · 18 comments
@stephdl stephdl commented Nov 21, 2019

Fail2ban proposes a new major version in epel-testing (version 0.10); this version is the current stable version of fail2ban with major improvements.

Proposed solution

The NFR will make available the new version of fail2ban with a switch to shorewall-ipset for the jail manager

Thanks for the ideas, code and support @gsanchietti @filippocarletti

@stephdl stephdl self-assigned this Nov 21, 2019
@stephdl stephdl mentioned this issue Nov 21, 2019
stephdl added a commit to NethServer/nethserver-fail2ban that referenced this issue Nov 21, 2019
Upgrade to Fail2ban0.10  NethServer/dev#5943
@nethbot nethbot commented Nov 21, 2019

in 7.7.1908/testing:

gsanchietti added a commit to NethServer/nethserver-firewall-base that referenced this issue Nov 21, 2019
Both templates are used by fail2ban 0.10

NethServer/dev#5943
@nethbot nethbot commented Nov 21, 2019

in 7.7.1908/testing:

@DavidePrincipi DavidePrincipi added this to ⚙ Developing in NethServer 7 Nov 21, 2019
@nethbot nethbot commented Nov 21, 2019

in 7.7.1908/testing:

@stephdl stephdl commented Nov 22, 2019

QA

  1. fresh install
    after the install fail2ban is up
  • you must find iptables rules f2b-x for each jail (iptables -L)
  • you can check if the ipset sets are up; after a while you must check that some IPs could be inside (ipset -L)
  • ban yourself, check you go to jail, do it several times, you must go to recidive
  • unban yourself with (fail2ban-unban 1.2.3.4)
  • check fail2ban-listban lists all jails and banned IPs
  • each night at 11h45 a cron updates the statistics; you could simulate it by launching the command line /usr/libexec/nethserver/fail2ban-statistics
  • you must validate that each jail is workable, reading https://github.com/NethServer/nethserver-fail2ban/blob/master/lib/perl/NethServer/Fail2Ban.pm; you have to create a fake log and if needed enable a status property to demonstrate the jail has been well started by fail2ban (afterwards, for each jail, expand and restart by signal-event nethserver-fail2ban-save)
  • install an rpm like sogo or webtop; the relevant jails must be started after the installation, check that the event firewall-base-save triggers the expand of /etc/fail2ban/jail.local and restarts the service.
  2. upgrade
    check the whole things above and, after the installation, the shorewall show dynamic must have nothing more in jails
@stephdl stephdl added the testing label Nov 22, 2019
@stephdl stephdl removed their assignment Nov 22, 2019
@stephdl stephdl removed the testing label Nov 22, 2019
@stephdl stephdl commented Nov 22, 2019

Please @gsanchietti, could you review the QA?

@gsanchietti gsanchietti commented Nov 25, 2019

The QA description is very good, we're already testing the package!

@gsanchietti gsanchietti added the testing label Nov 25, 2019
@gsanchietti gsanchietti commented Nov 25, 2019

Test case 2: FAILED

After the upgrade, the previous shorewall blacklist is still in place.
To workaround the problem:

iptables -F dynamic
shorewall save
@gsanchietti gsanchietti removed the testing label Nov 25, 2019
@stephdl stephdl commented Nov 25, 2019

Do you think we need to make an action to clean it?

@gsanchietti gsanchietti commented Nov 26, 2019

Test case 1: FAILED

Even if automatic activation of jails seems working as expected, I've found some other issues.

  • If fail2ban is not enabled, all ipsets and blocking rules should be disabled.
    When fail2ban is not running, both /etc/e-smith/templates/etc/shorewall/blrules/20fail2ban and /etc/e-smith/templates/etc/shorewall/initdone/20fail2ban should return no output.

  • UI: fail2ban can be enabled/disabled from 2 different pages: Jails and Settings. The enabled/disabled switch should be present only inside the Settings page

  • The BanTime property is not honored: all ipset are created with a BanTime of 600 (it's fixed in blrules template)

  • On BanTime change, the property is not changed on existing ipsets

  • If Recidive_Perpetual is enabled, the IPs are removed from recidive, from the log:

    2019-11-26 17:53:45,501 fail2ban.actions        [2529]: NOTICE  [sshd] Ban 192.168.5.3
    2019-11-26 17:53:45,697 fail2ban.filter         [2529]: INFO    [recidive] Found 192.168.5.3 - 2019-11-26 17:53:45
    2019-11-26 17:53:45,701 fail2ban.actions        [2529]: NOTICE  [recidive] Ban 192.168.5.3
    2019-11-26 17:53:47,712 fail2ban.actions        [2529]: NOTICE  [recidive] Unban 192.168.5.3
    
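As an added example, not code from this thread or from nethserver-fail2ban: a small Python check that parses fail2ban log lines like the excerpt above and flags IPs released from a jail sooner than the ban time that jail is supposed to enforce, which is how the recidive regression above shows up. The sample log, the jail names and the expected ban times are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the log excerpt posted in the issue.
SAMPLE_LOG = """\
2019-11-26 17:53:45,501 fail2ban.actions        [2529]: NOTICE  [sshd] Ban 192.168.5.3
2019-11-26 17:53:45,697 fail2ban.filter         [2529]: INFO    [recidive] Found 192.168.5.3 - 2019-11-26 17:53:45
2019-11-26 17:53:45,701 fail2ban.actions        [2529]: NOTICE  [recidive] Ban 192.168.5.3
2019-11-26 17:53:47,712 fail2ban.actions        [2529]: NOTICE  [recidive] Unban 192.168.5.3
2019-11-26 18:03:45,900 fail2ban.actions        [2529]: NOTICE  [sshd] Unban 192.168.5.3
"""

# Matches only Ban/Unban action lines; "Found" lines from the filter are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.(?P<module>\w+)\s+\[\d+\]: (?P<level>\w+)\s+"
    r"\[(?P<jail>[\w-]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)"
)


def parse_actions(text):
    """Yield (timestamp, jail, action, ip) for every Ban/Unban line in the log."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["jail"], m["action"], m["ip"]


def premature_unbans(text, jail, expected_bantime):
    """Return [(ip, seconds_held)] for IPs unbanned from `jail` before expected_bantime seconds.

    A recidive jail configured as perpetual (or with a multi-day ban time)
    should never produce an entry here; the two-second gap in the sample does.
    """
    banned_at = {}
    findings = []
    for ts, j, action, ip in parse_actions(text):
        if j != jail:
            continue
        if action == "Ban":
            banned_at[ip] = ts
        elif action == "Unban" and ip in banned_at:
            held = (ts - banned_at.pop(ip)).total_seconds()
            if held < expected_bantime:
                findings.append((ip, held))
    return findings
```

Running it against /var/log/fail2ban.log with the jail's real bantime gives a quick regression check after changing the ipset templates.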
gsanchietti added a commit to NethServer/nethserver-fail2ban that referenced this issue Nov 27, 2019
@nethbot nethbot commented Nov 27, 2019

in 7.7.1908/testing:

gsanchietti added a commit to NethServer/nethserver-firewall-base that referenced this issue Nov 27, 2019
@nethbot nethbot commented Nov 27, 2019

in 7.7.1908/testing:

gsanchietti added a commit to NethServer/nethserver-fail2ban that referenced this issue Nov 27, 2019
Multiple fixes for Fail2Ban 0.10

NethServer/dev#5943
@nethbot nethbot commented Nov 27, 2019

in 7.7.1908/testing:

stephdl added a commit to NethServer/nethserver-fail2ban that referenced this issue Nov 27, 2019
Fix recidive perpetual with ipset NethServer/dev#5943
@nethbot nethbot commented Nov 27, 2019

in 7.7.1908/testing:

@gsanchietti gsanchietti commented Nov 27, 2019

All fixes are working correctly so far.

stephdl added a commit to NethServer/nethserver-fail2ban that referenced this issue Nov 28, 2019
UI: remove double enable/disable button, improve ban list page NethServer/dev#5943
@nethbot nethbot commented Nov 28, 2019

in 7.7.1908/testing:

@gsanchietti gsanchietti commented Nov 28, 2019

Back to testing; even if all fixes have been tested, I would like more feedback from the community.

@nethbot nethbot commented Dec 2, 2019

in 7.7.1908/updates:

@nethbot nethbot commented Dec 2, 2019

in 7.7.1908/updates:

@gsanchietti gsanchietti closed this Dec 2, 2019
NethServer 7 automation moved this from ⚙ Developing to 🗑 Done Dec 2, 2019
stephdl added a commit to NethServer/nethserver-fail2ban that referenced this issue Dec 2, 2019
Fail2ban-unban is a wrapper to unban NethServer/dev#5943