-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Asterisk / UDP / Connection Tracking / Priority of default rules #2503
Comments
Do I correct understand the action used here is some of @fail2ban/contributors, @fail2ban/maintainers Any idea what we can do here?
Hmm... why this should be an issue? If I correct understand this rule causes accept for ESTABLISHED connections only. So the new connection for banned IPs were not affected by this rule.
Connection tracking per default? o..O |
On Fedora standard installation, firewalld is installed. However not all rules are visible with firewall-cmd, some need to be modified with iptables. As I prefer firewalld, I have deleted the breaking iptables rule (you cited the correct one in your question) and I have readded it with a higher priority with firewall-cmd. I think you can not set priorities with iptables but you can with firewall-cmd but I might be mistaken. Anyway, these might be details. |
I think fail2ban will correctly block new TCP connections trying to connect to your asterisk server but for UDP, my impression is that the tcp/ip stack can not track the connection state with certainity as udp seems to lack that information. as a workaround, it will look at source ip, maybe delay and port number in order to decide between NEW or ESTABLISHED. and the password hammering will always be considered as ESTABLISHED and therefore is always allowed and therefore that rule will absolutely need a higher priority nubmer so it is executed after the fail2ban blocking rule. |
Sorry, I should have posted my jail.local [DEFAULT] [sshd] [asterisk] |
You don't need it... because one can use insert instead of append, so able to insert a rule at any position.
If you don't have some other "bothering" rules as priority 0. Thus I will say it is broken per design, so I don't know what we can do here. If you have other idea (about how it would be resolvable within firewalld-actions) - welcome with PR with that stuff. I don't think that using conntrack as in your workaround is good at all (keyword performance), as well as don't see how it would be applicable as some regular solution for the actions (but to be honest I'm not so familiar with firewalld). |
My workaround is removing the offending rules andn reinserting them at a highder priority. I assume the same problem applies to various linux distributions. Maybe someone should open a bug with those distributions and ask them to have the default rules at a higher priority number so that fail2ban can override them. Otherwise I still think fail2ban should be responsibe for inserting its rules at the correct priority even if that means removing already existing rules and reinserting them at a higher priority. How to best achive this - you are more qualified to figure this out than I am. |
As already said, I don't see any "correct" possibility to achieve that... as long as the "default" firewald rule set does not really intend to arrange some enhancements ahead default rules (and how it looks it does not at the moment). If you still want to use
We don't do that. The question is pretty simple: why you are thinking fail2ban is responsible for a "disaster" basically introduced by some explicit allowing rules, that are placed as prio-0 per default (before any other rules)?... I can reopen the issue if it is your intention, but don't think it changes something as long as some default allowing rules are conflicting with the blocking rules, that were properly added by fail2ban on place, where it is only possible (per default). |
thanks, lets see what happens |
Isn't this a duplicate of #1609 ? |
#1609 refers to TCP traffic where f2b doesn't terminate existing connections. As far as I can tell, the OP is referring to UDP traffic. That said, #1609 remains a problem. Sendmail is a particular issue -- it does not automatically terminate connections after failures the way, e.g., sshd does. A spammer can sit and try numerous bad passwords, or bad recipients, or whatever, and even though f2b will ban them through sendmail-reject or some other rule (I've got one for saslauthd failures), it won't actually terminate the connection, and f2b will then complain that " is already banned" when it tries to ban them over and over. I tried to implement the "tcpcut" script given by a contributor to that thread, but it seems to do nothing. I think 1609 might need to be reopened, as well -- while technically it's a 3rd-party issue, the 3rd-party software is behaving "as intended," so I think the termination of the TCP (or UDP, in the case of this thread) will have to be implemented within f2b. (And, really, it would seem like this fits in f2b's charter... there's not much effectiveness in blocking traffic if existing traffic from offenders isn't also terminated.) |
It's the same cause. Firewalld's default ruleset has an early "accept existing connections". This affects both TCP and UDP. Firewalld has two backends; iptables and nftables. In the iptables backend the generic "accept existing connections" occurs before rules addded via |
Thus closed:
|
Just to note, I use iptables, not firewalld, and I have the same problem noted in #1609. (I don't know if I have the same problem as in THIS thread since I'm not working with UDP packets.) I'll open a comment there, although that thread is closed... |
Basically answered in #1609 (comment) As already said it is not directly the same problem - if your firewalld (or rather some prerouting rules created by it) are active, you have quasi a white-listing for established connections. Simplest solution would be to eliminate the conflict, despite I don't understand at all which advantages such prerouting using connection tracking (conntrack, Karl!) may provide. |
Fedora 30, 64bit
Fail2Ban v0.10.4, installed with dnf, no customizations
There is a general problem with fail2ban. There are iptables rules set by the linux distributions or iptables by default that are interfering with fail2ban. The internet is full of complaints that banning UDP with fail2ban does not work (especially in conjunction with the asterisk jail). I was able to verify these complaints. However I could not find a solution for that although I was spending a lot of time googleing it.
On a fresh fedora 30 installation with firewalld enabled, iptables -S will show me
So the rule that is breaking the proper functionality of fail2ban is this one:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
The reason is that all fail2ban rules are added with the same priority of 0. As they are added later, they will in fact be executed after the ACCEPT rule from above. This will result in confusing error messages (XXX is already banned), at least for UDP where connection tracking seems to work differently than for TCP.
I fixed this problem by putting into /etc/rc.d/rc.local:
However I am not sure if I should add FORWARD rules as well and wheter I should use --permanent. I am also not sure if fail2ban should fix this or wheter it is an issue of the linux distribution. I am not even sure wheter this problem exists with other distributions. I am also unsure why I have to use a mixture of iptables and firewall-cmd to fix this.
The question now is: Should fail2ban dected this/such rules and change priorities so that block rules are executed first?
The text was updated successfully, but these errors were encountered: