[solved] Fail2ban banaction, here: iptables rules
Posted: 28.12.2023 15:21:43
Hello everyone,
I run my own mail infrastructure and now want to secure it additionally with fail2ban. To start with, I want to do that locally with iptables rules on the server where the mail services run. Later I also want to block the public IP on the central router via iptables rules; for that I use a PHP script that writes the public IP into a MariaDB database. Unfortunately, the iptables rule set on the local Debian server where the mail services run does not work. I get the following error messages in the log file. I received the following information about the failed login attempts by mail.
I am attaching my relevant configuration.
And here are my iptables rules.
I would be very glad if you could help me.
Code:
root@dsme01:~# tail -f /var/log/fail2ban.log | grep ERROR
2023-12-28 14:02:15,044 fail2ban.utils [1491660]: ERROR 7f24e8cd9030 -- exec: iptables -w -N f2b-postfix-sasl
2023-12-28 14:02:15,044 fail2ban.utils [1491660]: ERROR 7f24e8cd9030 -- stderr: 'iptables: Chain already exists.'
2023-12-28 14:02:15,044 fail2ban.utils [1491660]: ERROR 7f24e8cd9030 -- stderr: 'iptables: No chain/target/match by that name.'
2023-12-28 14:02:15,044 fail2ban.utils [1491660]: ERROR 7f24e8cd9030 -- returned 1
2023-12-28 14:02:15,044 fail2ban.actions [1491660]: ERROR Failed to execute ban jail 'postfix-sasl' action 'iptables-multiport' info 'ActionInfo({'ip': '89.148.214.11', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f24eb2bfca0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f24eb2c03a0>})': Error starting action Jail('postfix-sasl')/iptables-multiport: 'Script error'
Code:
Hi,
The IP 89.148.214.11 has just been banned by Fail2Ban after
3 attempts against postfix-sasl.
Here is more information about 89.148.214.11 :
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://apps.db.ripe.net/docs/HTML-Terms-And-Conditions
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '89.148.212.0 - 89.148.219.255'
% Abuse contact for '89.148.212.0 - 89.148.219.255' is 'abuse@mtu.ru'
inetnum: 89.148.212.0 - 89.148.219.255
netname: CCL-HOME13
descr: Single users interfaces
geoloc: 58.010374 56.229398
country: RU
admin-c: NA2029-RIPE
tech-c: NA2029-RIPE
status: ASSIGNED PA
mnt-by: UTC-MNT
mnt-by: RU-CCL-MNT
mnt-domains: MR-URAL-MTS-MNT-FIX
created: 2015-09-07T07:23:33Z
last-modified: 2019-07-19T14:31:45Z
source: RIPE
role: Network Administrator
address: First Perm Internet Centre
address: 47b, Sovetckaya street
address: 614045 Perm
address: Russia
phone: +7 342 2206415
phone: +7 342 2120258
fax-no: +7 342 2108066
org: ORG-FN5-RIPE
admin-c: KSN42-RIPE
tech-c: KSN42-RIPE
nic-hdl: NA2029-RIPE
abuse-mailbox: abuse@mtu.ru
mnt-by: RU-CCL-MNT
created: 2007-04-12T06:07:01Z
last-modified: 2019-04-17T08:52:52Z
source: RIPE # Filtered
% Information related to '89.148.192.0/18AS15640'
route: 89.148.192.0/18
descr: DELEGATED BLOCK
origin: AS15640
mnt-by: RU-CCL-MNT
created: 2006-02-16T12:59:13Z
last-modified: 2006-02-16T12:59:13Z
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.109.1 (DEXTER)
Lines containing failures of 89.148.214.11 (max 1000)
Dec 28 07:24:15 dsme01 postfix/smtpd[1190756]: warning: hostname homeuser214-11.ccl.perm.ru does not resolve to address 89.148.214.11: Name or service not known
Dec 28 07:24:15 dsme01 postfix/smtpd[1190756]: connect from unknown[89.148.214.11]
Dec 28 07:24:17 dsme01 postfix/smtpd[1190756]: warning: unknown[89.148.214.11]: SASL CRAM-MD5 authentication failed: generic failure
Dec 28 07:24:17 dsme01 postfix/smtpd[1190756]: warning: unknown[89.148.214.11]: SASL PLAIN authentication failed: generic failure
Dec 28 07:24:18 dsme01 postfix/smtpd[1190756]: warning: unknown[89.148.214.11]: SASL LOGIN authentication failed: generic failure
Dec 28 07:24:18 dsme01 postfix/smtpd[1190756]: disconnect from unknown[89.148.214.11] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7
Regards,
Fail2Ban
Code:
root@dsme01:~# cat /etc/fail2ban/jail.local
[INCLUDES]
before = paths-debian.conf
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/16 185.26.156.77
ignorecommand =
bantime = 24h
findtime = 10m
maxretry = 3
maxmatches = %(maxretry)s
backend = auto
usedns = warn
logencoding = auto
enabled = false
mode = normal
filter = %(__name__)s[mode=%(mode)s]
destemail = stefan.harbich@example.com
sender = fail2ban@example.com
mta = mail
protocol = tcp
chain = input
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(action_)s
        %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(action_)s
        %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
action_xarf = %(action_)s
        xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
        %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
action_blocklist_de = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
action_abuseipdb = abuseipdb
action = %(action_mwl)s
[postfix-sasl]
enabled = true
filter = postfix[mode=auth]
maxretry = 2
bantime = 24h
findtime = 10m
port = 25,465,993
logpath = %(postfix_log)s
backend = %(postfix_backend)s
Code:
root@dsme01:~# cat /etc/fail2ban/action.d/iptables-multiport.conf
[INCLUDES]
before = iptables-common.conf
[Definition]
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype> |/etc/fail2ban/fail2ban-central/fail2ban.php <name> <protocol> <port> <ip>
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
[Init]
Code:
root@dsme01:~# cat /etc/fail2ban/fail2ban-central/fail2ban.php
#!/usr/bin/php
<?php
//REQUIREMENTS:
//sudo apt-get install php7.0 php-mysql
//MANUAL COMMANDS:
//
//UNBAN: sudo fail2ban-client set domoticz unbanip Ban 5.90.201.166
/*
Open the "jail.local" file and find the "banaction" used by the rule
It's necessary to add the following line to the "banaction" rule used.
php /home/domoticz/fail2ban-central/fail2ban.php <name> <protocol> <port> <ip>
EXAMPLE: if you use "iptables-multiport.conf" replace:
---------------------------------------------------------
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
---------------------------------------------------------
with:
---------------------------------------------------------
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
php /home/domoticz/fail2ban-central/fail2ban.php <name> <protocol> <port> <ip>
---------------------------------------------------------
*/
require_once((dirname(__FILE__))."/config.php");
$name = $_SERVER["argv"][1];
$protocol = $_SERVER["argv"][2];
$port = $_SERVER["argv"][3];
if (!preg_match('/^\d{1,5}$/', $port))
    $port = getservbyname($_SERVER["argv"][3], $protocol);
$ip = $_SERVER["argv"][4];
$hostname = gethostname();
$query = "INSERT INTO `".$tablename."`(`hostname`, `created`, `name`, `protocol`, `port`, `ip`) VALUES ('".addslashes($hostname)."',NOW(),'".addslashes($name)."','".addslashes($protocol)."','".addslashes($port)."','".addslashes($ip)."')";
if (mysqli_query($link, $query)) {
    echo "Ip to BAN added to DATABASE";
} else {
    echo "Error: " . $query . "<br>" . mysqli_error($link);
}
mysqli_close($link);
exit;
?>
Code:
root@dsme01:~# cat /etc/fail2ban/fail2ban-central/config.php
#!/usr/bin/php
<?php
////////////////////////////////
// DEFAULT CONFIGURATION FILE //
// -------------------------- //
//     CHANGE PARAMETERS      //
//      AND SAVE IT AS:       //
//        "config.php"        //
////////////////////////////////
// jail to be used
$jail = "fail2ban-central";
// you can use one of your jail or create a specific one
// file to keep the last ban
$lastbanfile="/etc/fail2ban/lastban";
// database configuration, use only one central mysql server
$dbserver="localhost";
$dbuser="fail2ban";
$dbpass="fail2ban";
$dbname="fail2ban";
$tablename="fail2ban";
// connect to database
$link = mysqli_connect($dbserver, $dbuser, $dbpass, $dbname);
if (!$link) {
    echo "Error: Unable to connect to MySQL." . PHP_EOL;
    echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL;
    echo "Debugging error: " . mysqli_connect_error() . PHP_EOL;
    exit;
}
?>
Code:
root@dsme01:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.30.32.6 tcp dpt:http
ACCEPT tcp -- anywhere 172.30.33.2 tcp dpt:9099
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-postfix-sasl (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
Regards, Stefan Harbich
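As an added example (not from the post and not fail2ban's own code), the following POSIX shell check renders the stock iptables-multiport actionstart with this jail's values and verifies that the chain it inserts into exists exactly as spelled: iptables chain names are case-sensitive, the built-in chain is INPUT, and the jail.local above sets chain = input, which fits the "No chain/target/match by that name" error and the "0 references" on f2b-postfix-sasl in the listing. SAMPLE_RULES is a constructed stand-in for the output of iptables -w -S; on a real host replace it with that command's output.

```shell
#!/bin/sh
# Added check (not from the post or from fail2ban): render the stock
# iptables-multiport actionstart with a jail's values and verify that the
# chain it inserts into exists exactly as spelled. iptables chain names are
# case-sensitive: the built-in chain is INPUT, and "-I input ..." fails with
# "No chain/target/match by that name".

# Constructed stand-in for `iptables -w -S` output (sample data modelled on
# the listing in the post; on a real host use: SAMPLE_RULES=$(iptables -w -S)).
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER-USER
-N f2b-postfix-sasl
-A f2b-postfix-sasl -j RETURN'

# render_actionstart NAME CHAIN PROTOCOL PORTS
# Prints the three commands fail2ban runs for the jail at start.
render_actionstart() {
  printf 'iptables -w -N f2b-%s\n' "$1"
  printf 'iptables -w -A f2b-%s -j RETURN\n' "$1"
  printf 'iptables -w -I %s -p %s -m multiport --dports %s -j f2b-%s\n' \
    "$2" "$3" "$4" "$1"
}

# chain_exists CHAIN RULES: true if CHAIN is declared (-P built-in or -N user chain).
chain_exists() {
  printf '%s\n' "$2" | grep -q -E "^-(P|N) $1( |\$)"
}

# check_jail_chain CHAIN RULES: diagnose the <chain> the jail inserts into.
# Returns 0 when it exists, 1 otherwise (with a hint when only the case differs).
check_jail_chain() {
  if chain_exists "$1" "$2"; then
    echo "ok: chain '$1' exists"
    return 0
  fi
  upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  if chain_exists "$upper" "$2"; then
    echo "error: no chain '$1'; chain names are case-sensitive, use '$upper'"
  else
    echo "error: no chain '$1' in the filter table"
  fi
  return 1
}

# Stand-alone run with the values from the post's jail.local and listing.
render_actionstart postfix-sasl input tcp 25,465,993
check_jail_chain input "$SAMPLE_RULES" || echo "actionstart would fail at the -I step"
```

The five RETURN rules in the f2b-postfix-sasl chain of the listing are consistent with actionstart being re-run on every fail2ban restart: -N fails because the chain already exists, -A appends one more RETURN, and the -I step into the misspelled chain fails again.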