
Fail2ban and Firewalld

The initial goal is to ban brute-force attempts against the WordPress login.

Unfortunately, installing the fail2ban and fail2ban-firewalld packages does not work out of the box; some adaptations are needed.

Install

yum install fail2ban fail2ban-firewalld
fail2ban-0.11.2-1.el8.noarch
fail2ban-firewalld-0.11.2-1.el8.noarch

Configuration

The default rules had to be adapted, notably the firewalld actions.

[root@wmu fail2ban]# cat /etc/fail2ban/jail.d/00-firewalld.conf
# This file is part of the fail2ban-firewalld package to configure the use of
# the firewalld actions as the default actions.  You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld
[DEFAULT]
banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]

This works together with /etc/fail2ban/action.d/firewallcmd-rich-rules.conf, which itself remains unchanged.

wordpress jail

All the commented-out lines are the various attempts (and failures) with the default values suggested on several sites …

[root@wmu ~]# cat /etc/fail2ban/jail.d/wordpress.conf 
# https://www.dogsbody.com/blog/how-to-set-up-fail2ban-for-a-wordpress-site/
[wordpress]
enabled = true
#banaction = iptables-multiport
#banaction = firewallcmd-new
#banaction = firewallcmd-ipset
#banaction = firewallcmd-rich-rules
port = http,https
filter = wordpress
#action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
#action =  %(action_mwl)s
logpath = /var/log/httpd/ssl_access_log
maxretry = 3
findtime = 120
bantime = 120

Associated filter

[root@wmu ~]# cat /etc/fail2ban/filter.d/wordpress.conf 
[Definition]
failregex = ^<HOST> .* "POST .*wp-login.php
            ^<HOST> .* "POST .*xmlrpc.php
ignoreregex =
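To see what this filter and the jail parameters above (maxretry = 3, findtime = 120, bantime = 120) actually do before pointing fail2ban at the live log, here is an added example that replays the two failregex lines over a few constructed Apache access_log lines and applies the findtime/maxretry/bantime logic. It is not code from the page or from the fail2ban project: the `<HOST>` expansion is simplified to a non-space run (fail2ban's real one handles IPv6 and hostnames), the unban check runs as log time advances rather than on fail2ban's timer, and the sample log lines and IP addresses are constructed from documentation ranges.

```python
import re
from datetime import datetime, timedelta

# The two failregex lines from filter.d/wordpress.conf, verbatim.
PAGE_FAILREGEX = [
    r'^<HOST> .* "POST .*wp-login.php',
    r'^<HOST> .* "POST .*xmlrpc.php',
]
# fail2ban expands <HOST> into an elaborate IP/hostname capture; a non-space run
# is a simplified stand-in (assumption of this example) that is enough for
# Apache access_log lines.
HOST_GROUP = r"(?P<host>\S+)"
FAILREGEX = [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in PAGE_FAILREGEX]
# Apache common/combined timestamp, e.g. [26/Jun/2022:20:31:12 +0200]
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Constructed access_log sample (documentation IP ranges, not real attackers).
SAMPLE_LOG = """\
198.51.100.9 - - [26/Jun/2022:20:31:10 +0200] "GET /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jun/2022:20:31:12 +0200] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jun/2022:20:31:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jun/2022:20:31:14 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.28"
198.51.100.9 - - [26/Jun/2022:20:31:40 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Jun/2022:20:35:00 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Jun/2022:20:38:00 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def match_line(line):
    """(host, timestamp) when one of the failregex matches the line, else (None, None)."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            ts = TIMESTAMP.search(line).group(1)
            return m.group("host"), datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return None, None


def simulate_jail(log_text, maxretry=3, findtime=120, bantime=120):
    """Replay the jail logic over log text: a host is banned once it has
    `maxretry` matches within `findtime` seconds and unbanned `bantime`
    seconds later. Returns (timestamp, "Found"|"Ban"|"Unban", host) events."""
    events, recent, banned = [], {}, {}
    for line in log_text.splitlines():
        host, ts = match_line(line)
        if host is None:
            continue
        # fail2ban unbans on a timer; here expiry is checked as log time advances.
        for h, until in list(banned.items()):
            if ts >= until:
                events.append((ts, "Unban", h))
                del banned[h]
        if host in banned:
            continue  # rejected at the firewall, so no new log lines in practice
        events.append((ts, "Found", host))
        window = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        if len(window) >= maxretry:
            banned[host] = ts + timedelta(seconds=bantime)
            recent[host] = []
            events.append((ts, "Ban", host))
        else:
            recent[host] = window
    return events


def banned_hosts(log_text, **jail):
    """Hosts that were banned at some point during the replay."""
    return sorted({h for _, ev, h in simulate_jail(log_text, **jail) if ev == "Ban"})


if __name__ == "__main__":
    for ts, ev, host in simulate_jail(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} [wordpress] {ev} {host}")
```

With the sample above, 203.0.113.7 is banned on its third POST within 120 s and unbanned 120 s later, while 198.51.100.9 is "Found" three times but never banned because its POSTs are more than findtime apart. On the real host, `fail2ban-regex /var/log/httpd/ssl_access_log /etc/fail2ban/filter.d/wordpress.conf` runs the same filter against the live log. Note the caveat the replay makes visible: the regex counts every POST to wp-login.php, including the 302 responses of successful logins, so a legitimate user who logs in three times within findtime is banned too; requiring a 200 status in the regex would restrict matches to re-rendered (failed) login forms.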

Port separator

A multiport interpretation error also has to be corrected by using the "-" separator instead of ":" (firewalld rich rules write port ranges as lo-hi, whereas iptables uses lo:hi), cf. references [2].

1) in jail.local

[root@wmu fail2ban]# vim /etc/fail2ban/jail.local 

# Ports to be banned
# Usually should be overridden in a particular jail
##port = 0:65535
#https://bugzilla.redhat.com/show_bug.cgi?id=1823746 JP
port = 0-65535

2) but also in firewallcmd-common.conf

[root@wmu fail2ban]# vim /etc/fail2ban/action.d/firewallcmd-common.conf

# JP comment : to  - 
#port = 1:65535
port = 1-65535
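To check what a given `port` value turns into before reloading fail2ban, here is an added example (not code from the page or from fail2ban) that mirrors the actionban template of firewallcmd-rich-rules.conf as it appears in the `fail2ban-client -d` dump further down: ":" is rewritten to "-" (the sed step), the value is split on commas (the tr step), and one rich rule is built per item. The `check_port_item` validator is an approximation of firewalld's own port checks written for this example, not firewalld's code; the IP address is the one from the page's log.

```python
import re

# Mirrors the actionban of firewallcmd-rich-rules.conf as dumped by fail2ban-client -d:
#   ports="$(echo '<port>' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do
#     firewall-cmd --add-rich-rule="rule family='<family>' source address='<ip>' \
#       port port='$p' protocol='tcp' reject type='<rejecttype>'"; done

# service name, single port, or numeric range written lo-hi
PORT_ITEM = re.compile(r"^(?:[A-Za-z][\w-]*|\d+(?:-\d+)?)$")


def expand_ports(port_spec):
    """The sed + tr steps: ':' -> '-' and split on commas/spaces into port items."""
    return port_spec.replace(":", "-").replace(",", " ").split()


def check_port_item(item):
    """True if the item is something a firewalld rich rule accepts: a service name,
    a port number, or an ascending numeric range lo-hi (lo:hi is rejected).
    Approximation of firewalld's validation, written for this example."""
    if not PORT_ITEM.match(item):
        return False
    if item[0].isdigit():
        bounds = [int(b) for b in item.split("-")]
        if any(b > 65535 for b in bounds):
            return False
        if len(bounds) == 2 and bounds[0] >= bounds[1]:
            return False
    return True


def rich_rules(ip, port_spec, family="ipv4", rejecttype="icmp-port-unreachable"):
    """Rich rules the action would add for a banned IP, one per port item."""
    rules = []
    for p in expand_ports(port_spec):
        if not check_port_item(p):
            raise ValueError(f"port item {p!r} is not valid for a firewalld rich rule")
        rules.append(
            f"rule family='{family}' source address='{ip}' "
            f"port port='{p}' protocol='tcp' reject type='{rejecttype}'"
        )
    return rules


if __name__ == "__main__":
    # jail port "http,https" gives two rules; the jail.local default gives one range rule
    for spec in ("http,https", "0:65535"):
        for rule in rich_rules("139.59.109.241", spec):
            print(rule)
```

`firewall-cmd --list-rich-rules` prints the same rules with double quotes, which is why the listing later on the page reads `port port="https"` rather than `port port='https'`.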

Operational result

When it works, the fail2ban log shows the "Found" match of our rule, followed by a Ban once maxretry is reached:

[root@wmu fail2ban]# tail -f /var/log/fail2ban.log 
2022-06-26 20:30:46,881 fail2ban.actions        [503794]: NOTICE  [wordpress] Ban 139.59.109.241
2022-06-26 20:31:12,698 fail2ban.filter         [503794]: INFO    [wordpress] Found 34.68.4.41 - 2022-06-26 20:31:12
2022-06-26 20:31:13,300 fail2ban.filter         [503794]: INFO    [wordpress] Found 34.68.4.41 - 2022-06-26 20:31:13
2022-06-26 20:31:13,451 fail2ban.actions        [503794]: NOTICE  [wordpress] Ban 34.68.4.41
2022-06-26 20:31:31,007 fail2ban.actions        [503794]: NOTICE  [wordpress] Unban 188.164.193.182
2022-06-26 20:31:33,333 fail2ban.filter         [503794]: INFO    [wordpress] Found 159.89.132.193 - 2022-06-26 20:31:32
2022-06-26 20:31:33,338 fail2ban.actions        [503794]: NOTICE  [wordpress] Unban 206.81.3.84
2022-06-26 20:31:34,138 fail2ban.filter         [503794]: INFO    [wordpress] Found 159.89.132.193 - 2022-06-26 20:31:33
2022-06-26 20:31:34,294 fail2ban.actions        [503794]: NOTICE  [wordpress] Ban 159.89.132.193

and this translates into a corresponding rule in the firewall:

[root@wmut2 fail2ban]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="188.164.193.182" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="174.138.27.203" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="85.25.211.247" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="157.159.0.0/17" service name="ssh" log prefix="ssh157/17" accept
rule family="ipv4" source address="139.59.109.241" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="34.68.4.41" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="206.81.3.84" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="157.159.10.0/24" service name="snmp" log prefix="snmp10" accept

It is also visible in the native netfilter/nftables rules:

chain filter_IN_public_deny {
		ip saddr 143.244.147.196 tcp dport 443 ct state { new, untracked } reject
		ip saddr 148.72.244.104 tcp dport 443 ct state { new, untracked } reject
		ip saddr 123.25.115.29 tcp dport 443 ct state { new, untracked } reject

because nftables is what actually runs underneath, cf.:

[root@wmu fail2ban]# grep -i 'FirewallBackend' /etc/firewalld/firewalld.conf
# FirewallBackend
FirewallBackend=nftables

State of the wordpress jail

[root@wmu ~]# fail2ban-client status wordpress
Status for the jail: wordpress
|- Filter
|  |- Currently failed:	3
|  |- Total failed:	1244
|  `- File list:	/var/log/httpd/ssl_access_log
`- Actions
   |- Currently banned:	7
   |- Total banned:	410
   `- Banned IP list:	37.15.142.43 137.184.237.153 69.36.169.138 147.182.230.210 62.171.169.89 207.46.234.202 188.68.47.175

Errors, failures

After the first two corrections (switching to a firewallcmd-rich-rules action and replacing ":" with "-" for the multiport), adding the rule still failed. Note that the action named in the error trace below is nftables-allports (fail2ban's native nft action, hence the "exec: nft add table inet f2b-table" lines), whereas the fail2ban-client -d dump reports firewallcmd-rich-rules:

[root@wmu ~]# fail2ban-client -d | grep 'wordpres'
['add', 'wordpress', 'auto']
['set', 'wordpress', 'usedns', 'warn']
['multi-set', 'wordpress', 'addfailregex', ['^<HOST> .* "POST .*wp-login.php', '^<HOST> .* "POST .*xmlrpc.php']]
['set', 'wordpress', 'maxretry', 12]
['set', 'wordpress', 'maxmatches', 12]
['set', 'wordpress', 'findtime', '120']
['set', 'wordpress', 'bantime', '120']
['set', 'wordpress', 'ignorecommand', '']
['set', 'wordpress', 'logencoding', 'auto']
['set', 'wordpress', 'addlogpath', '/var/log/httpd/ssl_access_log', 'head']
['set', 'wordpress', 'addaction', 'firewallcmd-rich-rules']
['multi-set', 'wordpress', 'action', 'firewallcmd-rich-rules', [['actionstart', ''], ['actionstop', ''], ['actioncheck', ''], ['actionban', 'ports="$(echo \'1-65535\' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family=\'<family>\' source address=\'<ip>\' port port=\'$p\' protocol=\'tcp\' reject type=\'<rejecttype>\'"; done'], ['actionunban', 'ports="$(echo \'1-65535\' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family=\'<family>\' source address=\'<ip>\' port port=\'$p\' protocol=\'tcp\' reject type=\'<rejecttype>\'"; done'], ['name', 'wordpress'], ['actname', 'firewallcmd-rich-rules'], ['port', '1-65535'], ['protocol', 'tcp'], ['family', 'ipv4'], ['chain', 'INPUT_direct'], ['zone', 'public'], ['service', 'ssh'], ['rejecttype', 'icmp-port-unreachable'], ['blocktype', 'REJECT --reject-with <rejecttype>'], ['rich-blocktype', "reject type='<rejecttype>'"], ['family?family=inet6', 'ipv6'], ['rejecttype?family=inet6', 'icmp6-port-unreachable']]]
['start', 'wordpress']
2022-06-26 19:44:24,776 fail2ban.actions        [501990]: NOTICE  [wordpress] Ban 165.232.177.194
2022-06-26 19:44:24,847 fail2ban.utils          [501990]: ERROR   7ff7ae172030 -- exec: nft add table inet f2b-table
nft -- add chain inet f2b-table f2b-chain \{ type filter hook input priority -1 \; \}
nft add set inet f2b-table addr-set-wordpress \{ type ipv4_addr\; \}

nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp \} ip saddr @addr-set-wordpress reject

2022-06-26 19:44:24,848 fail2ban.utils          [501990]: ERROR   7ff7ae172030 -- stderr: 'Error: Could not process rule: Numerical result out of range'
2022-06-26 19:44:24,848 fail2ban.utils          [501990]: ERROR   7ff7ae172030 -- stderr: 'add set inet f2b-table addr-set-wordpress { type ipv4_addr; }'
2022-06-26 19:44:24,848 fail2ban.utils          [501990]: ERROR   7ff7ae172030 -- stderr: '^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^'
2022-06-26 19:44:24,848 fail2ban.utils          [501990]: ERROR   7ff7ae172030 -- stderr: 'Error: No such file or directory'
2022-06-26 19:44:24,848 fail2ban.utils          [501990]: ERROR   7ff7ae172030 -- stderr: 'add rule inet f2b-table f2b-chain meta l4proto { tcp } ip saddr @addr-set-wordpress reject'
2022-06-26 19:44:24,848 fail2ban.utils          [501990]: ERROR   7ff7ae172030 -- stderr: '                                                                ^^^^^^^^^^^^^^^^^^^'
2022-06-26 19:44:24,848 fail2ban.utils          [501990]: ERROR   7ff7ae172030 -- returned 1
2022-06-26 19:44:24,848 fail2ban.actions        [501990]: ERROR   Failed to execute ban jail 'wordpress' action 'nftables-allports' info 'ActionInfo({'ip': '165.232.177.194', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7ff7aca6fe18>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7ff7aca70510>})': Error starting action Jail('wordpress')/nftables-allports: 'Script error'
2022-06-26 19:44:33,372 fail2ban.filter         [501990]: WARNING [wordpress] Simulate NOW in operation since found time has too large deviation 1656265398 ~ 1656265473.3721204 +/- 60

References