
I made a few similar jails for different ports...

jail names: http_https_deny, dns_deny, ftp_deny, smtp_pop3_deny, ssh_deny

Here are the firewalld and fail2ban settings for http_https_deny (the others are almost the same, just with different ports):

LOG_TAG1=HTTP-DENY_
LOG_TAG2=HTTPS-DENY_
F2B_NAME=http_https_deny

sudo firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 port port=80 protocol=tcp log prefix=${LOG_TAG1} drop" --permanent
sudo firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 port port=80 protocol=udp log prefix=${LOG_TAG1} drop" --permanent
sudo firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 port port=443 protocol=tcp log prefix=${LOG_TAG2} drop" --permanent
sudo firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 port port=443 protocol=udp log prefix=${LOG_TAG2} drop" --permanent

cat << EOF | sudo tee -a /etc/fail2ban/filter.d/${F2B_NAME}.conf
[Definition]
failregex = (${LOG_TAG1}|${LOG_TAG2}).* SRC=<HOST>
journalmatch = _TRANSPORT=kernel
EOF

cat << EOF | sudo tee -a /etc/fail2ban/action.d/${F2B_NAME}.conf
[INCLUDES]
before = 
[Definition]
actionstart = 
actionstop = 
actioncheck = 
actionban = firewall-cmd --zone=drop --add-source=<ip>
actionunban = firewall-cmd --zone=drop --remove-source=<ip>
EOF

cat << EOF | sudo tee -a /etc/fail2ban/jail.d/${F2B_NAME}.conf
[${F2B_NAME}]
enabled = true
filter = ${F2B_NAME}
banaction = ${F2B_NAME}
bantime = 48h
findtime = 10m
maxretry = 1
EOF

When somebody scans multiple ports, firewall-cmd adds entries to the system log with prefixes HTTP-DENY_, FTP-DENY_, SSH-DENY_, etc., and then the fail2ban filters find these records in the log and ban the logged IP (as we see later, the same IP will be banned several times).

All works almost fine, but...

During the unban process we can see that fail2ban tries to unban the IP multiple times, which leads to errors in the log...

2023-02-07 22:16:01,155 fail2ban.actions        [882]: NOTICE  [http_https_deny] Unban 138.199.42.209
2023-02-07 22:16:02,158 fail2ban.actions        [882]: NOTICE  [dns_deny] Unban 138.199.42.209
2023-02-07 22:16:02,237 fail2ban.actions        [882]: NOTICE  [ftp_deny] Unban 138.199.42.209
2023-02-07 22:16:02,326 fail2ban.actions        [882]: NOTICE  [smtp_pop3_deny] Unban 138.199.42.209
2023-02-07 22:16:02,426 fail2ban.actions        [882]: NOTICE  [ssh_deny] Unban 138.199.42.209

# trying to unban 'dns_deny'
2023-02-07 22:16:02,552 fail2ban.utils          [882]: ERROR   7f240e174168 -- exec: firewall-cmd --zone=drop --remove-source=138.199.42.209
2023-02-07 22:16:02,553 fail2ban.utils          [882]: ERROR   7f240e174168 -- stderr: "Error: UNKNOWN_SOURCE: '138.199.42.209' is not in any zone"
2023-02-07 22:16:02,553 fail2ban.utils          [882]: ERROR   7f240e174168 -- returned 30
2023-02-07 22:16:02,553 fail2ban.actions        [882]: ERROR   Failed to execute unban jail 'dns_deny' action 'dns_deny' info 'ActionInfo({'ip': '138.199.42.209', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f240e1939d8>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f240e1940d0>})': Error unbanning 138.199.42.209

# trying to unban 'ftp_deny'
2023-02-07 22:16:02,935 fail2ban.utils          [882]: ERROR   7f240e1741d0 -- exec: firewall-cmd --zone=drop --remove-source=138.199.42.209
2023-02-07 22:16:02,935 fail2ban.utils          [882]: ERROR   7f240e1741d0 -- stderr: "Error: UNKNOWN_SOURCE: '138.199.42.209' is not in any zone"
2023-02-07 22:16:02,935 fail2ban.utils          [882]: ERROR   7f240e1741d0 -- returned 30
2023-02-07 22:16:02,936 fail2ban.actions        [882]: ERROR   Failed to execute unban jail 'ftp_deny' action 'ftp_deny' info 'ActionInfo({'ip': '138.199.42.209', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f240e1939d8>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f240e1940d0>})': Error unbanning 138.199.42.209

# trying to unban 'smtp_pop3_deny'
2023-02-07 22:16:03,335 fail2ban.utils          [882]: ERROR   7f2411fbb238 -- exec: firewall-cmd --zone=drop --remove-source=138.199.42.209
2023-02-07 22:16:03,335 fail2ban.utils          [882]: ERROR   7f2411fbb238 -- stderr: "Error: UNKNOWN_SOURCE: '138.199.42.209' is not in any zone"
2023-02-07 22:16:03,336 fail2ban.utils          [882]: ERROR   7f2411fbb238 -- returned 30
2023-02-07 22:16:03,336 fail2ban.actions        [882]: ERROR   Failed to execute unban jail 'smtp_pop3_deny' action 'smtp_pop3_deny' info 'ActionInfo({'ip': '138.199.42.209', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f240e1939d8>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f240e1940d0>})': Error unbanning 138.199.42.209

# trying to unban 'ssh_deny'
2023-02-07 22:16:03,719 fail2ban.utils          [882]: ERROR   7f2411fbb1d0 -- exec: firewall-cmd --zone=drop --remove-source=138.199.42.209
2023-02-07 22:16:03,720 fail2ban.utils          [882]: ERROR   7f2411fbb1d0 -- stderr: "Error: UNKNOWN_SOURCE: '138.199.42.209' is not in any zone"
2023-02-07 22:16:03,720 fail2ban.utils          [882]: ERROR   7f2411fbb1d0 -- returned 30
2023-02-07 22:16:03,720 fail2ban.actions        [882]: ERROR   Failed to execute unban jail 'ssh_deny' action 'ssh_deny' info 'ActionInfo({'ip': '138.199.42.209', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f240e1939d8>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f240e1940d0>})': Error unbanning 138.199.42.209

How can I fix this?

Is it possible to check whether the IP is already banned before "actionban"?

P.S.

Please also see the related question: https://unix.stackexchange.com/questions/734413/fail2ban-and-firewalld-and-drop-zone-strange-behavior-with-rich-rule-add-sour

it_buddha
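One way to do the "check before actionban/actionunban" that the question asks about, as an added example and not the poster's configuration: a small POSIX sh wrapper that asks firewalld with --query-source before adding or removing a source, so a second jail banning or unbanning the same IP becomes a no-op instead of an UNKNOWN_SOURCE error. The FWCMD and ZONE overrides, the ban/unban CLI shape, and the script path you would put in actionban/actionunban are assumptions.

```shell
#!/bin/sh
# Idempotent firewalld "drop" zone ban/unban helper for fail2ban jails that
# share one zone. Added example, not the poster's configuration.
# Assumptions: firewall-cmd is on PATH; FWCMD and ZONE may be overridden
# (a test can point FWCMD at a stub); --query-source exits 0 only when the
# source is currently bound to the zone.
FWCMD="${FWCMD:-firewall-cmd}"
ZONE="${ZONE:-drop}"

# in_zone IP: exit 0 if IP is already a source of $ZONE, 1 otherwise
in_zone() {
    "$FWCMD" --zone="$ZONE" --query-source="$1" >/dev/null 2>&1
}

# ban_ip IP: add the source only if no other jail has already added it
ban_ip() {
    if in_zone "$1"; then
        echo "ban: $1 already in zone $ZONE, nothing to do"
        return 0
    fi
    "$FWCMD" --zone="$ZONE" --add-source="$1"
}

# unban_ip IP: remove the source only while it is still present, so the
# second, third, ... jail unbanning the same IP no longer hits UNKNOWN_SOURCE
unban_ip() {
    if ! in_zone "$1"; then
        echo "unban: $1 not in zone $ZONE, nothing to do"
        return 0
    fi
    "$FWCMD" --zone="$ZONE" --remove-source="$1"
}

# CLI entry point used from fail2ban: <script> ban|unban <ip>
if [ "$#" -gt 0 ]; then
    case "$1" in
        ban)   ban_ip "$2" ;;
        unban) unban_ip "$2" ;;
        *)     echo "usage: $0 ban|unban IP" >&2; exit 2 ;;
    esac
fi
```

Point each jail's actionban at `/usr/local/sbin/f2b-drop.sh ban <ip>` and actionunban at `/usr/local/sbin/f2b-drop.sh unban <ip>` (path assumed). This only removes the log noise: the drop zone holds a single entry per source, so the first jail's unban still lifts the ban for every jail.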

2 Answers


Apart from log noise, there's nothing to fix. Functionally the objective is being achieved. However, I would be concerned that an unban operation was applied to any occurrence of the IP address rather than the IP and port which the ban relates to. Further, I would be concerned about using an embedded/inline ban/unban command like you are using rather than a template-based system. Part of the issues arising from this is illustrated in your post: the unban command from your config generator is not the unban command shown in your logs.

I suggest having a look at how fail2ban is configured out of the box on Ubuntu/Debian, then applying what you've learnt by replacing all your current rules.

symcbean
  • Thanks for the answer. "the unban command from your config generator is not the unban command shown in your logs" – I fixed the first post, now the command is correct (see the explanation here: https://unix.stackexchange.com/questions/734413/fail2ban-and-firewalld-and-drop-zone-strange-behavior-with-rich-rule-add-sour) – it_buddha Feb 08 '23 at 08:49

I agree with the comment above that it's better to use the templates and model your config off the examples to avoid strange errors.

But in case it's relevant, someone else had a similar-looking issue when they were also using csf: "fail2ban: unban behavior when two jails ban the same IP?"

The solution was to set the ban-action to csf for it to handle.

Another option I've seen to catch port scans is to log attempts on well-known ports that you haven't opened, such as 23, 389, 445, whatever, and simply do a drop-all first.

LeeM
  • Thanks for the answer. I'm learning how to make custom filters/actions/jails, and of course I have seen some fail2ban examples – it_buddha Feb 08 '23 at 08:58