5

EDIT: added additional .conf filer and slightly changed wording as suggested by Marco


I'm running Fail2ban v0.10 which is supposed to support IPv6.

I've set up Fail2ban with nftables according to these instructions, with the exception that I used the 'inet' family for nftables instead of the ip family because I'd like to allow IPv6 traffic to my server.

The server is reachable over IPv6 and my firewall (nftables) seems to be configured correctly as far as I can see (the table inet filter).

However the 'table inet fail2ban' is why I'm making this post, it seems to me Fail2ban only reads the IPv4 logs, and blocks offending IPv4 hosts.

Am I reading this right? If so does anyone know how I can make Fail2ban work with IPv6 traffic as well? I know the Fail2ban v0.10 changelog states that not all ban-actions are IPv6 capable yet, but I can't seem to find a list.

A link to where I could finde the info is welcome as well, because I couldn't seem to finde that myself.

I've only included the recidive jail configs because I assume that if I can get jail to work with IPv6, I can do the same with the others, if I'm mistaken with that assumption please do tell me :)


My nftables ruleset:

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state { related, established} accept
        ct state invalid drop
        iifname "lo" accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        tcp dport ssh accept
        tcp dport http accept
        tcp dport https accept
        limit rate 5/minute burst 5 packets counter packets 972 bytes 56710 log prefix " denied: " level debug
        drop
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
        accept
    }
}

table inet fail2ban {
    set f2b-sshd {
        type ipv4_addr
    }

    set f2b-nginx-botsearch {
        type ipv4_addr
    }

    set f2b-recidive {
        type ipv4_addr
    }

    chain INPUT {
        type filter hook input priority 100; policy accept;
        ip protocol hopopt-reserved ip saddr @f2b-recidive drop
        tcp dport { http, https} ip saddr @f2b-nginx-botsearch drop
        tcp dport { ssh} ip saddr @f2b-sshd drop
    }
}

/etc/nftables/fail2ban.conf

#!/usr/sbin/nft -f

table inet fail2ban {
        chain INPUT {
                type filter hook input priority 100;
        }
}

/etc/nftables.conf

#!/usr/bin/nft -f

table inet filter {
  chain input {
    type filter hook input priority 0;

    ct state {established, related} accept

    ct state invalid drop

    iifname lo accept

    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    tcp dport ssh accept

    tcp dport http accept
    tcp dport https accept

    limit rate 5/minute burst 5 packets counter packets 0 bytes 0 log prefix " denied: " level debug

    drop
  }
  chain forward {
    type filter hook forward priority 0;
    drop
  }
  chain output {
    type filter hook output priority 0;
    accept
  }

}

include "/etc/nftables/fail2ban.conf"

/etc/fail2ban/action.d/nftables-common.local

[Init]
nftables_family = inet
nftables_table  = fail2ban

blocktype       = drop

nftables_set_prefix =

/etc/fail2ban/jail.local

[INCLUDES]

before = paths-arch.conf

[DEFAULT]

ignorecommand =

bantime  = 1h

findtime  = 10m

maxretry = 5

usedns = warn

logencoding = auto

enabled = false

filter = %(__name__)s

protocol = tcp

chain = INPUT

port = 0:65535

fail2ban_agent = Fail2Ban/%(fail2ban_version)s

banaction = nftables-multiport
banaction_allports = nftables-allports

action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]

action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]

action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

action_abuseipdb = abuseipdb

action = %(action_)s


[sshd]
enabled = true
mode    = normal
filter  = sshd[mode=%(mode)s]
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s


[nginx-botsearch]
enabled  = true
port     = http,https
logpath  = %(nginx_error_log)s
maxretry = 2

[recidive]
enabled = true
logpath  = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime  = 1w
findtime = 1d
maxretry  = 3
protocol  = 0-255

/etc/fail2ban/filter.d/recidive.conf

[INCLUDES]

before = common.conf

[Definition]

_daemon = fail2ban\.actions\s*

_jailname = recidive

failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5

/etc/fail2ban/filter.d/common.conf

[DEFAULT]

_daemon = \S*

__pid_re = (?:\[\d+\])

__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?

__daemon_extra_re = \[ID \d+ \S+\]

__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?)

__kernel_prefix = kernel: \[ *\d+\.\d+\]

__hostname = \S+

__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}

__bsd_syslog_verbose = <[^.]+\.[^.]+>

__vserver = @vserver_\S+

__date_ambit = (?:\[\])

__prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)$

__pam_auth = pam_unix

datepattern = {^LN-BEG}
Didier
  • 53
  • 1
  • 7
  • "it seems to me Fail2ban only listens to and blocks IPv4 traffic" Fail2ban does two things, it reads the logs and it adds firewall rules in order to block offending hosts. It's not expected to listen on anything, read the documentation please. ;) – Marco Sep 11 '17 at 18:46
  • Okay sure it reads the logs. Then let me rephrase: "it seems to me Fail2ban only reads the IPv4 logs, and blocks offending IPv4 hosts". So ... How can I make it read the IPv6 logs (if it doesn't already)? – Didier Sep 11 '17 at 19:07
  • Well, edit your question Sir, please. Phrasing is very important as this isn't all about your issue and someone wbo'll help you to fix it. Q&As are for the community and people use to find it searching for words who makes phrases. If you write in here that fail2ban "listens on IPv4" you'll get a comment if you're lucky. Most of the users would start firing downvotes instead of explanations because reading your question it really looks like that you didn't to read the fail2ban documentation before posting. – Marco Sep 11 '17 at 19:26
  • And coming to your issue: you should tell in your question how your services logs are configured, how fail2ban jails are configured and what actions have you set in fail2ban.conf in order for it to react. When you'll have all this clear, you'd probably answer your question by yourself. And you may get upvotes too, as this question of fail2ban with IPv6 is actually unique in the StackExchange network. – Marco Sep 11 '17 at 19:33
  • 1
    Hi Marco, thanks for the suggestions and apologies for the late reply. I've added conf files and reworded a little as you suggested, thanks – Didier Sep 16 '17 at 13:55

1 Answers1

2

This might have been this bug, fixed in v0.10.1

danblack
  • 1,179
  • 10
  • 14