3 RFEs in 1 bug

i know that this is not the best way but i have no time and otherwise i would forget it :(

Description of problem:

A. unfortunately i am missing IPv6 support in fail2ban. i am no developer and thought this should be no great problem but i could not find a solution. where is the problem: fail2ban-regex, fail2ban-server or fail2ban-client ? probably here is someone with more knowledge and you could enhance fail2ban with IPv6 support before 2012-06-06.

i tried it in this way:

1) no changes in filter.d/sshd.conf

2) copy action.d/iptables.conf --> action.d/ip6tables.conf and change iptables to ip6tables

# grep ip6tables /etc/fail2ban/action.d/ip6tables.conf
## ip6tables test - copy from iptables.conf --> ip6tables.conf
actionstart = ip6tables -N fail2ban-<name>
              ip6tables -A fail2ban-<name> -j RETURN
              ip6tables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
actionstop = ip6tables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
             ip6tables -F fail2ban-<name>
actioncheck = ip6tables -n -L INPUT | grep -q fail2ban-<name>
actionban = ip6tables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = ip6tables -D fail2ban-<name> -s <ip> -j DROP

3) create a new section for ssh-ip6tables

---- jail.conf ----
## test for ip6tables, no ipv6 is blocked ##
## ip6tables chain is created and deleted while starting and stopping fail2ban ##
[ssh-ip6tables]
enabled = true
filter = sshd
action = ip6tables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=fail2ban]
logpath = /var/log/secure
maxretry = 5
####
----/----

4) restart fail2ban and check iptables / ip6tables, ok, looks good. e.g.
# iptables-save
# Generated by iptables-save v1.4.7 on Wed Mar 7 00:12:19 2012
*filter
:INPUT ACCEPT [22:1971]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11:1040]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A fail2ban-SSH -j RETURN
COMMIT
# Completed on Wed Mar 7 00:12:19 2012

# ip6tables-save
# Generated by ip6tables-save v1.4.7 on Wed Mar 7 00:12:37 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A fail2ban-SSH -j RETURN
COMMIT
# Completed on Wed Mar 7 00:12:37 2012

Actual result:

Unfortunately IPv4 is ok as expected but for IPv6, no IPv6 address is blocked. Somewhere there must be a test for a regular IPv4 address and IPv6 is not getting through :(

B. I could not find an action which includes and checks the list of blocklist.de http://www.blocklist.de/en/api.html - i assume that it could be possible with a fail2ban-action to check the own blocked IPs from the logfiles if this IP is listed in blocklist.de too.
-- if no, then use the "bantime"
-- if yes, then block this IP for a longer period of time, e.g. "blocktime"

e.g. "89.140.99.27" (49.212.40.166, 88.80.64.20, 50.22.226.90, ...)

- check via dns
# host -t any 27.99.140.89.bl.blocklist.de
27.99.140.89.bl.blocklist.de descriptive text "Infected System (Service: ssh), see http://www.blocklist.de/en/view.html?ip=89.140.99.27"
27.99.140.89.bl.blocklist.de has address 127.0.0.14

- or with curl
# curl -s https://api.blocklist.de/api.php?ip=89.140.99.27
attacks: 53<br />reports: 1<br />

-- fail2ban-action: block "89.140.99.27" permanently or longer than "bantime", e.g. "blocktime"

C. autofwd, possibly a fail2ban alternative with IPv6 support

autofwd has IPv6 support and could possibly be an additional fail2ban alternative in fedora
http://www.digitalmages.com/projects/autofwd/
http://freecode.com/projects/autofwd

afair you need perl-ExtUtils-MakeMaker perl-BerkeleyDB perl-Socket6
afair you need additional perl modules from Arthur Corliss
http://search.cpan.org/~corliss/Paranoid/lib/Paranoid.pm
http://search.cpan.org/dist/Parse-PlainConfig/
Created attachment 568643 [details]
fail2ban-ipv6.tar.bz2

http://thanatos.trollprod.org/sousites/fail2banv6/fail2ban-ipv6.tar.bz2

I found a working IPv6 patch for fail2ban.

$ md5 fail2ban-ipv6.tar.bz2
MD5 (fail2ban-ipv6.tar.bz2) = 6196ed59f13380f5be5484271256068b
downloaded 2012-03-08

http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal
[...]
IPv6 Experimental support
This little patch allows fail2ban to parse and ban IPv6 IPs. Instead of calling iptables, it calls ip6tables or iptables depending on the IP presented. It works!, but don't use name resolution in the log files.
http://thanatos.trollprod.org/sousites/fail2banv6/fail2ban-ipv6.tar.bz2

2 short patches
server/failregex.py
server/filter.py
1 file
fail2ban/action.d/iptable46-multiport.conf
1 script: checks for ipv4 - iptables or ipv6 - ip6tables
eg. /usr/bin/ip64tables.sh

now you can change jail.conf
[ssh-iptables]
action=iptable46-multiport[name=SSH...]

you have to chmod the *.conf and *.sh
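The dispatch that patch describes (iptables for an IPv4 address, ip6tables for an IPv6 address), as an added example in Python; this is not the patch's or fail2ban's own code. It assumes the actionban/actionunban command lines from the ip6tables.conf above and a hypothetical chain-name policy for <name>; the point a defender cares about is that the substituted <ip> is validated as a literal address before it reaches the firewall tool, which is also why the wiki note says not to use name resolution in the log files.

```python
import ipaddress
import re
import subprocess
from typing import List

# Added example, not code from the patch or from fail2ban itself: pick the
# firewall tool by the address family of the <ip> substituted into
# actionban/actionunban, as the patched iptable46-multiport action does, and
# reject anything that is not a literal IP address or a plain chain name so a
# substituted value can never turn into extra shell arguments.

CHAIN_NAME = re.compile(r"^[A-Za-z0-9_-]+$")   # assumed policy for <name>

def firewall_tool(ip: str) -> str:
    """'iptables' for IPv4, 'ip6tables' for IPv6; ValueError for anything
    that is not a literal address (hostnames, garbage, shell metacharacters)."""
    addr = ipaddress.ip_address(ip)
    return "ip6tables" if addr.version == 6 else "iptables"

def _chain(name: str) -> str:
    if not CHAIN_NAME.match(name):
        raise ValueError("bad jail name: %r" % name)
    return "fail2ban-" + name

def ban_argv(name: str, ip: str) -> List[str]:
    """argv for: <tool> -I fail2ban-<name> 1 -s <ip> -j DROP"""
    return [firewall_tool(ip), "-I", _chain(name), "1", "-s", ip, "-j", "DROP"]

def unban_argv(name: str, ip: str) -> List[str]:
    """argv for: <tool> -D fail2ban-<name> -s <ip> -j DROP"""
    return [firewall_tool(ip), "-D", _chain(name), "-s", ip, "-j", "DROP"]

def run(argv: List[str], dry_run: bool = True) -> str:
    """Run without a shell (argv list: no word splitting, no globbing).
    With dry_run=True only the command line is returned."""
    if not dry_run:
        subprocess.run(argv, check=True)
    return " ".join(argv)

if __name__ == "__main__":
    # the two addresses that were banned in the test run in this bug
    print(run(ban_argv("SSH", "192.168.101.200")))
    print(run(ban_argv("SSH", "2001:db8:1::3")))
```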
service fail2ban, ssh, /var/log/messages, ip[6]tables-save

# service fail2ban stop
---- messages ----
Mar 8 15:31:40 srv01 fail2ban.jail : INFO Jail 'ssh-iptables' stopped
Mar 8 15:31:40 srv01 fail2ban.server : INFO Exiting Fail2ban

# service fail2ban start
---- messages ----
Mar 8 15:32:45 srv01 fail2ban.server : INFO Changed logging target to SYSLOG for Fail2ban v0.8.4
Mar 8 15:32:45 srv01 fail2ban.jail : INFO Creating new jail 'ssh-iptables'
Mar 8 15:32:45 srv01 fail2ban.jail : INFO Jail 'ssh-iptables' uses Gamin
Mar 8 15:32:45 srv01 fail2ban.filter : INFO Added logfile = /var/log/secure
Mar 8 15:32:45 srv01 fail2ban.filter : INFO Set maxRetry = 5
Mar 8 15:32:45 srv01 fail2ban.filter : INFO Set findtime = 600
Mar 8 15:32:45 srv01 fail2ban.actions: INFO Set banTime = 600
Mar 8 15:32:45 srv01 fail2ban.jail : INFO Jail 'ssh-iptables' started

# iptables-save
# Generated by iptables-save v1.4.7 on Thu Mar 8 15:33:37 2012
*filter
:INPUT ACCEPT [77:8931]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35:2675]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A fail2ban-SSH -j RETURN
COMMIT
# Completed on Thu Mar 8 15:33:37 2012

# ip6tables-save
# Generated by ip6tables-save v1.4.7 on Thu Mar 8 15:35:22 2012
*filter
:INPUT ACCEPT [2:128]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:120]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A fail2ban-SSH -j RETURN
COMMIT
# Completed on Thu Mar 8 15:35:22 2012

192.168.101.200$ ssh 192.168.101.2 (is blocked)
---- messages ----
Mar 8 15:36:01 srv01 <31>fail2ban.filter : DEBUG Found 192.168.101.200
Mar 8 15:36:38 srv01 <31>fail2ban.filter : DEBUG Found 192.168.101.200
Mar 8 15:36:38 srv01 <31>fail2ban.filter : DEBUG Found 192.168.101.200
Mar 8 15:36:42 srv01 <31>fail2ban.filter : DEBUG Found 192.168.101.200
Mar 8 15:36:42 srv01 <31>fail2ban.filter : DEBUG Found 192.168.101.200
Mar 8 15:36:42 srv01 <31>fail2ban.filter : DEBUG Found 192.168.101.200
Mar 8 15:36:42 srv01 <28>fail2ban.actions: WARNING [ssh-iptables] Ban 192.168.101.200

2001:db8:1::3$ ssh 2001:db8:1::2 (is blocked too)
---- messages ----
Mar 8 15:38:27 srv01 <31>fail2ban.filter : DEBUG Found 2001:db8:1::3
Mar 8 15:38:53 srv01 <31>fail2ban.filter : DEBUG Found 2001:db8:1::3
Mar 8 15:38:58 srv01 <31>fail2ban.filter : DEBUG Found 2001:db8:1::3
Mar 8 15:39:03 srv01 <31>fail2ban.filter : DEBUG Found 2001:db8:1::3
Mar 8 15:39:10 srv01 <31>fail2ban.filter : DEBUG Found 2001:db8:1::3
Mar 8 15:39:11 srv01 <28>fail2ban.actions: WARNING [ssh-iptables] Ban 2001:db8:1::3

# iptables-save
# Generated by iptables-save v1.4.7 on Thu Mar 8 15:44:52 2012
*filter
:INPUT ACCEPT [352:60071]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127:11890]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A fail2ban-SSH -s 192.168.101.200/32 -j DROP
-A fail2ban-SSH -j RETURN
COMMIT
# Completed on Thu Mar 8 15:44:52 2012

# ip6tables-save
# Generated by ip6tables-save v1.4.7 on Thu Mar 8 15:45:01 2012
*filter
:INPUT ACCEPT [31:4210]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [42:4447]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A fail2ban-SSH -s 2001:db8:1::3/128 -j DROP
-A fail2ban-SSH -j RETURN
COMMIT
# Completed on Thu Mar 8 15:45:01 2012
RFE A: this was the main reason for filing this bug. i have patched my production servers, all are ok and are working now with IPv6 fail2ban as expected. if you could at least include the ipv6 patch in some way this RFE would be resolved.

RFE C: if you include the ipv6 patch my request for autofwd as a working ipv6-alternative to fail2ban is obsolete, at least from my side.

RFE B: this would be a "nice to have" but for now IPv6 is in my opinion a "must have" before 2012-06-06. i will add some infos in the next comment.

Other additional info for some handy time variables from ...
---- http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal ----
Handy time variable aliases

I've (re-)discovered that one can use handy time aliases for bantime and findtime.

---- jail.conf ----
Here's how I defined them in my jail.conf:
## bantime of 3600 = 60*60 = one hour
## bantime of 86400 = 60*60*24 = one day
## bantime of 604800 = 60*60*24*7 = one week
## bantime of 2592000 = 60*60*24*30 = (approx) one month
## bantime of 31536000 = 60*60*24*365 = (approx) one year
one_hour = 3600
one_day = 86400
one_week = 604800
one_month = 2592000
one_year = 31536000
----/jail.conf ----

Use the aliases like this:
---- jail.conf ----
findtime = %(one_week)s
bantime = %(one_week)s
----/jail.conf ----

Remember the trailing "s"!
----/----
RFE B: some infos for developers who will possibly look into fail2ban with blocklist.de support

1) possibly action = blocklist[.conf]
check the banned IPs (iptables or /var/log/messages) if the IPs are listed in blocklist.de dns and block it with a longer "bantime" or a new "blocklist_bantime"

2) possibly direct blocklist.de support in fail2ban.
- check the <HOST> IPs before banning
- check the banned IPs later
http://www.blocklist.de/en/export.html

possibly additional definitions in jail.conf ? eg.
blocklist_use = yes|no
blocklist_source = dns | url | file | all
blocklist_destination = apache | asterisk | bots | ftp | imap | mail | ssh | all
blocklist_bantime = <time in seconds | one_hour | one_day | one_month | one_year>

for 1)
--- eg. for banned IPs - iptables ---
# iptables-save | grep DROP
-A fail2ban-SSH -s 78.188.30.7/32 -j DROP
-A fail2ban-SSH -s 89.140.99.27/32 -j DROP
-A fail2ban-SSH -s 61.253.249.157/32 -j DROP
-A fail2ban-SSH -s 59.60.7.111/32 -j DROP
-A fail2ban-SSH -s 88.80.64.20/32 -j DROP

--- eg. for banned ips for sshd in /var/log/messages ---
# grep Ban /var/log/messages | awk -F' ' '{print $9 }' | sort
114.207.112.95
121.108.95.188
121.14.46.119
124.205.190.102
125.16.142.163
173.45.104.226
178.89.110.162
212.96.26.114
221.174.50.130
46.61.180.100
49.212.40.166
50.22.226.90
59.60.7.111
61.253.249.157
69.162.121.83
78.131.7.21
78.188.30.7
85.186.111.17
85.25.148.120
88.191.74.210
88.191.74.210
88.191.74.210
88.191.74.210
88.80.64.20
88.80.64.20
88.80.64.20
88.80.64.20
89.140.99.27
89.140.99.27
[...]
89.140.99.27
91.205.189.27

for 2)
http://www.blocklist.de/en/api.html

i got a short answer from a python-developer
---- is this a correct python snippet for IPv4 reverseDNS ?
----
ip = '89.140.99.27'.split('.')
ip.reverse()
ip = '.'.join(ip + ['bl.blocklist.de',])
---- or ----
def rdnsblocklist(ip):
    ip = ip.split('.')
    ip.reverse()
    return '.'.join(ip + ['bl.blocklist.de',])

# to use as
rdnsblocklist('89.140.99.27')
----/python snippet ----

here some fail2ban files eg.

---- /usr/share/fail2ban/server/filter.py ----
    ##
    # Ban an IP - http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html
    # Arturo 'Buanzo' Busleiman <buanzo.ar>
    #
    # to enable banip fail2ban-client BAN command

    def addBannedIP(self, ip):
        unixTime = time.time()
        self.failManager.addFailure(FailTicket(ip, unixTime))
        return ip

    ##
    # Add an IP/DNS to the ignore list.
    #
    # IP addresses in the ignore list are not taken into account
    # when finding failures. CIDR mask and DNS are also accepted.
    # @param ip IP address to ignore

    def addIgnoreIP(self, ip):
        logSys.debug("Add " + ip + " to ignore list")
        self.__ignoreIpList.append(ip)

    def delIgnoreIP(self, ip):
        logSys.debug("Remove " + ip + " from ignore list")
        self.__ignoreIpList.remove(ip)

    def getIgnoreIP(self):
        return self.__ignoreIpList

    ##
    # Check if IP address/DNS is in the ignore list.
    #
    # Check if the given IP address matches an IP address/DNS or a CIDR
    # mask in the ignore list.
    # @param ip IP address
    # @return True if IP address is in ignore list

    def inIgnoreIPList(self, ip):
        for i in self.__ignoreIpList:
            # An empty string is always false
            if i == "":
                continue
            s = i.split('/', 1)
            # IP address without CIDR mask
            if len(s) == 1:
                s.insert(1, '32')
            s[1] = long(s[1])
            try:
                a = DNSUtils.cidr(s[0], s[1])
                b = DNSUtils.cidr(ip, s[1])
            except Exception:
                # Check if IP in DNS
                ips = DNSUtils.dnsToIp(i)
                if ip in ips:
                    return True
                else:
                    continue
            if a == b:
                return True
        return False

---- /usr/share/fail2ban/server/actions.py ----
    ##
    # Set the ban time.
    #
    # @param value the time

    def setBanTime(self, value):
        self.__banManager.setBanTime(value)
        logSys.info("Set banTime = %s" % value)

    ##
    # Get the ban time.
    #
    # @return the time

    def getBanTime(self):
        return self.__banManager.getBanTime()

    [...]

    ##
    # Check for IP address to ban.
    #
    # Look in the Jail queue for FailTicket. If a ticket is available,
    # it executes the "ban" command and add a ticket to the BanManager.
    # @return True if an IP address get banned

    def __checkBan(self):
        ticket = self.jail.getFailTicket()
        if ticket != False:
            aInfo = dict()
            bTicket = BanManager.createBanTicket(ticket)
            aInfo["ip"] = bTicket.getIP()
            aInfo["failures"] = bTicket.getAttempt()
            aInfo["time"] = bTicket.getTime()
            if self.__banManager.addBanTicket(bTicket):
                logSys.warn("[%s] Ban %s" % (self.jail.getName(), aInfo["ip"]))
                for action in self.__actions:
                    action.execActionBan(aInfo)
                return True
            else:
                logSys.warn("[%s] %s already banned" % (self.jail.getName(), aInfo["ip"]))
        return False

    [...]

---- /usr/share/fail2ban/server/server.py ----
# grep -i bantime /usr/share/fail2ban/server/server.py
    def setBanTime(self, name, value):
        self.__jails.getAction(name).setBanTime(value)
    def getBanTime(self, name):
        return self.__jails.getAction(name).getBanTime()

# grep -i banip /usr/share/fail2ban/server/server.py
    def setBanIP(self, name, value):

---- /usr/share/fail2ban/server/transmitter.py ----
# grep -i bantime /usr/share/fail2ban/server/transmitter.py
            elif command[1] == "bantime":
                self.__server.setBanTime(name, int(value))
                return self.__server.getBanTime(name)
            elif command[1] == "bantime":
                return self.__server.getBanTime(name)

# grep -i banip /usr/share/fail2ban/server/transmitter.py
            elif command[1] == "banip":
                return self.__server.setBanIP(name,value)
----/----
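The blocklist.de check proposed under RFE B, written out as an added example in Python; it is not fail2ban code and not a client supplied by blocklist.de. It generalises the reverse-DNS snippet above with address validation, parses the api.php reply quoted earlier, and applies the bantime / blocklist_bantime decision from the proposed jail.conf keys. The resolver is injected so the example runs offline against a constructed stand-in built from the host(1) output in this bug; dns_resolve shows the real call.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List

# Added example, not fail2ban code and not blocklist.de's API client: the
# reverse-DNS name from the snippet above (with validation), a parser for the
# api.php reply quoted above, and the bantime/blocklist_bantime decision the
# RFE asks for. The resolver is injected so this runs offline.

BL_ZONE = "bl.blocklist.de"          # DNS RBL zone used in the host(1) call above

def rdns_name(ip: str) -> str:
    """'89.140.99.27' -> '27.99.140.89.bl.blocklist.de'. IPv4 only: per the
    blocklist.de quote later in this bug, IPv6 is not in the DNS RBL."""
    addr = ipaddress.ip_address(ip)              # ValueError on non-addresses
    if addr.version != 4:
        raise ValueError("blocklist.de DNS RBL lists IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + BL_ZONE

def parse_api_response(body: str) -> Dict[str, int]:
    """'attacks: 53<br />reports: 1<br />' -> {'attacks': 53, 'reports': 1}"""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"(\w+):\s*(\d+)", body)}

def dns_resolve(name: str) -> List[str]:
    """Real resolver: A records; socket.gaierror (an OSError) on NXDOMAIN."""
    return socket.gethostbyname_ex(name)[2]

def is_listed(ip: str, resolve: Callable[[str], List[str]] = dns_resolve) -> bool:
    """Listed when the RBL answers with a 127.0.0.x record (127.0.0.14 above)."""
    try:
        answers = resolve(rdns_name(ip))
    except OSError:                              # NXDOMAIN: not listed
        return False
    return any(a.startswith("127.0.0.") for a in answers)

def choose_bantime(ip, resolve=dns_resolve, bantime=600, blocklist_bantime=86400):
    """Ordinary bantime for unknown IPs, the longer blocklist_bantime if listed."""
    return blocklist_bantime if is_listed(ip, resolve) else bantime

# Constructed stand-in for DNS, built only from the host(1) output quoted above.
FAKE_RBL = {"27.99.140.89.bl.blocklist.de": ["127.0.0.14"]}

def fake_resolve(name: str) -> List[str]:
    if name not in FAKE_RBL:
        raise OSError("NXDOMAIN " + name)
    return FAKE_RBL[name]
```

The defaults 600 and 86400 are the banTime from the log above and one_day from the jail.conf aliases; choose_bantime("89.140.99.27", fake_resolve) yields the longer ban, a private address yields the ordinary one.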
The normal route for changes into Fedora is to submit them upstream to the project. Your patches look very good, but please do submit them upstream - www.fail2ban.org.
the patches are not from me :)

IPv6 patches are from - thanspam - http://thanatos.trollprod.org/

fail2ban Author: Cyril Jaquier as CC cyril.jaquier , see below

The few fail2ban bugs, requests, patches, ... since 2008 seem to be mostly open and assigned to nobody :(

here are my 2 RFEs - sf.net fail2ban
https://sourceforge.net/tracker/?func=detail&atid=689047&aid=3500617&group_id=121032
IPv6 support - a working patch is available - ID: 3500617
https://sourceforge.net/tracker/?func=detail&atid=689047&aid=3500630&group_id=121032
direct blocklist.de support as action or as definitions - ID: 3500630

--------
# grep -r Author /usr/share/fail2ban/
Info about IPv6 and fail2ban blocklist.de support, here is a quote

---- blocklist.de ipv6 2012-03-13 ----
When you have patched Fail2ban and it can support ipv6, we can also list ipv6-Attackers, but not in the dns-rbl. The Database-Fields and IP-Checks are IPv6 ready, but at the moment i never have seen an ipv6-attacker.

Your blocklist.de-Team
----/----
Please file all RFEs with upstream. Thanks!