User:Jch/fail2ban

From Alpine Linux
Revision as of 09:28, 25 June 2015 by Jch (talk | contribs) (How to setup fail2ban on a log server to control a remote firewall)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Jch on 25 Jun 2015.)

How to setup fail2ban on a log server to control a remote firewall

I want to follow auth.log on a syslog-ng server running in a LXC to update iptables on a separate firewall machine.

Installation is easy but it doesn't work (yet) as expected.
Even if it's working from the command line :(

The syslog-ng machine is called "cerberus".
The firewall is called "firewall".

First, cerberus has to be able to log without password on firewall with root credentials (to update the iptables rules). This is done with usual id_rsa private and public key (in /root/.ssh/authorized_keys on firewall).

Next is to add a wrapper script for iptables commands. I did it in /usr/local/bin/do with

#!/bin/sh
logger -t do_firewall "$1"
ssh -l root -p22 -i /root/.ssh/id_rsa firewall "$1"

This wrapper was added in front of rules in /etc/fail2ban/action.d/iptables.conf like (to all rules)

actionstop = /usr/local/bin/do "iptables -D <chain> -p <protocol> --dport <port> -j f2b-<name>"
             /usr/local/bin/do "iptables -F f2b-<name>"
             /usr/local/bin/do "iptables -X f2b-<name>"

This is working as expected when manually invoked

cerberus:~# fail2ban-client start
cerberus:~# fail2ban-client set sshd banip 4.34.47.232

But nothing happens from the fail2ban daemon :(