https://wiki.alpinelinux.org/w/index.php?action=history&feed=atom&title=User%3AJch%2Ffail2banUser:Jch/fail2ban - Revision history2026-05-05T16:50:40ZRevision history for this page on the wikiMediaWiki 1.40.0https://wiki.alpinelinux.org/w/index.php?title=User:Jch/fail2ban&diff=11022&oldid=prevJch: How to setup fail2ban on a log server to control a remote firewall2015-06-25T09:28:20Z<p>How to setup fail2ban on a log server to control a remote firewall</p>
<p><b>New page</b></p><div>{{draft}}<br />
<br />
= How to setup fail2ban on a log server to control a remote firewall =<br />
<br />
I want to follow auth.log on a syslog-ng server running in a LXC to update iptables on a separate firewall machine.<br />
<br />
Installation is easy but it doesn't work (yet) as expected.<br/><br />
Even if it's working from the command line :(<br />
<br />
The syslog-ng machine is called "cerberus".<br/><br />
The firewall is called "firewall".<br />
<br />
First, cerberus has to be able to log without password on firewall with root credentials (to update the iptables rules). This is done with usual id_rsa private and public key (in /root/.ssh/authorized_keys on firewall).<br />
<br />
Next is to add a wrapper script for iptables commands. I did it in /usr/local/bin/do with <pre><br />
#!/bin/sh<br />
logger -t do_firewall "$1"<br />
ssh -l root -p22 -i /root/.ssh/id_rsa firewall "$1"<br />
</pre><br />
<br />
This wrapper was added in front of rules in /etc/fail2ban/action.d/iptables.conf like (to all rules) <pre><br />
actionstop = /usr/local/bin/do "iptables -D <chain> -p <protocol> --dport <port> -j f2b-<name>"<br />
/usr/local/bin/do "iptables -F f2b-<name>"<br />
/usr/local/bin/do "iptables -X f2b-<name>"<br />
</pre><br />
<br />
This is working as expected when manually invoked<br />
<pre><br />
cerberus:~# fail2ban-client start<br />
cerberus:~# fail2ban-client set sshd banip 4.34.47.232<br />
</pre><br />
<br />
But nothing happens from the fail2ban daemon :(</div>Jch