This material is work-in-progress ...
Do not follow instructions here until this notice is removed.
How to set up fail2ban on a log server to control a remote firewall
I want to follow auth.log on a syslog-ng server running in an LXC container and have it update iptables on a separate firewall machine.
Installation is easy, but it doesn't work (yet) as expected.
Even though it works from the command line :(
The syslog-ng machine is called "cerberus".
The firewall is called "firewall".
First, cerberus has to be able to log in to firewall as root without a password (to update the iptables rules). This is done with the usual id_rsa private/public key pair (the public key goes into /root/.ssh/authorized_keys on firewall).
Next, add a wrapper script for the iptables commands. I created it as /usr/local/bin/do with:

#!/bin/sh
logger -t do_firewall "$1"
ssh -l root -p22 -i /root/.ssh/id_rsa firewall "$1"
This wrapper was prepended to every command in /etc/fail2ban/action.d/iptables.conf (continuation lines of a multi-command value must be indented), for example:

actionstop = /usr/local/bin/do "iptables -D <chain> -p <protocol> --dport <port> -j f2b-<name>"
             /usr/local/bin/do "iptables -F f2b-<name>"
             /usr/local/bin/do "iptables -X f2b-<name>"
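Because the wrapper hands whatever string it receives to root on the firewall, it is worth restricting what it will forward. The following is an added example, not the page's own script: a version of /usr/local/bin/do that only forwards the command shapes fail2ban's iptables action generates; FIREWALL_HOST and the allow-list patterns are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the page's own script: a stricter /usr/local/bin/do.
# It forwards only commands shaped like the ones fail2ban's iptables.conf
# action produces (chains named f2b-*), so the root ssh key on cerberus
# cannot be turned into a general remote shell on "firewall" by a bad
# <name>/<ip> substitution or by anything else that calls the wrapper.
# Assumptions: ssh key, user and host as on the page; FIREWALL_HOST and
# the allow-list patterns are this example's own choices.

FIREWALL_HOST="${FIREWALL_HOST:-firewall}"
NL='
'

# Return 0 if "$1" is a single iptables command we are willing to forward.
is_allowed_cmd() {
    # Reject anything spanning more than one line.
    case "$1" in *"$NL"*) return 1 ;; esac
    # actionstart/actionstop chain management: iptables -N/-F/-X f2b-<name>
    if printf '%s\n' "$1" | grep -Eq \
        '^iptables -(N|F|X) f2b-[A-Za-z0-9_-]+$'; then return 0; fi
    # Hooking the jail chain into <chain>:
    # iptables -I/-D <chain> -p <protocol> --dport <port> -j f2b-<name>
    if printf '%s\n' "$1" | grep -Eq \
        '^iptables -(I|D) [A-Za-z0-9_-]+ -p (tcp|udp) --dport [A-Za-z0-9,:]+ -j f2b-[A-Za-z0-9_-]+$'; then return 0; fi
    # actionban/actionunban for one IPv4 address:
    # iptables -I/-D f2b-<name> 1 -s <ip> -j <blocktype>
    if printf '%s\n' "$1" | grep -Eq \
        '^iptables -(I|D) f2b-[A-Za-z0-9_-]+( 1)? -s [0-9]{1,3}(\.[0-9]{1,3}){3} -j (DROP|REJECT( --reject-with [a-z-]+)?)$'; then return 0; fi
    return 1
}

# Log and forward a validated command; log and refuse everything else.
do_firewall() {
    if is_allowed_cmd "$1"; then
        logger -t do_firewall "$1"
        ssh -l root -p22 -i /root/.ssh/id_rsa "$FIREWALL_HOST" "$1"
    else
        logger -t do_firewall "REJECTED: $1"
        return 1
    fi
}

# Act on the first argument when invoked as a script; do nothing without one.
[ "$#" -eq 0 ] || do_firewall "$1"
```

The same allow-list can also be enforced on the firewall side by prefixing the key in /root/.ssh/authorized_keys with a command="..." option and checking SSH_ORIGINAL_COMMAND in that forced command, so the log server's key never grants an unrestricted shell.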
This works as expected when invoked manually:

cerberus:~# fail2ban-client start
cerberus:~# fail2ban-client set sshd banip 220.127.116.11
But nothing happens from the fail2ban daemon :(