From Alpine Linux
Jump to: navigation, search
Underconstruction clock icon gray.svg
This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Jch on 25 Jun 2015.)

How to setup fail2ban on a log server to control a remote firewall

I want to follow auth.log on a syslog-ng server running in a LXC to update iptables on a separate firewall machine.

Installation is easy but it doesn't work (yet) as expected.
Even if it's working from the command line :(

The syslog-ng machine is called "cerberus".
The firewall is called "firewall".

First, cerberus has to be able to log without password on firewall with root credentials (to update the iptables rules). This is done with usual id_rsa private and public key (in /root/.ssh/authorized_keys on firewall).

Next is to add a wrapper script for iptables commands. I did it in /usr/local/bin/do with

logger -t do_firewall "$1"
ssh -l root -p22 -i /root/.ssh/id_rsa firewall "$1"

This wrapper was added in front of rules in /etc/fail2ban/action.d/iptables.conf like (to all rules)

actionstop = /usr/local/bin/do "iptables -D <chain> -p <protocol> --dport <port> -j f2b-<name>"
             /usr/local/bin/do "iptables -F f2b-<name>"
             /usr/local/bin/do "iptables -X f2b-<name>"

This is working as expected when manually invoked

cerberus:~# fail2ban-client start
cerberus:~# fail2ban-client set sshd banip

But nothing happens from the fail2ban daemon :(