firewall & pinguin: iptables where do thou go?

it is said that when using “ipsets”, iptables and nftables achieve almost the same performance (in terms of the number of IPs that can be blocked without the server becoming slow/unresponsive)

Red Hat on nftables and DDoS: “so the only thing to fall back to is establishing a blacklist for all the different source IP addresses” (src) (which is exactly what iptables + cron + autoban.sh, a simple bash script, does)

the 3rd concept: bpfilter

2018-02: “The Linux kernel currently supports two separate network packet-filtering mechanisms: iptables and nftables.
For the last few years, it has been generally assumed that nftables would eventually replace the older iptables implementation;
few people expected that the kernel developers would, instead, add a third packet filter.
But that would appear to be what is happening with the newly announced bpfilter mechanism.
Bpfilter may eventually replace both iptables and nftables, but there are a lot of questions that will need to be answered first.” (src: https://lwn.net/Articles/747551/)
even faster X-D https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/

and: will already established iptables scripts keep working?

“We like iptables after all, this tool has been serving us (and will likely keep serving still for a while in many deployments) to filter out traffic on both a per-packet and per-flow basis, log suspicious traffic activity, perform NAT and many other things.

It comes with more than a hundred extensions that have been contributed over the last 15 years!

Nevertheless, the iptables framework suffers from limitations that cannot be easily worked around:

  • Avoid code duplication and inconsistencies:
    • Many of the iptables extensions are protocol specific
    • so there is no consolidated way to match packet fields
    • instead there is one extension for each protocol that it supports
    • this bloats the codebase with very similar code to perform a similar task: payload matching
  • Faster packet classification through enhanced generic set and map infrastructure
  • Simplified dual stack IPv4/IPv6 administration, through the new inet family that allows you to register base chains that see both IPv4 and IPv6 traffic
  • Better dynamic ruleset updates support
  • Provide a Netlink API for third party applications, just as other Linux Networking and Netfilter subsystem do
  • Address syntax inconsistencies and provide nicer and more compact syntax (aha aha X-D)

These, among other things not listed here, triggered the nftables development which was originally presented to the Netfilter community in the 6th Netfilter Workshop in Paris (2008, France).” (src: wiki.nftables.org)

if fail2ban fails to ban when nftables is used to emulate iptables:

it’s not entirely nftables’ fault, fail2ban would need to support it. So if you do not need to block more than 50,000-100,000 IPs and have a reasonably fast server… it should not slow down with iptables.

CentOS7 uninstall nftables install iptables – what to expect for Debian 11

https://dwaves.de/2017/07/27/centos7-replaced-firewall-iptables-with-firewalld-iptables-vs-nftables-benchmark-performance-comparison-scalability-when-facing-ddos-scenarios/

list all jails

fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd

get status:

/scripts/fail2ban_status.sh

#!/bin/bash
# /scripts/fail2ban_status.sh: overview of all jails, the firewall rules fail2ban created and its logs

echo "===== fail2ban status ====="
# overall summary (number of jails and the jail list)
fail2ban-client status

# the "Jail list:" line holds the comma separated jail names; strip the label and the commas
JAILS=$(fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g')
for JAIL in $JAILS
do
  fail2ban-client status "$JAIL"
done

systemctl status fail2ban

echo "===== iptables status ====="
# the default fail2ban action inserts REJECT rules into its own f2b-* chains
iptables -S | grep "REJECT"

echo "===== showing all available filters ====="
# "ll" is an interactive alias only, so use ls -l in a script
ls -l /etc/fail2ban/filter.d/

echo "===== fail2ban journal (since boot) ====="
journalctl -b -u fail2ban

echo "===== fail2ban log ====="
tail /var/log/fail2ban.log

unban this ip:

/scripts/fail2ban_unban.sh 123.123.123.123

#!/bin/bash
# unban the ip given as first argument from every jail

echo "====== unbanning:" "$1"

# the "Jail list:" line holds the comma separated jail names; strip the label and the commas
JAILS=$(fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g')
for JAIL in $JAILS
do
  fail2ban-client set "$JAIL" unbanip "$1"
done

manually ban an ip:

/scripts/fail2ban_ban.sh 123.123.123.123

#!/bin/bash
# ban the ip given as first argument in every jail

echo "====== banning:" "$1"

# the "Jail list:" line holds the comma separated jail names; strip the label and the commas
JAILS=$(fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g')
for JAIL in $JAILS
do
  fail2ban-client set "$JAIL" banip "$1"
done

automatically ban hosts from the sshd messages logged to /var/log/secure

think fail2ban is too soft on hosts that try to brute force your password?

run this via hourly cron X-D

this is a small script one put together, which filters out all “Invalid user” and “preauth” lines from /var/log/secure and bans the ips associated with them.

#!/bin/bash
# this script takes the ssh messages logged to /var/log/secure,
# extracts the ips from two kinds of lines:
# 1) "Invalid user"
# 2) "preauth"
# and blocks them via fail2ban

# filter out the "Invalid user" and "preauth" lines and save them to a new file
NEWFILE="/var/log/secure_invalid_preauth.log"

grep -e "Invalid user" -e "preauth" /var/log/secure > "$NEWFILE"

# extract ips
# an octet is 0-255; "[1-9]?[0-9]" also allows a plain 0, otherwise ips like 45.0.1.2 would be skipped
octet='\<(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\>'
ip="$octet\\.$octet\\.$octet\\.$octet"

# remove duplicates (uniq only collapses adjacent lines, so sort first)
# and save the result to a second file
grep -Eo "$ip" "$NEWFILE" | sort -u > "${NEWFILE}2"

# iterate over every ip in that file and hand it to the sshd jail
while read -r line; do
  echo "this was a very bad host, we will ban it now:"
  echo "$line"
  fail2ban-client set sshd banip "$line"
done < "${NEWFILE}2"
echo "done"

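A more careful version of the extraction step, added here as an example and not the original post's script: it accepts octets of 0, de-duplicates with sort -u, skips an allow-list of hosts that must never be banned (so you cannot lock yourself out), and only prints the fail2ban-client commands unless DRY_RUN=0. The sample log lines and the allow-list addresses are constructed.

```shell
#!/bin/bash
# Added example: extract offending ips from sshd log lines, de-duplicate them,
# drop allow-listed hosts and show what would be handed to fail2ban.

# Constructed sample of /var/log/secure lines (not real log data).
SAMPLE_SECURE='Jun  1 10:00:01 host sshd[1001]: Invalid user admin from 198.51.100.23 port 4242
Jun  1 10:00:02 host sshd[1002]: Received disconnect from 198.51.100.23 port 4242:11: Bye Bye [preauth]
Jun  1 10:00:03 host sshd[1003]: Invalid user test from 203.0.113.9 port 5151
Jun  1 10:00:04 host sshd[1004]: Connection closed by 192.168.1.50 port 6060 [preauth]
Jun  1 10:00:05 host sshd[1005]: Accepted publickey for root from 10.0.0.5 port 7070 ssh2'

# Hosts that must never be banned (constructed: admin workstation and a LAN host).
ALLOWLIST='192.168.1.50 10.0.0.5'

# Print the unique IPv4 addresses found on "Invalid user" / "preauth" lines.
# "[1-9]?[0-9]" also accepts an octet of 0; sort -u de-duplicates even when
# identical addresses are not on adjacent lines (uniq alone would not).
extract_offenders() {
  local octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
  grep -e "Invalid user" -e "preauth" \
    | grep -Eo "\<$octet\.$octet\.$octet\.$octet\>" \
    | sort -u
}

# Remove every address listed in ALLOWLIST from stdin.
filter_allowlist() {
  awk -v allow="$ALLOWLIST" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($0 in ok)'
}

# With DRY_RUN=1 (default) only print the ban commands; DRY_RUN=0 executes them
# (needs root and a running fail2ban with an sshd jail).
DRY_RUN="${DRY_RUN:-1}"
ban_offenders() {
  local ip
  while read -r ip; do
    if [ "$DRY_RUN" = "1" ]; then
      echo "fail2ban-client set sshd banip $ip"
    else
      fail2ban-client set sshd banip "$ip"
    fi
  done
}

# usage: on a real host replace the printf with "cat /var/log/secure"
printf '%s\n' "$SAMPLE_SECURE" | extract_offenders | filter_allowlist | ban_offenders
```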
how often was the jail enforced?

fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	1779
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	1
   |- Total banned:	347
   `- Banned IP list:	212.129.140.74

what ip got banned most?

awk '$(NF-1) == "Ban" {print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
      1 125.163.71.XXX
      1 37.75.213.XXX
      1 80.199.0.XXX
      2 151.236.200.XXX
      2 190.85.234.XXX
      4 188.75.155.XXX
      4 190.223.32.XXX
      4 200.105.154.XXX
      6 191.209.9.XXX
     11 78.250.49.XXX
     34 176.223.165.XXX
    133 104.236.146.XXX
    174 103.72.162.XXX
    184 54.37.196.XXX

what subnets got banned most?

zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | awk -F\. '{print $1"."$2"."}' | sort | uniq -c | sort -n | tail

# those subnets got banned most (higher number = more bans)
17 200.105.
21 210.92.
23 27.255.
34 176.223.
93 45.125.
140 104.236.
175 103.72.
184 54.37.
226 200.111.
1190 181.214.

# this one, for example, is an ip from Malaysia that exceeded the fail2ban rules for exim a lot
whois 103.72.162.186
# show the ips of the most banned subnet 181.214. (dots escaped, the pattern is a regex)
grep -r -i -E --color=auto "181\.214\." /var/log/fail2ban*;

… I whois’ed 3 and all were in the fail2ban jail for exim-iptables, all were US located; attempts to use this server for spam?

address: 60007 – Chicago – IL
country: US

Links:

https://www.the-art-of-web.com/system/fail2ban-log/

credits: https://gist.github.com/kamermans/1076290

admin