Koozali.org: home of the SME Server

highly recommended: improve security with fail2ban contrib

piran
Re: highly recommended: improve security with fail2ban contrib
« Reply #15 on: September 07, 2014, 08:35:43 PM »
>>Please do not put sheer guesswork answers here
It was only one and labelled as such... now crossed out.
Now all I have to do is wait for an installer that installs
and I can then put fail2ban to work.

stephdl
Re: highly recommended: improve security with fail2ban contrib
« Reply #16 on: September 07, 2014, 08:45:20 PM »
Indeed piran, you gave a command to interface directly with fail2ban. But Daniel has developed some DB commands for managing fail2ban in the standard sme way.
The first advantage is, for example, that if you do a backup of the sme in order to restore it on a new server, you will have all settings (not the contrib) in your next sme.
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

piran
Re: highly recommended: improve security with fail2ban contrib
« Reply #17 on: September 07, 2014, 08:49:50 PM »
>>you will have all settings (not the contrib) in your next sme.
Most useful, thank you, as I have still to surmount the hurdle into v9.

stephdl
Re: highly recommended: improve security with fail2ban contrib
« Reply #18 on: September 07, 2014, 08:53:48 PM »
Your bug is set to confirmed; I also have the same behaviour.

It seems that the package provided by epel has the same rule as the package of daniel... please be patient, we are all volunteers :)
« Last Edit: September 07, 2014, 08:56:51 PM by stephdl »

janet
Re: highly recommended: improve security with fail2ban contrib
« Reply #19 on: September 07, 2014, 09:07:00 PM »
To All

Note that sme9 now blocks ssh logins after 3 incorrect attempts in 15 minutes, or as configured by a db entry.
See http://wiki.contribs.org/AutoBlock

Great care should be taken by contrib developers to ensure that contrib functionality does not interfere with default sme server functionality.
Manipulating firewall rules should be done the "sme server way" to avoid weakening the very good & strong security of sme server.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

hanscees
Re: highly recommended: improve security with fail2ban contrib
« Reply #20 on: September 07, 2014, 09:40:47 PM »
>>To All
>>
>>Note that sme9 now blocks ssh logins after 3 incorrect attempts in 15 minutes, or as configured by a db entry.
>>See http://wiki.contribs.org/AutoBlock
>>
>>Great care should be taken by contrib developers to ensure that contrib functionality does not interfere with default sme server functionality.
>>Manipulating firewall rules should be done the "sme server way" to avoid weakening the very good & strong security of sme server.

Autoblock is a great feature and sme server is a secure distribution, no doubt about it. The sme-server way for configuring with db entries is solid and good.

Having said this, fail2ban is an extended security feature that even improves on security. You should absolutely not take this as doubting the security of sme. It is just an added feature that has arisen somewhere in the open source community.

As for using the db feature for on-the-fly blocking of IP addresses by fail2ban, this seems no improvement to me. It makes something that works very well and is very light into something heavy, complex and needlessly difficult to maintain, in my opinion. A server under heavy load with a severe portscan should not have to run a bunch of perl scripts to ban an IP address.

The iptables rules of fail2ban insert themselves at the beginning of the iptables INPUT chain and work fine and fast without interfering with any sme iptables rules. No need to worry as far as I can see.


nl.linkedin.com/in/hanscees/
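A quick way to confirm the ordering hanscees describes (fail2ban's jumps at the head of INPUT, ahead of the distribution's own rules) is to read `iptables -S INPUT` output and check where the first jump into a fail2ban chain sits. The script below is an added illustration written for this page, not code from the thread, the contrib or fail2ban. Both chain listings are constructed samples in the `iptables -S` format; the chain names and rules in them are invented for the demonstration. It matches both chain-name prefixes fail2ban has used (`fail2ban-` and `f2b-`). On a live box you would pass the real `iptables -S INPUT` output to the functions instead of the sample (assumption: run as root).

```shell
#!/bin/sh
# Added illustration: verify that fail2ban's jumps sit at the head of INPUT.
# Constructed sample in the format of `iptables -S INPUT` (not captured from a real box).
SAMPLE_INPUT_CHAIN='-P INPUT DROP
-A INPUT -j fail2ban-sshd
-A INPUT -j fail2ban-qpsmtpd
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP'

# Constructed counter-example: a fail2ban jump that ended up below other rules,
# which is the situation the check is meant to catch after a firewall rewrite.
SAMPLE_BAD_CHAIN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j fail2ban-sshd'

# fail2ban_jump_position CHAIN_TEXT
# Prints the 1-based position (counting only -A INPUT rules) of the first jump
# into a fail2ban chain (fail2ban-* or f2b-*), or 0 if there is none.
fail2ban_jump_position() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++ }
        /^-A INPUT / && /-j (fail2ban|f2b)-/ { print n; found = 1; exit }
        END { if (!found) print 0 }'
}

# fail2ban_chains_first CHAIN_TEXT
# Exit 0 when at least one fail2ban jump exists and every fail2ban jump precedes
# every other INPUT rule; exit 1 otherwise.
fail2ban_chains_first() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / {
            if ($0 ~ /-j (fail2ban|f2b)-/) { seen_f2b = 1; if (seen_other) bad = 1 } else seen_other = 1
        }
        END { exit ((bad || !seen_f2b) ? 1 : 0) }'
}

# Stand-alone run: report on both constructed samples.
# On a live box: fail2ban_chains_first "$(iptables -S INPUT)"
for chain in "$SAMPLE_INPUT_CHAIN" "$SAMPLE_BAD_CHAIN"; do
    pos=$(fail2ban_jump_position "$chain")
    if fail2ban_chains_first "$chain"; then
        echo "first fail2ban jump at INPUT rule #$pos: ordering OK"
    else
        echo "first fail2ban jump at INPUT rule #$pos: ordering BROKEN"
    fi
done
```

Running `fail2ban_chains_first "$(iptables -S INPUT)"` from a cron job or after `signal-event` calls that rebuild the firewall gives a cheap regression check that the jumps are still where hanscees says they belong, without touching any rule.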

stephdl
Re: highly recommended: improve security with fail2ban contrib
« Reply #21 on: September 07, 2014, 09:45:04 PM »
FYI
Autoblock is disabled in sme8, but enabled by default in sme9. Thus Janet is right; take time to disable it if you use fail2ban (it is my case).

You can enable it easily

# config setprop sshd AutoBlock
AutoBlock       AutoBlockTime   AutoBlockTries 
# config setprop sshd AutoBlock enabled      #or disabled
# signal-event remoteaccess-update
# config show sshd
sshd=service
    AutoBlock=enabled
    AutoBlockTime=900
    AutoBlockTries=4
    LoginGraceTime=600
    MaxAuthTries=2
    PasswordAuthentication=yes
    PermitRootLogin=yes
    Protocol=2
    TCPPort=22
    UsePAM=yes
    access=public
    status=enabled
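The AutoBlock rule janet and stephdl describe is a threshold over a sliding window: a source address that produces AutoBlockTries failed ssh logins within AutoBlockTime seconds gets blocked. The script below is an added illustration of that counting rule, written for this page; it is not SME Server's AutoBlock implementation and does not read the configuration database. The sshd log lines are constructed, and the tries/window values are passed as parameters (defaulting to the 3 tries and 15 minutes quoted in the thread) so you can see how changing the db entries would alter which addresses cross the threshold.

```shell
#!/bin/sh
# Added illustration of the AutoBlock counting rule: flag a source IP once it has
# TRIES "Failed password" lines within a sliding WINDOW of seconds.
# Not SME Server's own code. Constructed sshd log lines in syslog format
# (same day, chronological order).
SAMPLE_SSHD_LOG='Sep  7 20:00:00 sme sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Sep  7 20:00:10 sme sshd[2002]: Failed password for root from 203.0.113.5 port 40001 ssh2
Sep  7 20:01:00 sme sshd[2003]: Accepted publickey for alice from 192.0.2.9 port 39000 ssh2
Sep  7 20:02:30 sme sshd[2004]: Failed password for root from 203.0.113.5 port 40002 ssh2
Sep  7 20:05:00 sme sshd[2005]: Failed password for root from 203.0.113.5 port 40003 ssh2
Sep  7 20:20:00 sme sshd[2006]: Failed password for invalid user admin from 198.51.100.7 port 51235 ssh2
Sep  7 20:40:00 sme sshd[2007]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2'

# autoblock_candidates LOG_TEXT [TRIES] [WINDOW_SECONDS]
# Prints each IP (once, in the order it crossed the threshold) that accumulated
# TRIES "Failed password" lines within any WINDOW_SECONDS span. The defaults
# mirror the values quoted in this thread (3 tries, 900 s); they are parameters,
# not values read from `config show sshd`.
autoblock_candidates() {
    log="$1"; tries="${2:-3}"; window="${3:-900}"
    printf '%s\n' "$log" | awk -v tries="$tries" -v window="$window" '
        /sshd\[[0-9]+\]: Failed password/ {
            # syslog time of day -> seconds since midnight (samples span one day)
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            n[ip]++; ts[ip, n[ip]] = now
            # count this source''s failures inside the window ending now
            hits = 0
            for (k = 1; k <= n[ip]; k++) if (now - ts[ip, k] < window) hits++
            if (hits >= tries && !(ip in flagged)) { flagged[ip] = 1; print ip }
        }'
}

# Stand-alone run with the thread's quoted defaults, then with a wider window.
echo "would be blocked (3 tries / 900 s):"
autoblock_candidates "$SAMPLE_SSHD_LOG" 3 900
echo "would be blocked (3 tries / 3600 s):"
autoblock_candidates "$SAMPLE_SSHD_LOG" 3 3600
```

With the defaults only 203.0.113.5 is flagged: 198.51.100.7 also fails three times, but twenty minutes apart, so no 900-second window ever holds three of its failures. Widen the window to an hour and it is flagged too, which is exactly the trade-off the AutoBlockTime entry controls. The "Accepted publickey" line is ignored because only "Failed password" lines are counted.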

piran
Re: highly recommended: improve security with fail2ban contrib
« Reply #22 on: September 08, 2014, 01:30:20 PM »
Thank you Daniel :: fail2ban now installed in my SME8.1 box.

piran
Re: highly recommended: improve security with fail2ban contrib
« Reply #23 on: September 08, 2014, 02:22:28 PM »
I tried stopping then starting fail2ban, after which there is an error:

Starting fail2ban: WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''

Is there one or more of the given CONF files deficient or malformed?

PostEdit: Perhaps I should've set up templating first :: stopping/starting no longer shows this error.
« Last Edit: September 08, 2014, 02:49:33 PM by piran »
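The warning piran quotes is fail2ban telling you that one of its filter files has a `[Definition]` section without an `ignoreregex` key, and it falls back to an empty one. Finding which file is responsible before restarting is easier than reading the startup output. The script below is an added illustration for this page, not part of the contrib or of fail2ban: it reads filter text, tracks which `[section]` it is in, and reports the required `[Definition]` keys (`failregex`, `ignoreregex`) that are missing. The two filter texts are constructed samples, not the contrib's own files.

```shell
#!/bin/sh
# Added illustration: lint fail2ban filter text for the keys whose absence
# produces "WARNING 'ignoreregex' not defined in 'Definition'".
# Constructed sample filter that is complete (ignoreregex is present but empty).
GOOD_FILTER='[INCLUDES]
before = common.conf

[Definition]
failregex = ^%(__prefix_line)sFailed password for .* from <HOST> port \d+ ssh2$
ignoreregex =
'

# Constructed sample that would trigger the warning: no ignoreregex line.
BAD_FILTER='[Definition]
# comment lines and other sections are ignored by the linter
failregex = ^.*authentication failure.* rhost=<HOST>$
'

# filter_missing_keys FILTER_TEXT
# Prints, one per line, the required [Definition] keys (failregex, ignoreregex)
# that FILTER_TEXT does not set; prints nothing when the filter is complete.
filter_missing_keys() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^\[/ { section = $0; next }            # remember the current [section]
        section == "[Definition]" && /^[ \t]*[A-Za-z_]+[ \t]*=/ {
            key = $0
            sub(/^[ \t]*/, "", key)             # strip leading blanks
            sub(/[ \t]*=.*/, "", key)           # keep only the key name
            seen[key] = 1
        }
        END {
            if (!("failregex" in seen)) print "failregex"
            if (!("ignoreregex" in seen)) print "ignoreregex"
        }'
}

# Stand-alone run over the two constructed samples.
# On a box you would loop over the real files, e.g.
#   for f in /etc/fail2ban/filter.d/*.conf; do filter_missing_keys "$(cat "$f")" | sed "s|^|$f: missing |"; done
for name in GOOD_FILTER BAD_FILTER; do
    eval "text=\$$name"
    missing=$(filter_missing_keys "$text")
    if [ -z "$missing" ]; then
        echo "$name: complete"
    else
        echo "$name: missing $(printf '%s' "$missing" | tr '\n' ' ')"
    fi
done
```

Note that an empty `ignoreregex =` is valid and silences the warning; the linter therefore only checks that the key is present, not that it has a value. As piran found, the contrib's templating writes complete files, so the check is mainly useful for filters you add by hand.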

smeghead
Re: highly recommended: improve security with fail2ban contrib
« Reply #24 on: March 13, 2017, 04:25:39 PM »
Has anyone changed the MaxRetry setting?

I just dropped it to 2 from the default of 3 & the value seems to have taken effect, BUT the email notice I get of each ban still shows 9 attempts against qpsmtpd instead of 6 (the value should be MaxRetry * 3).

Where would I look in the contrib to find this setting used in sending the email? All the values in the conf files I look at all look correct. If I'm not missing anything obvious then I'll post a bug.

My jail.conf file shows a value of 2, the same as the config db:

[root@104 ~]# config show fail2ban
fail2ban=service
    BanTime=43200
    FindTime=43200
    Mail=enabled
    MaxRetry=2
    status=enabled
..................