
Author Topic: geoip & fail2ban  (Read 694 times)

ElFroggio

« on: June 02, 2017, 03:57:52 AM »

SME 9.2

Is it possible to tie geoip with iptables/fail2ban? I have seen:

https://forums.contribs.org/index.php/topic,50465.msg253952.html#msg253952

1. It's in French and my French is very rusty. (I can speak but not technical)
2. I don't understand the "-m geoip --src-cc " where does it come from?

I've been under attack from China, Korea and Vietnam. It has slowed down, but I'd like to deal with it.

Any suggestion?

Thanks

Syv

Jean-Philippe Pialasse

« Reply #1 on: June 02, 2017, 06:14:36 AM »

I have started looking at geoip blocking with fail2ban; unfortunately the kernel and the way iptables is compiled under CentOS/Red Hat, and so SME9, does not allow this.

An alternative would have been to work also with /etc/hosts.deny (https://www.axllent.org/docs/view/ssh-geoip/) but again an internal command (aclexec) to allow this is not available with Red Hat.

A last solution would be to use xtables-addons and its kmod... I started looking at it and I am stuck trying to compile it against SME9 for the moment.
So if you have the time and energy to work on compiling this, yes you could get geoip ban at iptables level....

ElFroggio

« Reply #2 on: June 05, 2017, 03:48:59 AM »

Quote
So if you have the time and energy to work on compiling this, yes you could get geoip ban at iptables level....

I'm sorry, but I'm afraid that it's beyond my skills level

Thanks/Merci

Syv

mab974

« Reply #3 on: September 12, 2017, 07:48:02 PM »

I have compiled xtables-addons for testing here
https://repos.misouk.com/Sme_Server/6/x86_64/xtables-addons-1.47.1-1.el6.x86_64.rpm.
yum install must have "enablerepo=epel"  option for dependencies.

Some explanations for setup here
https://www.howtoforge.com/xtables-addons-on-centos-6-and-iptables-geoip-filtering

I am working on a contrib now. Any suggestion would be appreciated.

ReetP

« Reply #4 on: September 13, 2017, 03:42:57 PM »

Quote
I am working on a contrib now. Any suggestion would be appreciated.

It depends where you are stuck :-)

Let us know and we can try and help.

B. Rgds
John
Bugs are easier than you think :
http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in
http://wiki.contribs.org/Koozali_Foundation

Jean-Philippe Pialasse

« Reply #5 on: September 14, 2017, 12:14:22 AM »

mab974,

thank you for the good work!

Suggestion for a contrib: you could first work on templates and db entries for the most useful settings; in a second step you could work on a panel to help change those settings.

I see you have a few contribs there: https://repos.misouk.com/Sme_Server/6/SRPMS

Would you like to have access to our buildsystem to import them?
As a start, I see you were able to update geneweb, which I was not able to do in a reasonable time before giving up.
Having them in the buildsys would help others get access to this great work and also help others to help you, including translating panels or fixing a small issue.

mab974

« Reply #6 on: September 14, 2017, 06:15:58 PM »

Hi,
It's a particular contrib which depends on the kernel version.
new kernel --> new packet
https://repos.misouk.com/Sme_Server/6/x86_64/xtables-addons-1.47.1-2.el6.x86_64.rpm

Quote
Suggestion for a contrib: you could first work on templates and db entries for the most useful settings; in a second step you could work on a panel to help change those settings.

I am working on templates and db entries for xt_geoip; for the other addons I don't know if there's an NFR for them.
For the second point, I thought panel use was no longer considered a good solution for the future.

Quote
I see you have a few contribs there: https://repos.misouk.com/Sme_Server/6/SRPMS
Would you like to have access to our buildsystem to import them?

Why not? For some of them which may be interesting. But for sure I need some help for the beginning, in a better place than here too.

Stefano

« Reply #7 on: September 14, 2017, 06:27:40 PM »

can't access your repo, err NET::ERR_CERT_REVOKED
Smeserver.it consultant - Solutions and support for SME Server in Italy

ReetP

« Reply #8 on: September 14, 2017, 07:36:09 PM »

Quote
can't access your repo, err NET::ERR_CERT_REVOKED

Can get it on my phone from here?

Stefano

« Reply #9 on: September 14, 2017, 07:48:32 PM »

Chrome 61 on Linux Mint says that the certificate was revoked..

no problem using firefox.....

mab974

« Reply #10 on: September 14, 2017, 08:01:00 PM »

Problem with Chrome
Quote
Chrome 61 distrusts ALL certificates signed by StartSSL and WoSign

from https://webmasters.stackexchange.com/questions/103405/startssl-certificate-gives-sec-error-revoked-certificate-in-firefox-and-err-cert

mine is an old one but  evil.... evil....  :-)

Jean-Philippe Pialasse

« Reply #11 on: September 14, 2017, 08:50:49 PM »

Quote
Hi,
It's a particular contrib which depends on the kernel version.
new kernel --> new packet
https://repos.misouk.com/Sme_Server/6/x86_64/xtables-addons-1.47.1-2.el6.x86_64.rpm

Ideally, the rpm would be split in two: one main and one kmod with a soft dependency, so you only need to recompile it on a major change of the kernel.

Quote
I am working on templates and db entries for xt_geoip; for the other addons I don't know if there's an NFR for them.

Great.

Quote
For the second point, I thought panel use was no longer considered a good solution for the future.

No, they are still needed; it's just that for SME10 we aim to make the manager better.

Quote
Why not? For some of them which may be interesting. But for sure I need some help for the beginning, in a better place than here too.

Some exchanges can be made on IRC, Hangouts or another IM.

mab974

« Reply #12 on: September 22, 2017, 04:12:09 PM »

Hi,

A contrib named xt_geoip is available for testing at
https://repos.misouk.com/Sme_Server/6/noarch/smeserver-xt_geoip-1.0.1-01.el6.noarch.rpm

xt_geoip is specifically for the geoip module of Xtables-addons, which permits filtering traffic (on IP) based on the country it comes from.

This contrib needs xtables-addons of course, available at
https://repos.misouk.com/Sme_Server/6/x86_64/xtables-addons-1.47.1-2.el6.x86_64.rpm
as seen above.

xt_geoip appears in the server manager in the Administration part. English and French versions are available for now.

Its panel permits to
  • enable/disable filtering
  • enter country codes
  • force base update

The GeoIP base is periodically updated.

Installation:

yum install xtables-addons --enablerepo=epel (locally for now)
yum install smeserver-xt_geoip (locally for now)
then
signal-event post-upgrade; signal-event reboot

Updating the xt_geoip database is performed by issuing the following command:
signal-event xt_geoip-update


SchulzStefan

« Reply #13 on: October 02, 2017, 02:29:01 PM »

For letsencrypt, ports 80 and 443 have to be open. There's no web content on my servers. What I see in the logs are a lot of attempts from IPs searching for wordpress, admin, passwords, curl, wget, and so on.

I'm thinking about using

Quote
Its panel permits to

    enable/disable filtering
    enter country codes
    force base update


this, to ban "dirty" IP's. Does this make sense, and will it work?

Regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

mab974

« Reply #14 on: October 02, 2017, 05:44:30 PM »

It works in the simplest way possible (for now).
Xt_geoip blocks ALL IP connections based on the country of their origin.

If you think that troublesome connections come mainly from some countries, this can be interesting, keeping in mind that the "good IPs" of these countries are also blocked.
So you have to verify that any IP that must connect to your server is not in a banned country.

For sure, this is not a precise tool but for the filtering rules, adaptations are possible at the template level.

I modified the contrib a little. In particular I separated xtables-addons into two rpms as Jean-Philippe suggested.

Here are the last versions that run on two of my servers for a few weeks :

regards,
Michel
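
The check advised in the post above (confirm that every address that must reach the server is outside the banned countries), as an added example that is not part of the original post or of the contrib. The range table, peer names and addresses are constructed, and the three-column row format is an assumption for illustration, not the xt_geoip database format.

```python
import ipaddress

# Constructed sample rows: "first IP,last IP,country code" (IPv4 only).
# The ranges are RFC 5737 documentation blocks and the country
# assignments are invented for this example.
SAMPLE_RANGES = """\
192.0.2.0,192.0.2.255,CN
198.51.100.0,198.51.100.127,KR
198.51.100.128,198.51.100.255,FR
203.0.113.0,203.0.113.255,VN
"""

def load_ranges(text):
    """Parse rows into (first, last, cc) tuples with integer bounds."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        first, last, cc = (f.strip() for f in line.split(","))
        rows.append((int(ipaddress.ip_address(first)),
                     int(ipaddress.ip_address(last)), cc.upper()))
    return rows

def country_of(ip, rows):
    """Return the country code whose range covers ip, or None if unmapped."""
    n = int(ipaddress.ip_address(ip))
    for first, last, cc in rows:
        if first <= n <= last:
            return cc
    return None

def check_ban_list(banned, required_peers, rows):
    """Return {peer name: cc} for required peers the ban list would drop."""
    banned = {c.strip().upper() for c in banned}
    bad = [c for c in banned if len(c) != 2 or not c.isalpha()]
    if bad:
        raise ValueError("not two-letter country codes: %s" % sorted(bad))
    hits = {}
    for name, ip in required_peers.items():
        cc = country_of(ip, rows)
        if cc in banned:
            hits[name] = cc
    return hits

if __name__ == "__main__":
    rows = load_ranges(SAMPLE_RANGES)
    peers = {"backup-host": "198.51.100.20", "branch-office": "198.51.100.200"}
    for name, cc in check_ban_list(["CN", "KR", "VN"], peers, rows).items():
        print("%s would be blocked (country %s)" % (name, cc))
```

An empty result means none of the listed peers falls inside a banned country according to the table supplied; addresses the table does not cover are reported as unmapped (None) by country_of and are never counted as banned.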