Koozali.org: home of the SME Server

geoip & fail2ban

Offline ElFroggio

geoip & fail2ban
« on: June 02, 2017, 03:57:52 AM »
SME 9.2

Is it possible to tie geoip with iptables/fail2ban? I have seen:

https://forums.contribs.org/index.php/topic,50465.msg253952.html#msg253952

1. It's in French and my French is very rusty. (I can speak it, but not technical French.)
2. I don't understand the "-m geoip --src-cc"; where does it come from?

I've been under attack from China, Korea and Vietnam. It has slowed down, but I'd like to deal with it.

Any suggestion?

Thanks

Syv

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: geoip & fail2ban
« Reply #1 on: June 02, 2017, 06:14:36 AM »
I have started looking at geoip blocking with fail2ban; unfortunately the kernel and the way iptables is compiled under CentOS/Red Hat, and so SME9, do not allow this.

An alternative would have been to also work with /etc/hosts.deny (https://www.axllent.org/docs/view/ssh-geoip/), but again an internal command (aclexec) to allow this is not available with Red Hat.


A last solution would be to use xtables-addons and its kmod... I started looking at it and I'm stuck trying to compile it against SME9 for the moment.
So if you have the time and energy to work on compiling this, yes, you could get geoip bans at the iptables level....

Offline ElFroggio

Re: geoip & fail2ban
« Reply #2 on: June 05, 2017, 03:48:59 AM »
Quote
so if you have the time and energy to work on compiling this, yes you could get geoip ban at iptables level....

I'm sorry, but I'm afraid that it's beyond my skill level.

Thanks/Merci

Syv

Offline mab974

Re: geoip & fail2ban
« Reply #3 on: September 12, 2017, 07:48:02 PM »
I have compiled xtables-addons for testing here:
https://repos.misouk.com/Sme_Server/6/x86_64/xtables-addons-1.47.1-1.el6.x86_64.rpm
yum install must have the "--enablerepo=epel" option for dependencies.

Some explanations for setup here
https://www.howtoforge.com/xtables-addons-on-centos-6-and-iptables-geoip-filtering

I am working on a contrib now. Any suggestion would be appreciated.

Offline ReetP

Re: geoip & fail2ban
« Reply #4 on: September 13, 2017, 03:42:57 PM »
Quote
i am working on a contrib now. Any suggestion would be appreciate.

It depends where you are stuck :-)

Let us know and we can try and help.

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: geoip & fail2ban
« Reply #5 on: September 14, 2017, 12:14:22 AM »
mab974,

thank you for the good work!

Suggestion for a contrib: you could first work on templates and db entries for the most useful settings;
in a second step you could work on a panel to help change those settings.


I see you have a few contribs there: https://repos.misouk.com/Sme_Server/6/SRPMS

Would you like to have access to our buildsystem to import them?
As a start, I see you were able to update geneweb, which I was not able to do in a reasonable time before giving up.
Having them in the buildsys would help others to get access to this great work and also help others to help you, including translation of panels or fixing a small issue.

Offline mab974

Re: geoip & fail2ban
« Reply #6 on: September 14, 2017, 06:15:58 PM »
Hi,
It's a particular contrib which depends on the kernel version.
New kernel --> new package:
https://repos.misouk.com/Sme_Server/6/x86_64/xtables-addons-1.47.1-2.el6.x86_64.rpm

Quote
Suggestion for a contribs, you could first work on templates and db entry for most useful settings
in second time you could work on a panel to help to change those settings.

I am working on templates and db entries for xt_geoip; for the other addons I don't know if there's an NFR for them.
For the second point, I thought panel use was no longer considered a good solution for the future.

Quote
I see you have a few contribs there : https://repos.misouk.com/Sme_Server/6/SRPMS

would you like to have access to our buildsystem to import them ?

Why not? For some of them which may be interesting. But for sure I need some help at the beginning, in a better place than here too.

Offline Stefano

Re: geoip & fail2ban
« Reply #7 on: September 14, 2017, 06:27:40 PM »
Can't access your repo, err NET::ERR_CERT_REVOKED

Offline ReetP

Re: geoip & fail2ban
« Reply #8 on: September 14, 2017, 07:36:09 PM »
Quote
can't access your repo, err NET::ERR_CERT_REVOKED

Can get it on my phone from here?

Offline Stefano

Re: geoip & fail2ban
« Reply #9 on: September 14, 2017, 07:48:32 PM »
Chrome 61 on Linux Mint says that the certificate was revoked..

No problem using Firefox.....

Offline mab974

Re: geoip & fail2ban
« Reply #10 on: September 14, 2017, 08:01:00 PM »
Problem with Chrome
Quote
Chrome 61 distrusts ALL certificates signed by StartSSL and WoSign

from https://webmasters.stackexchange.com/questions/103405/startssl-certificate-gives-sec-error-revoked-certificate-in-firefox-and-err-cert

Mine is an old one but evil.... evil.... :-)

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: geoip & fail2ban
« Reply #11 on: September 14, 2017, 08:50:49 PM »
Quote
Hi,
It's a particuliar contrib wich depends on kernel version.
new kernel --> new packet
https://repos.misouk.com/Sme_Server/6/x86_64/xtables-addons-1.47.1-2.el6.x86_64.rpm

Ideally it would be to compile the rpm in two: one main and one kmod with a soft dependency, so you only need to recompile it on a major change of the kernel.

Quote
i am working on templates and db entry for xt_geoip, for the other addons i don't know if there's NFR for them.

Great.

Quote
For the second point, i thought panel use was no more considered as a good solution for the future.

No, they are still needed; it's just that for SME10 we aim to make the manager better.

Quote
why not ? for some of them which may be interesting. But for sure i need some help for the beginning, in a better place than here too.

Some exchange can be made on IRC, Hangouts or another IM.

Offline mab974

Re: geoip & fail2ban
« Reply #12 on: September 22, 2017, 04:12:09 PM »
Hi,

A contrib named xt_geoip is available for testing at
https://repos.misouk.com/Sme_Server/6/noarch/smeserver-xt_geoip-1.0.1-01.el6.noarch.rpm

xt_geoip is for the Xtables-addons module geoip specifically, which permits filtering traffic (by IP) based on the country it comes from.

This contrib needs xtables-addons of course, available at
https://repos.misouk.com/Sme_Server/6/x86_64/xtables-addons-1.47.1-2.el6.x86_64.rpm
as seen above.

xt_geoip appears in the server manager in the Administration part. English and French versions are available for now.

Its panel permits to
  • enable/disable filtering
  • enter country codes
  • force base update

The GeoIP base is periodically updated.

Installation:

yum install xtables-addons --enablerepo=epel (locally for now)
yum install smeserver-xt_geoip (locally for now)
then
signal-event post-upgrade; signal-event reboot

Updating the xt_geoip database is performed by issuing the following command:
signal-event xt_geoip-update


Offline SchulzStefan

Re: geoip & fail2ban
« Reply #13 on: October 02, 2017, 02:29:01 PM »
For Let's Encrypt, ports 80 and 443 have to be open. There's no web content on my servers. What I see in the logs are a lot of attempts from IPs searching for WordPress, admin, passwords, curl, wget, and so on.

I'm thinking about using

Quote
Its panel permits to

    enable/disable filtering
    enter country codes
    force base update


this, to ban "dirty" IPs. Does this make sense, and will it work?

Regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline mab974

Re: geoip & fail2ban
« Reply #14 on: October 02, 2017, 05:44:30 PM »
It works in the simplest way possible (for now).
Xt_geoip blocks ALL IP connections based on the country of their origin.

If you think that troublesome connections come mainly from some countries, this can be interesting, keeping in mind that the "good IPs" of these countries are also blocked.
So you have to verify that any IP that must connect to your server is not in a banned country.

For sure, this is not a precise tool, but for the filtering rules, adaptations are possible at the template level.

I modified the contrib a little. In particular I separated xtables-addons into two rpms as Jean-Philippe suggested.

Here are the last versions that run on two of my servers for a few weeks:

regards,
Michel
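As an added example (not the xt_geoip contrib's template nor any code from this thread), here is what the "-m geoip --src-cc" match asked about in the opening post looks like once assembled into rules, with the allow-list that Reply #14's caveat calls for (known good addresses in a blocked country) placed above the DROP. The chain name GEOIP_BLOCK, the country list and the allow-list addresses are constructed assumptions; the function emits the rules as text for review rather than applying them.

```shell
#!/bin/sh
# Added example, not the xt_geoip contrib's own template: emit the iptables
# rules that the xtables-addons "geoip" match makes possible, as plain text,
# so they can be reviewed before being wired into a template fragment.
# The country list and allow-list addresses below are constructed samples.

# geoip_rules BLOCK_CC ALLOW_IPS [CHAIN]
#   BLOCK_CC  comma-separated ISO 3166-1 alpha-2 codes to drop, e.g. CN,KR,VN
#   ALLOW_IPS space-separated addresses/CIDRs that must never be dropped
#   CHAIN     chain to hook the block chain from (default INPUT)
# Order matters: the allow-list RETURNs sit above the geoip DROP, so a known
# good address that geolocates to a blocked country still reaches the server.
geoip_rules() {
    block_cc="$1"; allow_ips="$2"; chain="${3:-INPUT}"
    echo "iptables -N GEOIP_BLOCK"
    for ip in $allow_ips; do
        echo "iptables -A GEOIP_BLOCK -s $ip -j RETURN"
    done
    # Rate-limited log line so a burst from one country cannot flood messages
    echo "iptables -A GEOIP_BLOCK -m geoip --src-cc $block_cc -m limit --limit 5/min -j LOG --log-prefix \"geoip drop: \""
    echo "iptables -A GEOIP_BLOCK -m geoip --src-cc $block_cc -j DROP"
    echo "iptables -I $chain 1 -j GEOIP_BLOCK"
}

# valid_cc LIST: succeed only if every comma-separated item is exactly two
# upper-case letters, so a malformed entry from the panel's "enter country
# codes" field is rejected before iptables is asked to load the rule.
valid_cc() {
    echo "$1" | tr ',' '\n' | grep -Evq '^[A-Z]{2}$' && return 1
    return 0
}

# Example run with the constructed values
BLOCK_CC="CN,KR,VN"
ALLOW_IPS="203.0.113.10 198.51.100.0/24"
if valid_cc "$BLOCK_CC"; then
    geoip_rules "$BLOCK_CC" "$ALLOW_IPS"
else
    echo "invalid country code list: $BLOCK_CC" >&2
fi
```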