fail2ban?

MikeMac (Forum Moderator)
Posts: 444
Joined: 07 Oct 2012 23:12
Location: Moscow, Russia

fail2ban?

#1

Post by MikeMac »

I hope fail2ban could be a nice addition to the nas4free host for any password-protected WAN connection.

Yes, one is installable into a jail, but not so easy, to say the least...

alexey123 (Moderator)
Posts: 1560
Joined: 19 Aug 2012 08:22
Location: Israel, Karmiel

Re: fail2ban?

#2

Post by alexey123 »

+1
Home12.1.0.4 - Ingva (revision 7091)/ x64-embedded on AMD A8-7600 Radeon R7 A88XM-PLUS/ 16G RAM / UPS Ippon Back Power Pro 600
Lab 12.1.0.4 - Ingva (revision 7091) /x64-embedded on Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz / H61M-DS2 / 4G RAM / UPS Ippon Back Power Pro 600

ernie (Forum Moderator)
Posts: 1452
Joined: 26 Aug 2012 19:09
Location: France - Val d'Oise

Re: fail2ban?

#3

Post by ernie »

+1
NAS 1&2:
System: GA-6LXGH(BIOS: R01 04/30/2014) / 16 Go ECC
XigmaNAS 12.1.0.4 - Ingva (revision 7542) embedded
NAS1: Xeon E3 1241@3.5GHz, 4HDD@2To/raidz2 (WD red), 3HDD@300Go/sas/raidz1 (Hitachi), 1SSD cache, Zlog on sas mirror
NAS2: G3220@3GHz, 3HDD@2To/raidz1 (Seagate), 1SSD cache, 1HDD@300Go/UFS
UPS: APC Back-UPS RS 900G
Case : Fractal Design XL R2

Extensions & services:
NAS1: OBI (Plex, BTSync, zrep, rclone, themes), nfs, UPS,
NAS2: OBI (zrep (backup mode), themes)

alexey123 (Moderator)
Posts: 1560
Joined: 19 Aug 2012 08:22
Location: Israel, Karmiel

Re: fail2ban?

#4

Post by alexey123 »

We have Python, so we can simply use fail2ban.
I tested it as is, without GUI.
Step-by-step nano howto:
Log in as root to the server and choose a real fail2ban folder.
In my case this folder is called /mnt/tank1/app/fail2ban. Jump to it.

Code:

    cd /mnt/tank1/app/fail2ban

Then search for the fail2ban package to get its proper name:

Code:

    pkg search fail2ban

The answer is:

    py27-fail2ban-0.9.3 Scans log files and bans IP that makes too many password failures

Fetch it:

Code:

    pkg fetch -o temp py27-fail2ban-0.9.3

And extract:

Code:

    cd temp/All
    tar -xf py27-fail2ban-0.9.3.txz
    cd /mnt/tank1/app/fail2ban
    cp -R temp/All/* .
    rm -rf temp

Now we need to add the files to the system. To do this after each reboot, create a startup script:

Code:

    #!/bin/sh
    # start procedure
    ####################################
    # Edit the path first
    EXTENSIONPATH="/mnt/YOUR/PATH/TO/fail2ban"
    # ENDOFEDIT
    ##########################################
    # Link /usr/local/bin files
    cd /usr/local/bin
    for file in "${EXTENSIONPATH}"/usr/local/bin/*
    do
        ln -s "$file" "${file##*/}"
    done
    # Link /usr/local/etc
    cd /usr/local/etc
    ln -s "${EXTENSIONPATH}/usr/local/etc/fail2ban" /usr/local/etc/
    ln -s "${EXTENSIONPATH}/usr/local/etc/rc.d/fail2ban" /usr/local/etc/rc.d/fail2ban
    # Link ${EXTENSIONPATH}/usr/local/lib/python2.7/site-packages
    cd /usr/local/lib/python2.7/site-packages
    for file in "${EXTENSIONPATH}"/usr/local/lib/python2.7/site-packages/*
    do
        ln -s "$file" "${file##*/}"
    done
    echo 'fail2ban_enable="YES"' >> /etc/rc.conf
    mkdir /var/run/fail2ban && chmod 777 /var/run/fail2ban
    mkdir /var/db/fail2ban && chmod 777 /var/db/fail2ban
    mkdir /var/lib/fail2ban && chmod 777 /var/lib/fail2ban
    /usr/local/etc/rc.d/fail2ban start

Save this script as /mnt/YOUR/PATH/TO/fail2ban/fail2ban_start.sh and add it as a postinit script over the webgui.

Then reboot.

The fail2ban config files are placed in the folder /mnt/YOUR/PATH/TO/fail2ban/usr/local/etc/fail2ban. We can edit them as needed.

As for me, it works.

MikeMac (Forum Moderator)
Posts: 444
Joined: 07 Oct 2012 23:12
Location: Moscow, Russia

Re: fail2ban?

#5

Post by MikeMac »

Bravo, maestro!

I will try on my system.

alexey123 (Moderator)
Posts: 1560
Joined: 19 Aug 2012 08:22
Location: Israel, Karmiel

Re: fail2ban?

#6

Post by alexey123 »

I continue attaching fail2ban.
First, I inspected the logfile and found that fail2ban complains about the database. At the FreshPorts page http://www.freshports.org/security/py-fail2ban I found the runtime dependencies:

    py27-sqlite3>0 : databases/py-sqlite3
    py27-setuptools27>0 : devel/py-setuptools27

OK. Add them:

Code:

    cd /mnt/tank1/app/fail2ban
    pkg update
    pkg fetch -o temp databases/py-sqlite3 devel/py-setuptools27
    cd temp/All
    tar -xf py27-sqlite3*
    tar -xf py27-setuptools*
    cd /mnt/tank1/app/fail2ban
    cp -R temp/All/* .
    rm -rf temp

Then I modified the startup script:

Code:

    #!/bin/sh
    # start procedure
    ####################################
    # Edit the path first
    EXTENSIONPATH="/mnt/tank1/app/fail2ban"
    # ENDOFEDIT
    ##########################################
    # Link /usr/local/bin files
    cd /usr/local/bin
    for file in "${EXTENSIONPATH}"/usr/local/bin/*
    do
        ln -s "$file" "${file##*/}"
    done
    # Link /usr/local/etc
    cd /usr/local/etc
    ln -s "${EXTENSIONPATH}/usr/local/etc/fail2ban" /usr/local/etc/
    ln -s "${EXTENSIONPATH}/usr/local/etc/rc.d/fail2ban" /usr/local/etc/rc.d/fail2ban
    # Link ${EXTENSIONPATH}/usr/local/lib/python2.7/site-packages
    cd /usr/local/lib/python2.7/site-packages
    for file in "${EXTENSIONPATH}"/usr/local/lib/python2.7/site-packages/*
    do
        ln -s "$file" "${file##*/}"
    done
    # Link the compiled Python extension modules (lib-dynload)
    cd /usr/local/lib/python2.7/lib-dynload
    for file in "${EXTENSIONPATH}"/usr/local/lib/python2.7/lib-dynload/*
    do
        ln -s "$file" "${file##*/}"
    done
    rconf service enable fail2ban
    mkdir /var/run/fail2ban
    mkdir /var/db/fail2ban
    mkdir -p /var/lib/fail2ban
    #######  This is the place to replace system files
    #
    #
    #
    service fail2ban start

I don't understand why, but the command

Code:

    service fail2ban status

says: fail2ban is not running.
Really, I can stop and start it. I see the process, I see the log, socket and pidfile, I see the database => I think it must work.

Continue.
Check the firewall - it must be enabled.

Code:

    ipfw show

WOW!!! I did not enable any rule, I just checked the checkbox :o WHERE IS IT FROM??

    00100 1958 173210 allow ip from any to any via lo0
    00200 0 0 deny ip from any to 127.0.0.0/8
    00300 0 0 deny ip from 127.0.0.0/8 to any
    00400 0 0 deny ip from any to ::1
    00500 0 0 deny ip from ::1 to any
    00600 29 2496 allow ipv6-icmp from :: to ff02::/16
    00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
    00800 215 16144 allow ipv6-icmp from fe80::/10 to ff02::/16
    00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
    01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
    01100 0 0 allow ip from 10.0.0.0/24 to 255.255.255.255
    01200 2692 6162714 allow ip from me to 10.0.0.0/24
    01300 3314 505315 allow ip from 10.0.0.0/24 to me

    01400 21517 6888989 allow tcp from any to any established
    01500 0 0 allow ip from any to any frag
    01600 49 2940 allow tcp from me to any setup
    01700 46 6122 allow udp from me to any dst-port 53 keep-state
    01800 75 5700 allow udp from me to any dst-port 123 keep-state
    65535 4766 534796 allow ip from any to any

The rules marked in red make it impossible to check fail2ban from the LAN, because the fail2ban denies have low priority.
OK, I flush all:

Code:

    ipfw flush

and

Code:

    ipfw show
    65535 5983 685904 allow ip from any to any

This is a good condition for testing.
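A way to see the rule-ordering problem described in the post above without touching a live firewall, as an added example that is not part of the original post: a first-match walk over a constructed IPv4 subset of the ruleset printed above. It assumes the NAS LAN address is 10.0.0.2 (ipfw's "me"), the LAN interface is re0, and that the deny added by fail2ban's ipfw action (an "ipfw add" without a rule number, which lands after the last numbered rule) sits at 01900 before the flush and at 00100 after it.

```python
import ipaddress
import re
NAS_IP = ipaddress.ip_address("10.0.0.2")  # assumed LAN address of the NAS ("me" in ipfw)
# Constructed IPv4 subset of the ruleset printed above (counters dropped). The
# fail2ban ipfw action runs "ipfw add deny ..." without a rule number, so the
# ban sorts after every stock rule; 01900 is assumed here.
STOCK_RULES = """
00100 allow ip from any to any via lo0
01200 allow ip from me to 10.0.0.0/24
01300 allow ip from 10.0.0.0/24 to me
01400 allow tcp from any to any established
01600 allow tcp from me to any setup
01900 deny tcp from 10.0.0.77 to 10.0.0.2 22
65535 allow ip from any to any
"""
# After "ipfw flush" only the default rule is left, so the re-added ban comes first.
FLUSHED_RULES = """
00100 deny tcp from 10.0.0.77 to 10.0.0.2 22
65535 allow ip from any to any
"""
RULE_RE = re.compile(r"^(\d+)\s+(allow|deny)\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)"
                     r"(?:\s+(\d+))?(.*)$")

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        num, action, proto, src, dst, port, opts = m.groups()
        rules.append({"num": int(num), "action": action, "proto": proto, "src": src,
                      "dst": dst, "port": int(port) if port else None, "opts": opts.split()})
    return sorted(rules, key=lambda r: r["num"])

def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr == NAS_IP
    return addr in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    opts = rule["opts"]
    return (rule["proto"] in ("ip", pkt["proto"])
            and addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])
            and rule["port"] in (None, pkt["dport"])
            and ("via" not in opts or opts[opts.index("via") + 1] == pkt["iface"])
            and ("established" not in opts or pkt["established"])
            and ("setup" not in opts or not pkt["established"]))

def verdict(text, pkt):
    # ipfw is first-match: the first rule that matches decides the packet's fate
    for rule in parse_rules(text):
        if rule_matches(rule, pkt):
            return rule["num"], rule["action"]
    raise RuntimeError("no rule matched")  # cannot happen, 65535 matches everything
# Constructed packet: a new SSH connection (TCP SYN) from a LAN host fail2ban has banned.
LAN_SSH_SYN = {"proto": "tcp", "src": ipaddress.ip_address("10.0.0.77"), "dst": NAS_IP,
               "dport": 22, "iface": "re0", "established": False}
```

verdict(STOCK_RULES, LAN_SSH_SYN) returns (1300, 'allow'), because the stock "allow ip from 10.0.0.0/24 to me" rule is consulted before the ban; verdict(FLUSHED_RULES, LAN_SSH_SYN) returns (100, 'deny').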

alexey123 (Moderator)
Posts: 1560
Joined: 19 Aug 2012 08:22
Location: Israel, Karmiel

Re: fail2ban?

#7

Post by alexey123 »

Configure fail2ban jails
SSH
It is not a good idea to allow access from the internet to the main NAS4Free ssh, but for the experiment I do it.
PROBLEMS:
1. NAS4Free has the sshd logfile as a circular log, and fail2ban cannot read it.
2. Syslog is configured to compact messages, such as "last message repeated 7 times." This also prevents it from working.
To solve these problems we replace the original /etc/rc.d/syslogd file.
BACKUP

Code:

    cp /etc/rc.d/syslogd /mnt/tank1/app/fail2ban/

then edit the copy. Find the section and add the red symbols:

    # Check if syslog'ing to remote syslog server is disabled
    if ! configxml_isset //syslogd/remote/enable; then
        syslogd_flags="-8 -ss -cc"
        command_args="-f ${syslogd_config}"
    fi

    syslogd_mkconf()
    {
        echo "local3.* %${clog_logdir}/var/log/sshd.log

Then, from our startup script, replace the original file:

Code:

    rsync --delete-before "${EXTENSIONPATH}/syslogd" /etc/rc.d/syslogd
    rm /var/log/sshd.log
    touch /var/log/sshd.log
    /etc/rc.d/syslogd restart

Also, for correct viewing, /usr/local/www/diag_log.inc needs repair:

Code:

    cp /usr/local/www/diag_log.inc /mnt/tank1/app/fail2ban/

Find the sshd section and replace it in the backed-up file:

    "desc" => gettext("SSH"),
    "logfile" => "{$clogdir}/sshd.log",
    "filename" => "sshd.log",
    "type" => "plain", // was "clog"
    "size" => "32768",

Script line to replace it:

Code:

    rsync --delete-before "${EXTENSIONPATH}/diag_log.inc" /usr/local/www/diag_log.inc

Now create the ${EXTENSIONPATH}/tc/fail2ban/jail.local file with this content:

Code:

    [ssh-ipfw]
    enabled  = true
    filter   = sshd
    action   = ipfw[name=SSH, port=ssh, protocol=tcp]
    logpath  = /var/log/sshd.log
    maxretry = 5

Then edit action.d/ipfw.conf:

    # Option: localhost
    # Notes.: the local IP address of the network interface
    # Values: IP
    #
    localhost = HERE MUST BE NAS4Free LAN IP

Startup script:

Code:

    #!/bin/sh
    # start procedure
    ####################################
    # Edit the path first
    EXTENSIONPATH="/mnt/tank1/app/fail2ban"
    # ENDOFEDIT
    ##########################################
    # Link /usr/local/bin files
    cd /usr/local/bin
    for file in "${EXTENSIONPATH}"/usr/local/bin/*
    do
        ln -s "$file" "${file##*/}"
    done
    # Link /usr/local/etc
    cd /usr/local/etc
    ln -s "${EXTENSIONPATH}/usr/local/etc/fail2ban" /usr/local/etc/
    ln -s "${EXTENSIONPATH}/usr/local/etc/rc.d/fail2ban" /usr/local/etc/rc.d/fail2ban
    # Link ${EXTENSIONPATH}/usr/local/lib/python2.7/site-packages
    cd /usr/local/lib/python2.7/site-packages
    for file in "${EXTENSIONPATH}"/usr/local/lib/python2.7/site-packages/*
    do
        ln -s "$file" "${file##*/}"
    done
    # Link the compiled Python extension modules (lib-dynload)
    cd /usr/local/lib/python2.7/lib-dynload
    for file in "${EXTENSIONPATH}"/usr/local/lib/python2.7/lib-dynload/*
    do
        ln -s "$file" "${file##*/}"
    done
    rconf service enable fail2ban
    mkdir /var/run/fail2ban
    mkdir /var/db/fail2ban
    mkdir -p /var/lib/fail2ban
    #######  This is the place to replace system files
    #
    rsync --delete-before "${EXTENSIONPATH}/syslogd" /etc/rc.d/syslogd
    rm /var/log/sshd.log
    touch /var/log/sshd.log
    /etc/rc.d/syslogd restart
    rsync --delete-before "${EXTENSIONPATH}/diag_log.inc" /usr/local/www/diag_log.inc
    #
    service fail2ban start

Restart fail2ban and check how it works.
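To see why problem 2 in the post above (syslogd repeat compression) defeats the ssh jail, here is an added example that is not code from the original post or from fail2ban: a simplified version of the "Failed password" pattern from fail2ban's sshd filter, counted over a constructed sshd.log excerpt, once as syslogd writes it with compression on and once expanded the way syslogd -cc would have written it. The log lines, host names and addresses are constructed; maxretry = 5 is the value from the jail.local above.

```python
import re
from collections import Counter

# Simplified form of the "Failed password" pattern in fail2ban's filter.d/sshd.conf
# (assumption: the real filter carries more patterns; this one is enough here).
FAILREGEX = re.compile(r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ "
                       r"from (?P<host>\S+) port \d+ ssh2")
REPEATED = re.compile(r"syslogd: last message repeated (?P<n>\d+) times")

def count_failures(lines):
    """Count failregex hits per source host, line by line, the way fail2ban does.
    A 'last message repeated N times' summary contains no host, so it is dropped."""
    hits = Counter()
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def hosts_to_ban(lines, maxretry=5):
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)

def expand_repeated(lines):
    """Rewrite the log the way syslogd -cc would have written it: every
    'last message repeated N times' becomes N copies of the preceding line."""
    out = []
    for line in lines:
        r = REPEATED.search(line)
        if r and out:
            out.extend([out[-1]] * int(r.group("n")))
        else:
            out.append(line)
    return out

# Constructed sshd.log excerpt, as syslogd writes it with repeat compression enabled.
COMPRESSED_LOG = [
    "Aug  7 10:58:01 nas sshd[51234]: Failed password for root from 203.0.113.5 port 40122 ssh2",
    "Aug  7 10:58:03 nas sshd[51234]: Failed password for root from 203.0.113.5 port 40122 ssh2",
    "Aug  7 10:58:20 nas syslogd: last message repeated 7 times",
    "Aug  7 10:58:25 nas sshd[51240]: Accepted publickey for admin from 10.0.0.15 port 50001 ssh2",
]

if __name__ == "__main__":
    # 2 hits for 203.0.113.5 with compression: under maxretry, so no ban
    print(count_failures(COMPRESSED_LOG), hosts_to_ban(COMPRESSED_LOG))
    # 9 hits once the repeats are written out: the jail bans the host
    expanded = expand_repeated(COMPRESSED_LOG)
    print(count_failures(expanded), hosts_to_ban(expanded))
```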

alexey123 (Moderator)
Posts: 1560
Joined: 19 Aug 2012 08:22
Location: Israel, Karmiel

Re: fail2ban?

#8

Post by alexey123 »

Now the builtin webserver.
It has trouble with logging. In the file /etc/rc.d/websrv we have the line

Code:

    server.errorlog-use-syslog = "enable"

We need to use another setting, for example

Code:

    server.errorlog = "/var/log/webserver.log"

To replace the line, as above, copy the file to the fail2ban folder

Code:

    cp /etc/rc.d/websrv /mnt/tank1/app/fail2ban/

then edit the backed-up file:

        "mod_redirect",
        "mod_alias"
    )
    # was: server.errorlog-use-syslog = "enable"
    server.errorlog = "/var/log/webserver.log"
    # debugmode debug.log-request-handling enable/disable
    debug.log-request-handling = "disable"

:!: Maybe the developers could add a checkbox on the webserver config page :?:

Add to the startup script:

Code:

    rsync --delete-before "${EXTENSIONPATH}/websrv" /etc/rc.d/websrv
    /etc/rc.d/websrv restart

Now create the webserver jail. I use port 80 for my webserver, so I wrote port=http.

Code:

    [webserv-auth]
    enabled  = true
    filter   = lighttpd-auth
    action   = ipfw[name=WWW, port=http, protocol=tcp]
    logpath  = /var/log/webserver.log
    maxretry = 5

Flush the firewall rules (if needed), restart fail2ban and check how it works.

alexey123 (Moderator)
Posts: 1560
Joined: 19 Aug 2012 08:22
Location: Israel, Karmiel

Re: fail2ban?

#9

Post by alexey123 »

Install script. WITHOUT GUI now.

Works from revision 2235 because fail2ban uses uncompressed syslog messages.


https://github.com/alexey1234/fail2ban- ... ree/master

Connect over ssh to the NAS4Free server.

Fetch the script:

Code:

    fetch https://raw.githubusercontent.com/alexey1234/fail2ban-nas4free/master/install.sh

Run it:

Code:

    sh install.sh /mnt/PATH/TO/APPLICATIONS/FOLDER

Another way also works:

Code:

    cd /mnt/tank/dataset_for_applications
    fetch https://raw.githubusercontent.com/alexey1234/fail2ban-nas4free/master/install.sh
    sh install.sh

The script will create the fail2ban folder itself.
When the script has downloaded everything, you just add fail2ban_start.sh as a postinit command.

poetl (NewUser)
Posts: 4
Joined: 22 Nov 2015 12:43

Re: fail2ban?

#10

Post by poetl »

Hi alexei123,
it seems that I got something wrong, because the fail2ban folder did not create itself and now several files are distributed without a proper parent directory.
Do you have any advice? Is there a deinstall script as well?

Thank you in advance,
poetl

bewoco (Starter)
Posts: 28
Joined: 23 Apr 2015 14:26
Location: Germany

Re: fail2ban?

#11

Post by bewoco »

Hallo Alexey,

I have downloaded your fail2ban install script, ran it, so far so good. The fail2ban dir is populated like this:
[attachment: fail2banDir.JPG]
But running the script fail2ban_start.sh (manually) results in the following messages:
[attachment: Fail.JPG]
and the webserver stops.
[attachment: services.JPG]
The Firewall is enabled and the log compression is disabled.
Any suggestions?

bewoco
NAS4Free 12.1.0.4 (revision 7542) x64-embedded on HP ProLiant N54L with AMD Turion(tm) II Neo Dual-Core Processor 4096 MB ECC RAM;
NAS4Free 12.1.0.4 (revision 7542) x64-embedded on Acer H341 with Intel Atom D410 4MB RAM

alexey123 (Moderator)
Posts: 1560
Joined: 19 Aug 2012 08:22
Location: Israel, Karmiel

Re: fail2ban?

#12

Post by alexey123 »

I'll check; I wrote the script for the 2235 version, maybe the patch part for webserv.conf needs correcting.
In all cases, try to start websrv manually:

Code:

    service websrv start

bewoco (Starter)
Posts: 28
Joined: 23 Apr 2015 14:26
Location: Germany

Re: fail2ban?

#13

Post by bewoco »

Starting the Webserver manually (after fail2ban_start) does not work. It remains off.

crest (Hardware & Software Guru)
Posts: 550
Joined: 02 Jul 2012 22:25
Location: Vienna, Austria - GMT+1

Re: fail2ban?

#14

Post by crest »

Hello Alexey,

started testing your fail2ban installation script (btw really great work !!!) without/with OBI ...

The integration into OBI with the following restrictions:
  1. needs at least N4F release 10.2.0.2.2235
  2. not available on ARM devices ... ? RIGHT?
and the following Prerequisites:
  1. activated Webserver
  2. activated Firewall and
  3. activated 'Disable the compression of repeated lines' under Diagnostics|Log|Settings
was very easy and the installation went well
[attachment: screen_20160807_103721.png]
I just added a tiny php-script

Code:

    <?php
    $command = "fail2ban_start.sh";
    $cmd = dirname(__FILE__) . "/" . $command;
    require_once("config.inc");
    require_once("functions.inc");

    // Reuse an existing postinit entry for fail2ban_start.sh if there is one,
    // otherwise $i ends up one past the last entry and a new one is appended.
    $i = 0;
    if (is_array($config['rc']['postinit']) && is_array($config['rc']['postinit']['cmd'])) {
        $n = count($config['rc']['postinit']['cmd']);
        while ($i < $n) {
            if (preg_match("/" . preg_quote($command, "/") . "/", $config['rc']['postinit']['cmd'][$i])) {
                break;
            }
            ++$i;
        }
    }
    // The entry is the full path of the script (the posted version concatenated an
    // undefined $config['cmd'] in front of it, which is just an empty string).
    $config['rc']['postinit']['cmd'][$i] = $cmd;
    write_config();
    ?>

to add the fail2ban_start.sh script to the command scripts automatically, so for OBI, users don't need to do it manually ... ;)

Start fail2ban

Code:

    n4f-10x-testbed-x64: fail2ban# ./fail2ban_start.sh
    Stopping syslogd.
    Waiting for PIDS: 51706.
    Starting syslogd.
    Performing sanity check on websrv configuration:
    Syntax OK
    Stopping websrv.
    Waiting for PIDS: 51763.
    Starting websrv.
    Shutdown successful
    2016-08-07 10:58:44,579 fail2ban.server         [53133]: INFO    Starting Fail2ban v0.9.4.dev0
    2016-08-07 10:58:44,580 fail2ban.server         [53133]: INFO    Starting in daemon mode

was ok.

So far so good, BUT at the moment I'm not sure how to test fail2ban successfully ... :oops:

Regards
crest
NAS1: 11.2.0.4 - Omnius (Revision 6766) x64-embedded; MSI 760GM-P23; AMD Athlon(tm) II X2 250 7.58GiB RAM
NAS2: 11.2.0.4 - Omnius (Revision 6766) x64-embedded; MSI MS-7369; AMD Sempron(tm) LE-1250 8022MiB RAM
UPS: APC Back-UPS ES 550G
Extensions: OneButtonInstaller, Extended GUI, NextOwnCloud, BitTorrent Sync, Syncthing, Downloady, Midnight Commander, NCDU, MySQL, Rclone, Themes:
