Security fail2ban for Centmin Mod + CSF Firewall / Cloudflare API

Discussion in 'System Administration' started by eva2000, May 12, 2017.

  1. pamamolf

    per minute correct?

    Sorry for the trouble George :(

    Any command to clear all "Added by Fail2Ban" entries from /etc/csf/csf.deny?

    I just tried:

    Code:
    sed '/Added by Fail2Ban/d' /etc/csf/csf.deny
    but it didn't work :(

    Thank you
     
    Last edited: Aug 26, 2017
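An added example, not code from the thread or from centminmod-fail2ban, for clearing the Fail2Ban-tagged entries from csf.deny: the sed in the post lacks -i, so it only printed the filtered file and never changed it. It assumes the entries look like `<ip> # Added by Fail2Ban ...`, which is how `csf -d IP comment` writes them, and reloads CSF afterwards because editing the file alone leaves the live iptables rules in place.

```shell
#!/bin/sh
# Added example (not from the thread or centminmod-fail2ban): purge the csf.deny
# entries that fail2ban's csfdeny action wrote, in place, then reload CSF.
# Assumed entry format, as written by `csf -d IP comment`:
#   <ip-or-cidr> # Added by Fail2Ban ...

# Print the IP/CIDR of every active (not commented-out) line tagged "Added by Fail2Ban".
f2b_deny_ips() {
    awk '$1 !~ /^#/ && /Added by Fail2Ban/ { print $1 }' "$1"
}

# Delete those lines in place (sed -i; without -i, as in the post, sed only prints to
# stdout and the file is untouched). Keeps a timestamped backup beside the file and
# prints the number of entries removed.
purge_f2b_denies() {
    file=$1
    before=$(f2b_deny_ips "$file" | wc -l | tr -d ' ')
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    sed -i '/^[^#].*Added by Fail2Ban/d' "$file"
    after=$(f2b_deny_ips "$file" | wc -l | tr -d ' ')
    echo $((before - after))
}

# csf.deny is only the on-disk list: reload CSF so the running iptables rules match.
# Skipped when csf is not installed (e.g. when trying the functions on a copy of the file).
# Note that fail2ban's own ban list is unaffected; to clear a ban there as well, use
# `fail2ban-client set <jail> unbanip <ip>`.
reload_csf() {
    if command -v csf >/dev/null 2>&1; then
        csf -r >/dev/null
        echo reloaded
    else
        echo skipped
    fi
}

# Usage on a real box (uncomment):
# purge_f2b_denies /etc/csf/csf.deny && reload_csf
```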
  2. eva2000

  3. pamamolf

    One last question:

    Did you test whether the mail function works when it bans a user, or should I look around and configure it myself?

    For example this one:

    Code:
    sendmail-whois[name=xmlrpc, dest=root]
    Thank you
     
  4. buik

    Sorry to write, but I have not read the 6 pages of comments.
    Why use CSF and Fail2ban at the same time?

    CSF uses a daemon process that checks for login authentication failures, just like Fail2ban.
    You could also block bad hosts or bots, just like with Fail2ban.

    Is it because of the ability to add your own filters/jails to Fail2ban?
    So you could create an ideal mix of both.
     
  5. pamamolf

    After testing it more I want to say that it works great, and the way it works with CSF and Cloudflare is amazing!!!

    Also it is very easy to add a custom rule ....

    Thanks George !!!!
     
  6. eva2000

    Yes that's why my fail2ban implementation disables sshd login ban and lets CSF Firewall do that part ;) Fail2ban is left to web app level jails to protect on layer 7 level which CSF Firewall can't do. And allows end users to create their own custom fail2ban jails for their specific web apps. Fail2ban is just using CSF Firewall interfaced actions for ban and blocks instead of iptables.

    Haven't tested the mail function myself yet.

    Glad to hear and thanks for some of the bug reporting too i.e. missing actions in some jails :)
     
  7. pamamolf

    That's all the info I collected on the mail function:

    Code:
    sendmail-whois[name=SSH, dest=root, sender=fail2ban@domain.com]
    change at config:
    Code:
    action = %(action_)s
    to
    Code:
    action = %(action_mwl)s
    or
    Code:
    action = %(action_mw)s
    You will also need to adjust the action setting, which defines what actions occur when the threshold for ban is met.
    The default, %(action_)s, only bans the user. %(action_mw)s will ban and send an email with a WhoIs report; while %(action_mwl)s
    will ban and send an email with the WhoIs report and all relevant lines in the log file.

    You should change
    Code:
    mta = sendmail
    to
    Code:
    mta = mail
    But today I don't have time to test it :(

    Don't know if you can see anything wrong in that info that will not work with the Centminmod setup and postfix, so I can avoid that parameter .... ?
     
  8. pamamolf

    Ok, I got a few minutes to test it :)

    So the email function is not working on the default installation setup.

    I was able to fix this by editing:

    Code:
    /etc/fail2ban/jail.local
    and I added this at the top of the default settings:

    Code:
    # email action. Since 0.8.1 upstream fail2ban uses sendmail
    # MTA for the mailing. Change mta configuration parameter to mail
    # if you want to revert to conventional 'mail'.
    #mta = sendmail
    mta = mail
    Then I used this line for the email alert:

    Code:
    mail-whois[name=JailName, dest=myemail@gmail.com, sender=fail2ban@mydomain.com]
    Then after restarting fail2ban I was able to get email notifications :)

    The only issues it has now are:

    1) Email title has:

    Code:
    from localhost.localdomain
    Don't know how to set that to the hostname :(

    2) In the email there is a warning about the missing whois program:

    Code:
    missing whois program
    I did try to install it with: yum install whois

    but it doesn't locate it, so it can't use it :(

    I also tried yum install jwhois and got:

    Code:
    [Querying whois.ripe.net]
    [Unable to connect to remote host]
    missing whois program
    If you can fix those two issues it will be great !!!!!!

    Thank you
     
    Last edited: Aug 26, 2017
  9. eva2000

  10. pamamolf

    Until you get some time to do your checks on the two issues above, I think it would be good to make some edits that will help a lot...

    So I want to recommend :)

    Add at the top of the /etc/fail2ban/jail.local defaults (with some comments maybe):

    Code:
    mta = mail
    dest=myemail@gmail.com
    sender=fail2ban@mydomain.com
    and in the same file, under the action option of every jail rule, this:

    Code:
    mail[name=SSH, dest=what the user has set on top of the file, sender=what the user has set on top of the file]
    Like this:

    Code:
    action = csfdeny[name=http-xensec]
             mail[name=SSH, dest=what the user has set on top of the file, sender=what the user has set on top of the file]
    But all those lines under the action must be commented out, and the user must enable the one he wants :)
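An added example, not the thread's or centminmod-fail2ban's own code, that writes the defaults this post proposes into a jail.local using fail2ban's actual interpolation names: jail.conf calls the recipient `destemail` (not `dest`), the sender `sender`, and `%(__name__)s` expands to each jail's own name, so one [DEFAULT] action covers every jail without per-jail copies. It assumes the csfdeny action takes a `name=` parameter as shown earlier in the thread, and that mail-whois will find a `whois` binary on the box.

```shell
#!/bin/sh
# Added example (not from the thread or centminmod-fail2ban): generate a jail.local that
# bans through CSF and mails a whois report, with the addresses set once in [DEFAULT].
# Assumption: csfdeny[name=...] is the CSF ban action used by the thread's setup.
# mail-whois needs the `whois` binary installed, or the report says "missing whois program".

write_f2b_mail_defaults() {
    out=$1; dest=$2; sender=$3
    cat > "$out" <<EOF
[DEFAULT]
# "mail" sends through mailx; the sendmail path did not deliver on the poster's default install.
mta = mail
destemail = $dest
sender = $sender

# Ban via CSF, then mail a whois report. %(__name__)s is the jail's own name, so the
# subject is tagged per jail instead of a hard-coded "SSH".
action_csf_mw = csfdeny[name=%(__name__)s]
                %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s"]

# Ban only, no mail: set "action = %(action_csf)s" in a jail's own section to silence it.
action_csf = csfdeny[name=%(__name__)s]

action = %(action_csf_mw)s
EOF
}

# Parse check with fail2ban-client -t (fail2ban 0.10+) when it is installed.
# Prints "ok", "broken", or "skipped" when fail2ban-client is absent.
check_f2b_config() {
    if command -v fail2ban-client >/dev/null 2>&1; then
        fail2ban-client -t >/dev/null 2>&1 && echo ok || echo broken
    else
        echo skipped
    fi
}

# Usage on a real box (uncomment; destemail/sender values are placeholders):
# write_f2b_mail_defaults /etc/fail2ban/jail.local admin@example.com fail2ban@example.com
# check_f2b_config && systemctl restart fail2ban
```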
     
  11. pamamolf

    Also, how can I totally disable startup for fail2ban? When I stop it, after the server restarts it is up and running again ....?
     
  12. pamamolf

    That's the info I found that may help with the hostname in the email subject:

    Code:
    https://github.com/fail2ban/fail2ban/issues/1653
    https://github.com/fail2ban/fail2ban/issues/1859
    https://blog.pregos.info/2014/05/10/fail2ban-hostname-im-subject-emails-vom-01-01-1970/
    One of them has a related fix in the latest 0.11 .... Don't know if that's the issue now ....

    Hope that helps....
     
  13. eva2000

    thanks will take a look

    Why would you want to do that? It's the normal service chkconfig off or systemctl disable for the service.

    cheers
     
  14. pamamolf

    In case I change my mind and don't want to use it any more..... So if I just stop it, then after a restart it will auto start and I will not even remember that :)

    I will wait for your edits/fixes :)

    Thank you !!!
     
  15. pamamolf

    After checking the Nginx get f5 option a bit, I think we can re-enable it as default but with a higher value of 25 - 30 :)

    So if you want to re-enable it as default, please do so with a higher value, as it may be useful ....

    Thank you
     
  16. eva2000

    ok. but let's leave it disabled for now :)
     
  17. pamamolf

    I just tried to install it on a new server and it failed :(

    Code:
    CentOS Linux release 7.3.1611 (Core) - Dedicated server
    Code:
    mkdir -p /root/tools
    cd /root/tools
    git clone https://github.com/centminmod/centminmod-fail2ban
    cd centminmod-fail2ban
    ./fail2ban.sh install
    Error at the installation:

    Code:
    cp: cannot stat ‘/svr-setup/fail2ban/files/fail2ban.service’: No such file or directory
    and at the end:

    Code:
    Failed to stop fail2ban.service: Unit fail2ban.service not loaded.
    Failed to start fail2ban.service: Unit not found.
    Failed to execute operation: No such file or directory
    
    Unit fail2ban.service could not be found.
    
     Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?
    :(

    It looks like the automated setup is missing some commands from the manual installation instructions... ?
     
    Last edited: Sep 5, 2017
  18. eva2000

  19. pamamolf

    Yup :)

    The first time I ran the manual installation commands first, so I didn't have that issue....

    Now that I try it on the second server using the automated way only, I get that issue :)
     
  20. eva2000
