The officially official Devuan Forum!

You are not logged in.

#1 2023-03-09 12:09:10

bai4Iej2need
Member
From: Ortenau
Registered: 2021-04-25
Posts: 117  

[SOLVED] fail2ban banactions, convert from iptables to nftables

Hi
i have this chimaera fresh install, apache2 ,
with fail2ban and nftables
iptables is purged, as it was pulled in (IIRC)
but many fail2ban ban actions are set up to be iptables-<something>

and the log complains about functions not found:

-- exec: iptables -w -N f2b-apache-auth: 1 Time(s)
-- stderr: '/bin/sh: 1: iptables: not found': 1 Time(s)

Failed to execute ban jail 'apache-auth' action 'iptables-multiport' info '...: 1 Time(s)
Failed to execute ban jail 'apache-noscript' action 'iptables-multiport' in...: 1 Time(s)
Failed to execute ban jail 'apache-overflows' action 'iptables-multiport' i...: 1 Time(s)

How to convert all references to iptables into the fitting references to nftables ?
BTW : I took the server off the WAN, to avoid problems.


The devil, you know, is better than the angel, you don't know. by a British Citizen, I don't know too good.
One generation abandons the enterprises of another like stranded vessels. By Henry David Thoreau, WALDEN, Economy. Line 236 (Gutenberg text Version)
broken by design :
https://bugs.debian.org/cgi-bin/bugrepo … bug=958390

Offline

#2 2023-03-09 14:58:25

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 221  

Re: [SOLVED] fail2ban banactions, convert from iptables to nftables

Wondering if you've ended up with some form of hybrid iptables/nftables fail2ban config.

can you post the contents of your  /etc/fail2ban/jail.conf and /etc/fail2ban/jail.local file?

I used this guide to set up my mail system (with apache2 and postfix/dovecot support)
https://workaround.org/bullseye/firewal … igation-2/
I just needed translate the usual systemd systemctl call to sysvintit service calls.

Offline

#3 2023-03-09 21:11:37

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,251  

Re: [SOLVED] fail2ban banactions, convert from iptables to nftables

@bai4Iej2need, you could also just install iptables, couldn't you?

Offline

#4 2023-03-10 12:02:43

bai4Iej2need
Member
From: Ortenau
Registered: 2021-04-25
Posts: 117  

Re: [SOLVED] fail2ban banactions, convert from iptables to nftables

@Marjorie

Wondering if you've ended up with some form of hybrid iptables/nftables fail2ban config.

Yes, this is the case.

can you post the contents of your  /etc/fail2ban/jail.conf and /etc/fail2ban/jail.local file?

fail2ban-client status
Status
|- Number of jail:	12
`- Jail list:	apache-auth, apache-badbots, apache-botsearch, apache-fakegooglebot, apache-modsecurity, apache-nohome, \
apache-noscript, apache-overflows, apache-shellshock, nextcloud, sshd, sshlongterm

I deleted all not active settings in following (>900 lines) in jail.conf. They are for applications, which are not installed.

grep -nv (.... many items) jail.conf
33:[INCLUDES]
36:before = paths-debian.conf
41:[DEFAULT]
92:ignoreip = 127.0.0.1/8 ::1 192.168.4.0/24 192.168.178.0/24
98:ignorecommand =
101:bantime  = 10m
105:findtime  = 10m
108:maxretry = 5
111:maxmatches = %(maxretry)s
132:backend = auto
143:usedns = warn
150:logencoding = auto
158:enabled = false
162:mode = normal
167:filter = %(__name__)s[mode=%(mode)s]
178:destemail = root@localhost
181:sender = root@<fq-hostname>
186:mta = sendmail
189:protocol = tcp
192:chain = <known/chain>
196:port = 0:65535
199:fail2ban_agent = Fail2Ban/%(fail2ban_version)s
208:banaction = iptables-multiport
209:banaction_allports = iptables-allports
212:action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
215:action_mw = %(action_)s
216:            %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
220:action_mwl = %(action_)s
221:             %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
227:action_xarf = %(action_)s
228:             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
232:action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
233:                %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
243:action_blocklist_de  = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
253:action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
257:action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
263:action_abuseipdb = abuseipdb
268:action = %(action_)s
279:[sshd]
285:port    = ssh
286:logpath = %(sshd_log)s
287:backend = %(sshd_backend)s
...
297:[selinux-ssh]
299:port     = ssh
300:logpath  = %(auditd_log)s
307:[apache-auth]
309:port     = http,https
310:logpath  = %(apache_error_log)s
313:[apache-badbots]
316:port     = http,https
317:logpath  = %(apache_access_log)s
318:bantime  = 48h
319:maxretry = 1
322:[apache-noscript]
324:port     = http,https
325:logpath  = %(apache_error_log)s
328:[apache-overflows]
330:port     = http,https
331:logpath  = %(apache_error_log)s
332:maxretry = 2
335:[apache-nohome]
337:port     = http,https
338:logpath  = %(apache_error_log)s
339:maxretry = 2
342:[apache-botsearch]
344:port     = http,https
345:logpath  = %(apache_error_log)s
346:maxretry = 2
349:[apache-fakegooglebot]
351:port     = http,https
352:logpath  = %(apache_access_log)s
353:maxretry = 1
354:ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
357:[apache-modsecurity]
359:port     = http,https
360:logpath  = %(apache_error_log)s
361:maxretry = 2
364:[apache-shellshock]
366:port    = http,https
367:logpath = %(apache_error_log)s
368:maxretry = 1
...

581:[postfix]
583:mode    = more
584:port    = smtp,465,submission
585:logpath = %(postfix_log)s
586:backend = %(postfix_backend)s
589:[postfix-rbl]
591:filter   = postfix[mode=rbl]
592:port     = smtp,465,submission
593:logpath  = %(postfix_log)s
594:backend  = %(postfix_backend)s
595:maxretry = 1
598:[sendmail-auth]
600:port    = submission,465,smtp
601:logpath = %(syslog_mail)s
602:backend = %(syslog_backend)s
605:[sendmail-reject]
610:port     = smtp,465,submission
611:logpath  = %(syslog_mail)s
612:backend  = %(syslog_backend)s
...
675:[postfix-sasl]
677:filter   = postfix[mode=auth]
678:port     = smtp,465,submission,imap,imaps,pop3,pop3s
682:logpath  = %(postfix_log)s
683:backend  = %(postfix_backend)s
...
825:[pam-generic]
827:banaction = %(banaction_allports)s
828:logpath  = %(syslog_authpriv)s
829:backend  = %(syslog_backend)s
...

855:tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
856:udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
857:action_  = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"]
858:           %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"]
860:[softethervpn]
861:port     = 500,4500
862:protocol = udp
863:logpath  = /usr/local/vpnserver/security_log/*/sec.log
865:[gitlab]
866:port    = http,https
867:logpath = /var/log/gitlab/gitlab-rails/application.log
...
948:[phpmyadmin-syslog]
949:port    = http,https
950:logpath = %(syslog_authpriv)s
951:backend = %(syslog_backend)s
...
conf_grep.bash /etc/fail2ban/jail.d/jail.local 
1:[sshlongterm]
2:port    = ssh
3:logpath = %(sshd_log)s
4:backend = %(sshd_backend)s
5:banaction = nftables-multiport
6:maxretry  = 35
7:findtime  = 259200
8:bantime   = 608400
9:enabled   = true
10:filter    = sshd

@ralph.ronnquist

you could also just install iptables, couldn't you?

Yes I could, but the information of debian says, that iptables expires and nftables is the replacement and now the default for bullseye.
Why invest into the history ?
I was expecting to get a neat installation without leftovers from >=4 upgrades. (3 debian..2debianbuster,1 debianbuster2devuanbeowulf
and skipped the upgrade bewulf2chimaera,which was already pending.
And I expected to have a working OOTB interaction between fail2ban and nftables due to debians annoncement of nftables as default.

So as I made a fresh chimaera install anyhow, I cover this change (ip 2 nf) in the tables in the fresh chimaera installation too.


The devil, you know, is better than the angel, you don't know. by a British Citizen, I don't know too good.
One generation abandons the enterprises of another like stranded vessels. By Henry David Thoreau, WALDEN, Economy. Line 236 (Gutenberg text Version)
broken by design :
https://bugs.debian.org/cgi-bin/bugrepo … bug=958390

Offline

#5 2023-03-10 12:51:51

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,251  

Re: [SOLVED] fail2ban banactions, convert from iptables to nftables

I suggested you install iptables just because that would solve your problem; whether "debian" prefers that in their default installation or not doesn't seem to be particularly relevant or important to me. I think of it as one of the advantages with debian's and thus devuan's large repository that often there are alternative solutions to various functionalities, and then you stack solutions that work together.

E.g., apparently fail2ban works with iptables, so if one wants fail2ban one also installs iptables. Of course, since both nftables and iptables are support software operating on the kernel's network filtering subsystem you might not want both or at least you may have to take some care to make their usages complement each other.

Offline

#6 2023-03-10 12:58:31

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 221  

Re: [SOLVED] fail2ban banactions, convert from iptables to nftables

In your /etc/fail2ban/jail.conf I notice you have:

208:banaction = iptables-multiport
209:banaction_allports = iptables-allports

In my version (which works) I have:

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = nftables[type=multiport]
banaction_allports = nftables[type=allports]

also my  /etc/fail2ban/jail.local starts:

[DEFAULT]
banaction = nftables
chain     = input

[apache-auth]
enabled = true

NB all my subsequent jails after [apache-auth] are for postfix/dovecot as I only actively use apache to get my letsencrypt certificates (a webpage also exists).

So your fail2ban is calling iptables for banactions when you've deleted it. My version just invokes nftables.

The problem maybe that the switch from iptables to nftables is still incomplete in Chimaera and the default version still uses iptables commands that are then translated to nftables syntax. The underlying kernel module *is* now nftables.

My mail server was originally created in Beowulf ad novo using the guide that I referenced so is strict nftables (no iptables) while my own workstation is still using iptables (it began as asciii). Both were subsequently upgraded to Chimaera. The workstation doesn't need fail2ban.

Last edited by Marjorie (2023-03-10 13:02:54)

Offline

#7 2023-03-10 13:07:16

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,251  

Re: [SOLVED] fail2ban banactions, convert from iptables to nftables

@Marjorie: I think it's slightly misleading to say that the kernel module is nftables; rather it's the netfiltering subsystem that is targeted by either (or both) iptables rules and nft rules. And the main change in iptables is in using the netfilter socket for its kernel interactions rather than ioctls that it used previously. I guess you are clear on this, but generally there's a lot of confusion on this topic.

Basically nft rules and iptables rules do the same things with different syntax. As far as I know they are alternatives for the same function, except that iptables allows use of ipset, which is something that hasn't got into nft yet.

Offline

#8 2023-03-10 14:12:26

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 221  

Re: [SOLVED] fail2ban banactions, convert from iptables to nftables

Hi Ralph. Yes, perhaps I'm just not very good at expressing my understanding of this.

The Debian wiki says:

Starting with Debian 10 Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e, using iptables syntax with the nf_tables kernel subsystem). This also affects ip6tables, arptables and ebtables.

You can switch back and forth between iptables-nft and iptables-legacy by means of update-alternatives (same applies to arptables and ebtables).

So I suspect that in the default installation the fail2ban configuration assumes that iptables is installed, calls iptables and uses iptables-nft to translate.
Not quite the same thing as going nftables native.

Hence it seems that the simplest solution for the OP is, as you have said, to reinstall iptables.

Last edited by Marjorie (2023-03-10 14:13:16)

Offline

#9 2023-03-12 13:26:21

bai4Iej2need
Member
From: Ortenau
Registered: 2021-04-25
Posts: 117  

Re: [SOLVED] fail2ban banactions, convert from iptables to nftables

Hi Ralph and Majorie

2 days ago I did the fixes as described by Majorie, and I observe the logs now.  No complaints from logwatch until now !
One Ban action has taken place yesterday. I keep fingers crossed !


The devil, you know, is better than the angel, you don't know. by a British Citizen, I don't know too good.
One generation abandons the enterprises of another like stranded vessels. By Henry David Thoreau, WALDEN, Economy. Line 236 (Gutenberg text Version)
broken by design :
https://bugs.debian.org/cgi-bin/bugrepo … bug=958390

Offline

Board footer