Koozali.org, home of the SME Server

Fail2ban not so helpful anymore

Offline holck

  • *
  • 290
  • +1/-0
Fail2ban not so helpful anymore
« on: January 15, 2022, 11:30:22 AM »
Apparently, malware writers have found ways to live with and circumvent fail2ban. Here are a few examples from my server, showing in the first column the IP-address, and in the second column the time of the attack.

Attacks from subnets instead of single IPs:
Code: [Select]
163.123.141.100 - 2022-01-12 15:30:20
163.123.141.100 - 2022-01-12 15:38:57
163.123.141.101 - 2022-01-12 12:00:22
163.123.141.101 - 2022-01-12 12:06:41
163.123.141.104 - 2022-01-12 23:21:35
163.123.141.104 - 2022-01-12 23:22:58
163.123.141.105 - 2022-01-12 19:30:27
163.123.141.105 - 2022-01-12 19:35:25
163.123.141.106 - 2022-01-12 14:31:15
163.123.141.106 - 2022-01-12 14:33:52
163.123.141.107 - 2022-01-12 18:00:26
163.123.141.107 - 2022-01-12 18:03:15
163.123.141.108 - 2022-01-12 21:21:42
163.123.141.108 - 2022-01-12 21:28:07
163.123.141.109 - 2022-01-12 12:30:23
163.123.141.109 - 2022-01-12 12:33:46
163.123.141.109 - 2022-01-12 12:40:24
163.123.141.109 - 2022-01-12 12:40:24
163.123.141.110 - 2022-01-12 20:02:08
163.123.141.110 - 2022-01-12 20:02:45
163.123.141.110 - 2022-01-12 20:12:10
163.123.141.110 - 2022-01-12 20:12:10
163.123.141.111 - 2022-01-12 17:00:32
163.123.141.111 - 2022-01-12 17:02:58
163.123.141.112 - 2022-01-12 22:51:28
163.123.141.112 - 2022-01-12 22:53:46
163.123.141.114 - 2022-01-12 16:01:02
163.123.141.114 - 2022-01-12 16:04:58
163.123.141.116 - 2022-01-12 13:31:06
163.123.141.116 - 2022-01-12 13:33:44
163.123.141.119 - 2022-01-12 19:00:30
163.123.141.119 - 2022-01-12 19:07:35
163.123.141.120 - 2022-01-12 17:31:41
163.123.141.120 - 2022-01-12 17:35:04
163.123.141.121 - 2022-01-12 12:59:24
163.123.141.121 - 2022-01-12 13:01:54
163.123.141.122 - 2022-01-12 15:01:09
163.123.141.122 - 2022-01-12 15:03:00
163.123.141.123 - 2022-01-12 21:51:24
163.123.141.123 - 2022-01-12 21:55:23
163.123.141.124 - 2022-01-12 23:51:16
163.123.141.124 - 2022-01-12 23:55:25
163.123.141.125 - 2022-01-12 11:32:03
163.123.141.125 - 2022-01-12 11:43:35
163.123.141.125 - 2022-01-12 11:46:18
163.123.141.125 - 2022-01-12 11:46:19
163.123.141.126 - 2022-01-12 14:00:28
163.123.141.126 - 2022-01-12 14:03:13

"Lazy" attacks: make a try, wait a little, make a try ...
Code: [Select]
178.176.175.178 - 2022-01-09 17:07:41
178.176.175.178 - 2022-01-09 17:07:48
178.176.175.178 - 2022-01-09 17:07:54
178.176.175.178 - 2022-01-09 17:07:54
178.176.175.178 - 2022-01-10 20:21:11
178.176.175.178 - 2022-01-10 20:21:16
178.176.175.178 - 2022-01-12 08:51:03
178.176.175.178 - 2022-01-12 08:51:05
178.176.175.178 - 2022-01-12 08:51:08
178.176.175.178 - 2022-01-12 08:51:08
178.176.175.178 - 2022-01-13 17:55:04
178.176.175.178 - 2022-01-13 17:55:05
178.176.175.178 - 2022-01-13 17:55:13
178.176.175.178 - 2022-01-13 17:55:13
178.176.175.178 - 2022-01-14 22:20:16
178.176.175.178 - 2022-01-14 22:20:20
178.176.175.178 - 2022-01-14 22:20:22
178.176.175.178 - 2022-01-14 22:20:22

Also, it's obvious from the log files, that attackers are able to coordinate attacks from different IP-addresses.

I'll be glad to hear what other in this forum are doing to prevent this.

Jesper, Denmark
......

Offline mmccarn

  • *
  • 2,573
  • +5/-0
Re: Fail2ban not so helpful anymore
« Reply #1 on: January 15, 2022, 04:47:31 PM »
I created a jail for '91Portscan' and customized '90Recidive' and '05IgnoreIP'

https://github.com/mmccarn/smeserver/tree/42efa28d38e11a477f2f4a460d1a54d005241fb5/templates-custom/etc/fail2ban/jail.conf

My current settings:
* recidive looks for 3 attacks over 3 days and bans offenders for 21 days
* portscan looks for 4 attacks over 3 days and bans offenders for 21 days

Code: [Select]
# config show fail2ban
fail2ban=service
    BanTime=259200
    FindTime=43200
    IgnoreIP=[REDACTED]
    Mail=disabled
    MailRecipient=mmccarn@REDACTED]
    MaxRetry=2
    PortscanBanTime=1814400
    PortscanFindTime=259200
    PortscanMaxRetry=4
    RecidiveBanTime=1814400
    RecidiveFindTime=259200
    RecidiveMaxRetry=3
    status=enabled


There is fail2ban work for banning entire subnets, but I couldn't get it to work when I last worked on this (3 years ago / SME 9.2 / fail2ban-09.6-1)

Offline ReetP

  • *
  • 3,183
  • +5/-0
Re: Fail2ban not so helpful anymore
« Reply #2 on: January 16, 2022, 06:43:12 PM »
Jesper,

Frustratingly security is a continual war and nothing stands still. Just have to roll with it.

Mike,

we could look at integrating those mods? Can you open a bug?

Where did you get stuck on subnets?

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline mmccarn

  • *
  • 2,573
  • +5/-0
Re: Fail2ban not so helpful anymore
« Reply #3 on: January 20, 2022, 01:36:49 PM »
Where did you get stuck on subnets?

I found my notes on fail2ban-subnets on the wiki "talk" page: https://wiki.koozali.org/Talk:Fail2ban

From that page, it looks I got it to a point where I got no obvious error messages, but I couldn't figure out how to verify that it actually works.  I have ~5 months of fail2ban daemon logs - none of those show any evidence that any subnet has ever been blocked.  I also have /var/log/fail2ban-subnets.log from 2017_08_18 through 2022_01_20; every log entry is basically "fail2ban-subnets.py: INFO started with an analysis over 16 weeks"

fail2ban Portscan: NFR: Portscan Jail
fail2ban Recidive: no bug at this time
fail2ban Subnets: no bug at this time

Offline ReetP

  • *
  • 3,183
  • +5/-0
Re: Fail2ban not so helpful anymore
« Reply #4 on: January 20, 2022, 03:35:56 PM »
Quote
I found my notes on fail2ban-subnets on the wiki "talk" page: https://wiki.koozali.org/Talk:Fail2ban

Roger - got it.

Blimey that script is a bit kludgy, and I can barely read python, let alone write it!

So the normal process for F2B (correct me if I am wrong)

Read/Execute jail.conf
Read/Execute filter on log file
Read/Execute action smeserver-iptables with results

The problem here is the subnet python script tries to execute iptables itself - not good. It could almost be a totally standalone system.

So trying to work this through.

First - we don't need .local dirs - just use the existing ones.

We don't need the action script. We need to use the smeserver-iptables one.

The fail2ban-subnets.py file should really parse the required fail2ban logs, find the requisite subnets and write them to a subnet log which can then be processed by the filter file and F2B itself for banning by the smeserver-iptables action(I think) - that can be done on a cron with the script in say /usr/local/bin

Currently when it runs it doesn't really do anything as it is trying to add to a iptable that does not exist and that is because SME handles the tables itself, as above.

So it never gets past the initial logger message:

Code: [Select]
logger.info("started with an analysis over %s" % human_readable_time(findtime))
I also can't see where else it actually logs the guilty subnets!!

Anyway, the filter script should have a filter that takes the subnets in the log and then adds them via the smeserver-iptables action.

Currently the filter just tells you what is in the subnet.log file - it does nothing really! Check say the recidive filter or similar for comparison.


So IMHO it really needs some rewriting. I could probably do it in perl (I already have some other perl subnet stuff kicking about), but not python :roll:


Further reading:

https://github.com/fail2ban/fail2ban/issues/927
https://unix.stackexchange.com/questions/181114/how-can-i-teach-fail2ban-to-detect-and-block-attacks-from-a-whole-network-block
https://github.com/fail2ban/fail2ban/issues/2261


(Not sure if you meant this on the wiki!!:)

Quote
Test
cd ~/addons/fail2ban-subnets
perl fail2ban-subnets.py << with perl ?? !!



Let me know your thoughts - be interested to look at this if we can get something workable, but note it can be dangerous if you ban a big range!!

I can't do much else myself right now as I have been off work with my gammy back for over a week and so I'm waaaaaaaaay behind. But happy to look at anything you might conjure up.


E&OE :-)
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Online Jean-Philippe Pialasse

  • *
  • 2,041
  • +6/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Fail2ban not so helpful anymore
« Reply #5 on: January 22, 2022, 03:50:47 AM »
i have recently updated the smeserver fail2ban iptable script to accept subnet and not only ip.  this could help in using this strategy …