On Sun, 3 Nov 2019, Phil Stracchino wrote:

> On 2019-11-03 14:21, Bernardo Reino wrote:
>> On Sun, 3 Nov 2019, Phil Stracchino wrote:
>>> I've been thinking about setting up exactly such a thing myself.  Trying
>>> to figure out how to make fail2ban talk to a Shorewall firewall on a
>>> different box is just too much of a pain for such a fundamentally simple
>>> task.  It's like trying to set up a CNC mill when all you actually want
>>> to do is file 2mm off a strike plate.
>>
>> If you can do it locally, you can do it remotely (via ssh), like:
>>
>> ssh remote-box whatever_local_shorewall_command
>
> I assumed that was the approach to use, but I found fail2ban's
> configuration and documentation opaque and confusing, and couldn't find
> a good how-to that explained how to set it up.  It was enough of a
> headache that I decided my time was probably better spent building
> something simple and lightweight purpose-built to do exactly what I want
> it to than in trying to figure out the right subset of many complex
> configuration options for a tool designed to do a whole lot of things I
> don't actually need it to do.

You can create a custom action like:
$ cat /etc/fail2ban/action.d/local_action.conf
[Definition]
actionban   = /usr/local/sbin/fail2ban_action.sh add <ip>
actionunban = /usr/local/sbin/fail2ban_action.sh delete <ip>
actioncheck =
actionstart =
actionstop =

[Init]
$

(exactly as is, the "<ip>" will then be replaced by fail2ban with the IP to be blocked/unblocked).

Then in /usr/local/sbin/fail2ban_action.sh you write whatever you need to add or delete an IP from the filter.

In my case it is:

$ cat /usr/local/sbin/fail2ban_action.sh
#!/bin/sh

# nftables, set = fail2ban
nft $1 element inet filter fail2ban { $2 } 2>&1

exit 0
$

If the firewall were remote instead of local, I would just change the nft invocation to "ssh firewall nft ..."

Once set, you only need to adapt your /etc/fail2ban/jail.local to use

--
banaction = local_action
--
(or whatever name you choose for the action .conf file)

and of course, if not done already, enable the [sasl] module, like:

--
[sasl]
enabled   = true
port      = smtp,smtps,submission
filter    = postfix-sasl
logpath   = /var/log/mail.log
--

Hope that helps!
Good luck.
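A hardened variant of the action script above, added here as an example and not taken from the original post: it validates the operation and the address before either reaches nft, which matters most in the ssh variant, because ssh joins its arguments into a single remote command line. The NFT_VIA_SSH and DRY_RUN variables are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the original poster's script: same fail2ban action,
# but the operation and address are validated before reaching nft or ssh.
# Assumed: set "fail2ban" exists in table "inet filter"; NFT_VIA_SSH
# (hypothetical) names a remote firewall host, empty means run nft locally.
NFT_VIA_SSH="${NFT_VIA_SSH:-}"

# is_ipv4 ADDR: true for four dot-separated decimal octets, each 0-255.
is_ipv4() {
    case "$1" in *[!0-9.]*|''|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# is_ipv6 ADDR: true for a plain hex-and-colon literal (no zone id, no
# embedded IPv4): at most one "::", at most 8 groups of at most 4 digits.
is_ipv6() {
    case "$1" in
        *[!0-9A-Fa-f:]*|''|*:::*|*::*::*) return 1 ;;
        *:*:*) ;;
        *) return 1 ;;
    esac
    oldifs=$IFS; IFS=:; set -- $1; IFS=$oldifs
    [ $# -le 8 ] || return 1
    for g in "$@"; do [ ${#g} -le 4 ] || return 1; done
}

# fail2ban_action OP ADDR: OP is "add" or "delete" (as fail2ban passes it);
# with DRY_RUN set, prints the command instead of running it.
fail2ban_action() {
    op=$1; addr=$2
    case "$op" in add|delete) ;; *)
        echo "fail2ban_action: unknown operation '$op'" >&2; return 2 ;;
    esac
    if ! is_ipv4 "$addr" && ! is_ipv6 "$addr"; then
        echo "fail2ban_action: not an IP literal: '$addr'" >&2; return 2
    fi
    set -- nft "$op" element inet filter fail2ban "{ $addr }"
    # ssh joins its arguments into one remote command line; that is safe
    # only because every word above has already been validated.
    [ -n "$NFT_VIA_SSH" ] && set -- ssh "$NFT_VIA_SSH" "$@"
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@" 2>&1; fi
}

# Stand-alone use: fail2ban invokes the script as "<op> <ip>".
if [ $# -eq 2 ]; then fail2ban_action "$1" "$2"; fi
```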
