webmin / webmin

Powerful and flexible web-based server management control panel
http://www.webmin.com/
BSD 3-Clause "New" or "Revised" License

fail2ban: configuration bug in 00-firewalld.conf #1681

Open digitaldutch opened 2 years ago

digitaldutch commented 2 years ago

Upgrading from Debian 9, I ran into fail2ban problems on Debian 10 and 11 (beta installer). It caused "already banned" warnings and iptables errors in fail2ban.log, and bans not working.

The root of the problem is in /etc/fail2ban/jail.d/00-firewalld.conf not defining banaction_allports.

/etc/fail2ban/jail.conf has the default banactions set to iptables:

banaction = iptables-multiport
banaction_allports = iptables-allports

Webmin tells fail2ban to use firewalld instead in /etc/fail2ban/00-firewalld.conf, but not for the allports ban actions. The second line below is missing:

banaction = firewallcmd-ipset
banaction_allports = firewallcmd-allports <---- missing

This causes fail2ban to make changes to both firewalld and iptables at the same time. Not a good idea. The problem only shows up if you have an allports jail like recidive switched on. Debian 9 already had this misconfiguration but seems to be able to cope with it.

I noticed that the bug was also in CentOS, from where I think the 00-firewalld.conf was copied.

I switched on firewalld ipset for allports too in 00-firewalld.conf:

banaction = firewallcmd-ipset[actiontype="<multiport>"]
banaction_allports = firewallcmd-ipset[actiontype="<allports>"]

This syntax works from fail2ban 10.2.2, which is fine on Debian 10 and 11. Debian 9 is still on fail2ban 0.9.6, where firewallcmd-ipset only supports multiport. The new beta installer can use the ipset syntax above.
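The inconsistency described in this report (a jail.d drop-in that switches `banaction` to a firewalld action but leaves `banaction_allports` at the iptables default from jail.conf) can be checked mechanically. The following is an added example, not code from Webmin, Virtualmin or fail2ban; it assumes fail2ban's documented load order (jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local) and only looks at `[DEFAULT]`, not at per-jail overrides. The sample config strings are constructed from the values quoted in the issue.

```python
"""Detect mixed firewalld/iptables ban actions in fail2ban [DEFAULT] settings.

Added example; not part of Webmin, Virtualmin or fail2ban. Assumes that
[DEFAULT] values in later files override earlier ones in the load order
used by check_system(), and ignores per-jail banaction overrides.
"""
import configparser
from pathlib import Path

# Constructed sample of the distribution default (values as quoted in the issue).
JAIL_CONF = """\
[DEFAULT]
banaction = iptables-multiport
banaction_allports = iptables-allports
"""

# Constructed drop-in as described in the issue: the allports line is missing.
BROKEN_DROPIN = """\
[DEFAULT]
banaction = firewallcmd-ipset
"""

# Constructed drop-in with the fix proposed in the issue.
FIXED_DROPIN = """\
[DEFAULT]
banaction = firewallcmd-ipset[actiontype="<multiport>"]
banaction_allports = firewallcmd-ipset[actiontype="<allports>"]
"""


def backend(action: str) -> str:
    """Map a ban action name (with optional [param=...] suffix) to the firewall it drives."""
    name = action.split("[", 1)[0].strip()
    if name.startswith("firewallcmd"):
        return "firewalld"
    if name.startswith("iptables"):
        return "iptables"
    return "other"


def effective_defaults(*configs: str) -> dict:
    """Merge the [DEFAULT] sections of several config texts; later texts override earlier ones."""
    parser = configparser.ConfigParser(interpolation=None)
    for text in configs:
        parser.read_string(text)
    return dict(parser.defaults())


def check_banactions(*configs: str) -> list:
    """Return findings about the merged [DEFAULT] ban actions; an empty list means consistent."""
    defaults = effective_defaults(*configs)
    multiport = defaults.get("banaction")
    allports = defaults.get("banaction_allports")
    if multiport is None or allports is None:
        return ["banaction or banaction_allports is not set in [DEFAULT]"]
    if backend(multiport) != backend(allports):
        return [f"banaction uses {backend(multiport)} ({multiport}) but "
                f"banaction_allports uses {backend(allports)} ({allports})"]
    return []


def check_system(root: str = "/etc/fail2ban") -> list:
    """Run the check against a real fail2ban directory (hypothetical default path)."""
    base = Path(root)
    ordered = [base / "jail.conf"]
    ordered += sorted((base / "jail.d").glob("*.conf"))
    ordered += [base / "jail.local"]
    ordered += sorted((base / "jail.d").glob("*.local"))
    texts = [p.read_text() for p in ordered if p.is_file()]
    return check_banactions(*texts)


if __name__ == "__main__":
    print("broken:", check_banactions(JAIL_CONF, BROKEN_DROPIN))
    print("fixed: ", check_banactions(JAIL_CONF, FIXED_DROPIN))
```

Run with `python3 check_banactions.py` to see the constructed broken and fixed cases; `check_system()` applies the same logic to a live `/etc/fail2ban` tree, which is the quickest way to confirm an installer-generated drop-in before enabling an allports jail such as recidive.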

jcameron commented 2 years ago

Is this a Webmin bug though, or a bug in the default fail2ban config file?

digitaldutch commented 2 years ago

I was assuming that this is a Webmin thing, as @swelljoe mentions here https://github.com/webmin/webmin/issues/599#issue-236068540 that the file is generated by him:

> The /etc/fail2ban/jail.d/00-firewalld.conf I'm generating for Ubuntu/Debian is copied from CentOS 7

Which also makes me think: does the 00-firewalld.conf file get overwritten on an upgrade of Webmin? If so, the lines should probably go into a *.local file.

digitaldutch commented 2 years ago

> Is this a Webmin bug though, or a bug in the default fail2ban config file?

Did an additional check. Clean Debian 11 minimal install. Added ipset, firewalld and fail2ban. After that there is no 00-firewalld.conf file in the /etc/fail2ban/jail.d folder.

digitaldutch commented 2 years ago

I think the bug originates here: Virtualmin-Config/lib/Virtualmin/Config/Plugin/Fail2banFirewalld.pm

and here: Virtualmin-Config/lib/Virtualmin/Config/Plugin/Fail2ban.pm

banaction_allports is missing

[DEFAULT]
banaction = firewallcmd-ipset
EOF

It is also in these scripts that /etc/fail2ban/jail.d/00-firewalld.conf is created.

jcameron commented 2 years ago

> Which also makes me think: Does the 00-firewalld.conf file get overwritten on an upgrade of webmin? If so the lines should probably go into a *.local file.

Webmin itself won't touch any of the fail2ban config files on upgrade.