Open digitaldutch opened 2 years ago
Is this a Webmin bug though, or a bug in the default fail2ban config file?
I was assuming that this is a webmin thing as @swelljoe mentions here https://github.com/webmin/webmin/issues/599#issue-236068540 that the file is generated by him:
> The /etc/fail2ban/jail.d/00-firewalld.conf I'm generating for Ubuntu/Debian is copied from CentOS 7
Which also makes me think: Does the 00-firewalld.conf file get overwritten on an upgrade of webmin? If so the lines should probably go into a *.local file.
> Is this a Webmin bug though, or a bug in the default fail2ban config file?
Did an additional check. Clean Debian 11 minimal install. Added ipset, firewalld and fail2ban. After that there is no 00-firewalld.conf file in the /etc/fail2ban/jail.d folder.
I think the bug is introduced here: `Virtualmin-Config/lib/Virtualmin/Config/Plugin/Fail2banFirewalld.pm`
and here: `Virtualmin-Config/lib/Virtualmin/Config/Plugin/Fail2ban.pm`

`banaction_allports` is missing:

```
[DEFAULT]
banaction = firewallcmd-ipset
EOF
```

It is also in these scripts that /etc/fail2ban/jail.d/00-firewalld.conf is created.
> Which also makes me think: Does the 00-firewalld.conf file get overwritten on an upgrade of webmin? If so the lines should probably go into a *.local file.
Webmin itself won't touch any of the fail2ban config files on upgrade.
Upgrading from Debian 9, I ran into fail2ban problems on Debian 10 and 11 (beta installer). It caused "already banned" warnings and iptables errors in fail2ban.log, and bans not working.
The root of the problem is in /etc/fail2ban/jail.d/00-firewalld.conf not defining banaction_allports.
/etc/fail2ban/jail.conf has the default banactions set to iptables:

Webmin tells fail2ban to use firewalld instead in /etc/fail2ban/00-firewalld.conf, but not for the allports ban actions. The second line below is missing:

This causes fail2ban to make changes to both firewalld and iptables at the same time. Not a good idea. The problem only shows up if you have an allports jail like recidive switched on. Debian 9 already had this misconfiguration but seems to be able to cope with it.
I noticed that the bug was also in centos from where I think the 00-firewalld.conf was copied.
I switched on firewalld ipset for allports too in 00-firewalld.conf:
This syntax works from fail2ban 10.2.2, which is fine on Debian 10 and 11. Debian 9 is still on fail2ban 0.9.6, where firewallcmd-ipset only supports multiport. The new beta installer can use the ipset syntax above.
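As an added check, not code from this issue or from Virtualmin-Config: a short Python script that merges jail.conf with jail.d drop-ins in fail2ban's override order and flags a `banaction`/`banaction_allports` pair that drives different firewalls, which is the mixed firewalld/iptables state described in this thread. The config fragments are constructed samples, and the corrected drop-in line assumes the `actiontype` tag that firewallcmd-ipset accepts in fail2ban 0.10 and later.

```python
import configparser

# Constructed sample fragments (not copied from any real host): the iptables
# defaults shipped in jail.conf, a jail.d drop-in that overrides only banaction
# (the misconfiguration in this issue), and a corrected drop-in whose second
# line assumes the actiontype tag of firewallcmd-ipset in fail2ban 0.10+.
JAIL_CONF = """
[DEFAULT]
banaction = iptables-multiport
banaction_allports = iptables-allports
"""
DROPIN_BUGGY = """
[DEFAULT]
banaction = firewallcmd-ipset
"""
DROPIN_FIXED = """
[DEFAULT]
banaction = firewallcmd-ipset
banaction_allports = firewallcmd-ipset[actiontype=<allports>]
"""


def backend(action):
    """Classify a banaction value by the firewall it drives; parameters in
    square brackets are ignored, so 'firewallcmd-ipset[...]' is firewalld."""
    name = action.split("[", 1)[0].strip()
    if name.startswith("firewallcmd"):
        return "firewalld"
    if name.startswith("iptables"):
        return "iptables"
    return "other"


def check_ban_backends(*fragments):
    """Merge fragments in order (jail.conf first, then jail.d drop-ins, as
    fail2ban does) and return (banaction, banaction_allports, finding);
    finding is None when both defaults drive the same firewall."""
    cp = configparser.ConfigParser(interpolation=None)  # fail2ban expands %()s itself
    for frag in fragments:
        cp.read_string(frag)  # a later [DEFAULT] overrides earlier values
    ban = cp["DEFAULT"].get("banaction", "")
    ban_all = cp["DEFAULT"].get("banaction_allports", "")
    finding = None
    if backend(ban) != backend(ban_all):
        finding = ("banaction uses %s but banaction_allports uses %s: allports "
                   "jails such as recidive would ban via a different firewall"
                   % (backend(ban), backend(ban_all)))
    return ban, ban_all, finding


if __name__ == "__main__":
    for label, dropin in (("buggy", DROPIN_BUGGY), ("fixed", DROPIN_FIXED)):
        print(label, check_ban_backends(JAIL_CONF, dropin)[2])
```

On a real host the same function can be fed the contents of /etc/fail2ban/jail.conf followed by the jail.d and jail.local files in the order fail2ban reads them.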