Syncing IP's from fail2ban

SamTzu

Renowned Member
I have been testing my script to copy fail2ban log files to Proxmox firewall and have managed to make it work... one time :)

Code:
cat /root/bin/banned2proxmox.sh

#!/bin/bash
#

# Sync fail2ban log files from client servers
rsync -a root@vm1.ic4.eu:/var/log/fail2ban.log /root/bin/fail2ban-vm1.log
rsync -a root@vm2.ic4.eu:/var/log/fail2ban.log /root/bin/fail2ban-vm2.log

# Clean up the logs and only show IP addressess
zgrep -h "Ban " /root/bin/fail2* | awk '{print $NF}' | sort | sort -n -r | tail -100 > /root/bin/banned.txt

# Only show uniq IP's and copy it to the end of cluster.fw

## Using date as IPSET name does not work... yet.
## echo "[IPSET $(date -I)]" >> /etc/pve/firewall/cluster.fw

# In the mean while make sure you have IPSET rule named XXX at the bottom of cluster.fw file
# It should look like this [IPSET XXX]
sort /root/bin/banned.txt | uniq -u >> /etc/pve/firewall/cluster.fw

This works but it requires that there is an IPSET rule named XXX at the bottom of cluster.fw file.
If IPSET rules would work with [IPSET $(date -I)] we could just add this script to cron using @daily /root/bin/banned2.proxmox.sh.
 
Last edited:
I got this to work using daily cron job.

Code:
root@vm2401:~# cat /root/bin/banned2proxmox.sh

#!/bin/bash
#

# Sync fail2ban log files from client servers
rsync -a root@vm1.ic4.eu:/var/log/fail2ban.log /root/bin/fail2ban-vm1.log
rsync -a root@vm2.ic4.eu:/var/log/fail2ban.log /root/bin/fail2ban-vm2.log

# Clean up the logs and only show IP addressess
zgrep -h "Ban " /root/bin/fail2* | awk '{print $NF}' | sort | sort -n -r | tail -100 > /root/bin/banned.list

# Remove duplicates and unwanted characters from the IP list and copy it to the end of cluster.fw
## Using ISO date as IPSET name does not work... yet. So we remove unwanted characters.
echo "" > /root/bin/daily.list
echo "[IPSET Stardate$(date -I)]" |sed 's/[-]//g' >> /root/bin/daily.list

# Copy banned list after daily.list
sort /root/bin/banned.list | uniq -u >> /root/bin/daily.list

# Copy daily.list to the bottom of cluster.fw
cat /root/bin/daily.list >> /etc/pve/firewall/cluster.fw
 
Last edited:
  • Like
Reactions: Tmanok
Two questions:

- What is "client servers"?
- Why would you do this in the first place?

Thanks
 
Two questions:

- What is "client servers"?
- Why would you do this in the first place?

Thanks
Perhaps if you don't have an enterprise firewall and you either want a honeypot vm that sits out on the open to proactively catch crawlers and then ban them cluster-wide or you have many servers that are all receiving malicious activity and want to sort them uniquely.

Shouldn't those IPs be coming from the Fail2ban jail lists and not the standard logs? Seems a little too paranoid and possibly eroneous in case you or an end user accidentally type their password in to something twice... Then you're perma-banned from the whole cluster.

Cheers,

Tmanok
 
Actually I'm using Proxmox FireWall's rather than "Enterprise Firewall" for many reasons.
Most importantant is the cluster and the flexibility it provides. It's really simple and scalable. It's client friendly (LXC's are managed by clients themselves.) No need to write a ticket and wait a few days to fix simple problems.
I would like to see some FW plugins though. Inter action with other FW like systems like fail2ban.
 
  • Like
Reactions: Tmanok

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!