Syncing IP's from fail2ban

[SamTzu]

I have been testing my script to copy fail2ban log files to Proxmox firewall and have managed to make it work... one time

cat /root/bin/banned2proxmox.sh

#!/bin/bash
#

# Sync fail2ban log files from client servers
rsync -a root@vm1.ic4.eu:/var/log/fail2ban.log /root/bin/fail2ban-vm1.log
rsync -a root@vm2.ic4.eu:/var/log/fail2ban.log /root/bin/fail2ban-vm2.log

# Clean up the logs and only show IP addressess
zgrep -h "Ban " /root/bin/fail2* | awk '{print $NF}' | sort | sort -n -r | tail -100 > /root/bin/banned.txt

# Only show uniq IP's and copy it to the end of cluster.fw

## Using date as IPSET name does not work... yet.
## echo "[IPSET $(date -I)]" >> /etc/pve/firewall/cluster.fw

# In the mean while make sure you have IPSET rule named XXX at the bottom of cluster.fw file
# It should look like this [IPSET XXX]
sort /root/bin/banned.txt | uniq -u >> /etc/pve/firewall/cluster.fw

This works but it requires that there is an IPSET rule named XXX at the bottom of cluster.fw file.
If IPSET rules would work with [IPSET $(date -I)] we could just add this script to cron using @daily /root/bin/banned2.proxmox.sh.

 

[SamTzu]

It's possible to keep adding XXX1, XXX2 etc at the bottom of the file but as soon as cluster firewall rules are modified the Proxmox GUI sorts the new IPSET rules.

 

[SamTzu]

I got this to work using daily cron job.

root@vm2401:~# cat /root/bin/banned2proxmox.sh

#!/bin/bash
#

# Sync fail2ban log files from client servers
rsync -a root@vm1.ic4.eu:/var/log/fail2ban.log /root/bin/fail2ban-vm1.log
rsync -a root@vm2.ic4.eu:/var/log/fail2ban.log /root/bin/fail2ban-vm2.log

# Clean up the logs and only show IP addressess
zgrep -h "Ban " /root/bin/fail2* | awk '{print $NF}' | sort | sort -n -r | tail -100 > /root/bin/banned.list

# Remove duplicates and unwanted characters from the IP list and copy it to the end of cluster.fw
## Using ISO date as IPSET name does not work... yet. So we remove unwanted characters.
echo "" > /root/bin/daily.list
echo "[IPSET Stardate$(date -I)]" |sed 's/[-]//g' >> /root/bin/daily.list

# Copy banned list after daily.list
sort /root/bin/banned.list | uniq -u >> /root/bin/daily.list

# Copy daily.list to the bottom of cluster.fw
cat /root/bin/daily.list >> /etc/pve/firewall/cluster.fw

 

[Mecanik]

Two questions:

- What is "client servers"?
- Why would you do this in the first place?

Thanks

 

[Tmanok]

Two questions:

- What is "client servers"?
- Why would you do this in the first place?

Thanks

Perhaps if you don't have an enterprise firewall and you either want a honeypot vm that sits out on the open to proactively catch crawlers and then ban them cluster-wide or you have many servers that are all receiving malicious activity and want to sort them uniquely.

Shouldn't those IPs be coming from the Fail2ban jail lists and not the standard logs? Seems a little too paranoid and possibly eroneous in case you or an end user accidentally type their password in to something twice... Then you're perma-banned from the whole cluster.

Cheers,

Tmanok

 

[SamTzu]

Actually I'm using Proxmox FireWall's rather than "Enterprise Firewall" for many reasons.
Most importantant is the cluster and the flexibility it provides. It's really simple and scalable. It's client friendly (LXC's are managed by clients themselves.) No need to write a ticket and wait a few days to fix simple problems.
I would like to see some FW plugins though. Inter action with other FW like systems like fail2ban.