| Summary: | Fail2ban updated to 1.0.1 improves stability | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | christian barranco <chb0> |
| Component: | RPM Packages | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, guillaume.royer, mageia, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | fail2ban-0.11.2-1.1.mga8.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 30952 | ||
Description
christian barranco
2022-10-01 19:52:01 CEST
ADVISORY NOTICE PROPOSAL
========================

New major version of fail2ban with increased performance, stability, filter and action updates.

Description

Fail2ban 1.0.1 increases performance, stability, filter and action updates. See the long ChangeLog for more information.

References

https://bugs.mageia.org/show_bug.cgi?id=30922
https://github.com/fail2ban/fail2ban/releases/tag/1.0.1
https://github.com/fail2ban/fail2ban/blob/1.0.1/ChangeLog

SRPMS
8/core
fail2ban-1.0.1-1.mga8.src.rpm

PROVIDED PACKAGES:
=================
NOARCH
fail2ban-1.0.1-1.mga8.noarch.rpm
christian barranco
2022-10-02 16:27:09 CEST
CC: (none) => sysadmin-bugs

Ready for QA.
A PROPOSAL FOR TESTING
======================
You need 2 machines. One playing the server role and one playing the client role.
Fail2ban is to be installed on the server.
1/open a console on the machine playing the server role
su -p
urpmi openssh-server
urpmi fail2ban
touch /var/log/messages
edit /etc/fail2ban/jail.d/01-ssh.local and uncomment all the lines from [sshd] included until the end
systemctl start sshd
systemctl start fail2ban
systemctl status sshd # check service is active
systemctl status fail2ban # check service is active
fail2ban-client status
should return:
Status
|- Number of jail: 1
`- Jail list: sshd
2/find the server local IP via the network applet or ifconfig or whatever
3/ Move to the machine playing the client role. Open a console.
ssh dummy@server_local_ip
Strike Enter until you are disconnected because of "Too many authentication failures".
If you try again ssh dummy@server_local_ip, you should not even get the prompt to enter the password. It will just wait until the connection times out.
4/come back to the server console, where you should still be connected as root
Run still as root: fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 11
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: server_local_ip
Run still as root: shorewall show bl
It will confirm the Firewall is blocking the banned IP
Shorewall 5.2.8 blacklist chains at cbct-desk - dim. 02 oct. 2022 16:20:59 CEST
Chain dynamic (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * server_local_ip 0.0.0.0/0
To unban: fail2ban-client set sshd unbanip server_local_ip
5/Note: if you have a Mail Transport Agent like postfix installed on the server, you will also receive an email from Fail2ban informing about the banned IP.
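One way to automate the cross-check in step 4, as an added example that is not part of this bug report or of fail2ban itself: it parses the text that `fail2ban-client status sshd` and `shorewall show bl` print (in the shapes shown above) and reports any IP that fail2ban lists as banned but the firewall does not DROP, plus a mismatch between the "Currently banned" counter and the IP list. The embedded sample outputs are constructed for the example; the function names and the `run_live_check` helper are this example's own.

```python
"""Cross-check fail2ban's banned IP list against the firewall blacklist.

Added example (not from the Mageia bug report or the fail2ban project).
The two SAMPLE_* strings are constructed to match the output shapes shown
in the test procedure; one banned IP is deliberately left out of the
firewall dump so the check has something to report.
"""
import re
import subprocess

# Constructed sample of `fail2ban-client status sshd` output.
SAMPLE_JAIL_STATUS = """Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     11
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   192.168.1.5 192.168.1.77
"""

# Constructed sample of `shorewall show bl` output (192.168.1.77 missing on purpose).
SAMPLE_SHOREWALL_BL = """Shorewall 5.2.8 blacklist chains at localhost - Tue Oct  4 20:56:15 CEST 2022

Chain dynamic (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.168.1.5          0.0.0.0/0
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"


def parse_jail_status(text):
    """Return (currently_banned, banned_ips) from fail2ban-client jail status text."""
    m = re.search(r"Currently banned:\s*(\d+)", text)
    currently = int(m.group(1)) if m else 0
    m = re.search(r"Banned IP list:\s*(.*)", text)
    ips = m.group(1).split() if m else []
    return currently, ips


def parse_blacklist_sources(text):
    """Return the set of source addresses that carry a DROP or REJECT rule.

    Understands the verbose iptables layout that shorewall prints:
    pkts bytes target prot opt in out source destination
    """
    blocked = set()
    for line in text.splitlines():
        fields = line.split()
        if (len(fields) >= 9 and fields[2] in ("DROP", "REJECT")
                and re.fullmatch(IPV4 + r"(?:/\d+)?", fields[7])):
            blocked.add(fields[7].split("/")[0])
    return blocked


def check_bans_enforced(jail_status_text, blacklist_text):
    """Compare fail2ban's view with the firewall's.

    Returns {"missing": [IPs banned by fail2ban but not blocked],
             "count_ok": whether the counter matches the list length}.
    """
    currently, ips = parse_jail_status(jail_status_text)
    blocked = parse_blacklist_sources(blacklist_text)
    return {
        "missing": [ip for ip in ips if ip not in blocked],
        "count_ok": currently == len(ips),
    }


def run_live_check(jail="sshd"):
    """Run the real commands as root (assumes fail2ban and shorewall are installed)."""
    status = subprocess.run(["fail2ban-client", "status", jail],
                            capture_output=True, text=True, check=True).stdout
    bl = subprocess.run(["shorewall", "show", "bl"],
                        capture_output=True, text=True, check=True).stdout
    return check_bans_enforced(status, bl)


if __name__ == "__main__":
    # On the constructed samples this reports 192.168.1.77 as not enforced.
    print(check_bans_enforced(SAMPLE_JAIL_STATUS, SAMPLE_SHOREWALL_BL))
```

The parser only sees bans that appear as per-IP sources in a DROP/REJECT rule, which is what shorewall's dynamic blacklist chain shows. With an ipset-based action such as the `iptables-ipset-proto6-allports` configuration mentioned later in this report, `iptables --list` shows a single `match-set f2b-sshd src` rule instead, and the banned addresses would have to be read from the ipset rather than from the chain.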
Installed and tested without issues.
System: Mageia 8, x86_64, AMD CPU.
Tested on a workstation (and also a server) with Apache and sshd running with internet access. Other IP traffic is on a wireguard VPN.
Have fail2ban configured with "action = iptables-ipset-proto6-allports" which is different from the default.
# uname -a
Linux jupiter 5.19.7-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Mon Sep 5 18:45:50 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
#
#
# rpm -q fail2ban
fail2ban-1.0.1-1.mga8
#
#
# fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: apache-auth, sshd
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 28
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 1240
|- Total banned: 1523
`- Banned IP list: <SNIP long list of IPv4>
#
#
# iptables --numeric --list
Chain INPUT (policy DROP)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 match-set f2b-sshd src reject-with icmp-port-unreachable
<SNIP unrelated rules>
#
#
# systemctl status fail2ban.service
● fail2ban.service - fail2ban attack scanner
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2022-10-03 12:00:47 WEST; 3h 26min ago
TriggeredBy: ● fail2ban.timer
Process: 19522 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
Main PID: 19526 (fail2ban-server)
Tasks: 7 (limit: 37626)
Memory: 12.8M
CPU: 15.266s
CGroup: /system.slice/fail2ban.service
└─19526 /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /run/fail2ban/fail2ban.pid -x --loglevel INFO --logtarget SYSLOG --syslogsocket auto
<SNIP log messages>
CC: (none) => mageia

MGA8 64 VM LXQt
Installed and tested without issues. Tested with squid-f's procedure:
# systemctl status fail2ban
● fail2ban.service - fail2ban attack scanner
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2022-10-04 20:42:13 CEST; 11min ago
Process: 1997 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
Main PID: 2000 (fail2ban-server)
Tasks: 5 (limit: 3477)
Memory: 15.5M
CPU: 2.019s
CGroup: /system.slice/fail2ban.service
└─2000 /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x --loglevel INFO --logtarget /var/log/fail2ba>
oct. 04 20:42:12 localhost systemd[1]: Starting fail2ban attack scanner...
oct. 04 20:42:12 localhost fail2ban-client[1997]: 2022-10-04 20:42:12,936 fail2ban.configreader [1997]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
oct. 04 20:42:13 localhost fail2ban-client[1997]: Server ready
oct. 04 20:42:13 localhost systemd[1]: Started fail2ban attack scanner.
# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 11
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.1.5
# shorewall show bl
Shorewall 5.2.8 blacklist chains at localhost - mar. 04 oct. 2022 20:56:15 CEST
Chain dynamic (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 192.168.1.5 0.0.0.0/0
# fail2ban-client set sshd unbanip server my_IP
1
[root@localhost ~]# shorewall show bl
Shorewall 5.2.8 blacklist chains at localhost - mar. 04 oct. 2022 20:57:20 CEST
Chain dynamic (1 references)
pkts bytes target prot opt in out source destination
CC: (none) => guillaume.royer

Hi, I think it is enough for the x86 test. I don't think i586 would add a lot more. What else is required to push the update?
Whiteboard: (none) => MGA8-64-OK
Dave Hodgins
2022-10-08 20:08:00 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGAA-2022-0135.html
Status: NEW => RESOLVED
Marc Krämer
2022-10-19 12:57:53 CEST
Blocks: (none) => 30952

Why did this update get validated? This package has breaking changes, was bleeding edge and did not fix any severe bugs! Why is this an update and not pushed via backports?

It was a mistake. This should have been a backport, not an update. Now that it's done though, I don't see rolling back as an option, as if I'm reading the changelog correctly that would require users to delete/recreate the database.