custom_jail overrides default filters or correct way to change just logpath in default jail #157

Open
amateo opened this issue Aug 25, 2020 · 2 comments

Comments

@amateo

amateo commented Aug 25, 2020

Hi,

I want to configure an ssh jail on my system. The only parameters I need to change from the default configuration are the logpath and the action. What is the correct way to do it?

If I use a custom_jail like:

enabled: true
logpath: '/var/log/messages'
filter: 'sshd'
action: 'dummy'

then all predefined filters for sshd are deleted.

And I wouldn't like to duplicate the default ssh filters in my hiera.

What is the correct way to do this? Is it possible?

@decibelhertz

I'm having this issue, too. E.g. I want to change logpath to a glob and set the bantime for my HTTP(S) service to be different from my SSHD bantime. Further, polling mode works with fewer complaints than journalmatch for that filter, so I want to use that mode but systemd for sshd.

fail2ban::custom_jails:
  'nginx-botsearch':
    enabled: true
    backend: polling
    bantime: 3600
    port: http,https
    logpath: '/var/log/nginx/*error.log'

However, this destroys the regex data in /etc/fail2ban.d/nginx-botsearch. I can work around this with a differently named jail, e.g.

fail2ban::custom_jails:
  '10-nginx-botsearch':
    enabled: true
    backend: polling
    bantime: 3600
    port: http,https
    filter: nginx-botsearch
    logpath: '/var/log/nginx/*error.log'

This is kludgy, as it creates an unused filter file, but the jail doesn't load it; it loads the desired filter instead, and I am able to function.

Alternatively, I can put the regex data in YAML, but will note that there are a few problems with this:

  1. Declaring regex in YAML requires a LOT of confusing and/or extraneous escape characters, making maintenance a nightmare
  2. If the OS-managed package updates the filter, Puppet destroys those updates. This is not bad if I want that... but I want the choice
  3. There are parameters in the OS-provided filter I cannot currently express in Puppet, e.g. before, so while I can do that, I destroy some package setup.

E.g.

fail2ban::custom_jails:
  'nginx-botsearch':
    enabled: true
    backend: polling
    bantime: 3600
    port: http,https
    filter: nginx-botsearch
    # yamllint disable rule:line-length
    filter_datepattern: "{^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\\s*%%z)?\n            ^[^\\[]*\\[({DATE})\n            {^LN-BEG}"
    filter_failregex: "^<HOST> \\- \\S+ \\[\\] \\\"(GET|POST|HEAD) \\/<block> \\S+\\\" 404 .+$\n            ^ \\[error\\] \\d+#\\d+: \\*\\d+ (\\S+ )?\\\"\\S+\\\" (failed|is not found) \\(2\\: No such file or directory\\), client\\: <HOST>\\, server\\: \\S*\\, request: \\\"(GET|POST|HEAD) \\/<block> \\S+\\\"\\, .*?$"
    logpath: '/var/log/nginx/*error.log'

I will point out that I stumbled upon all of this trying to load RedHat sshd-ddos, which now has modes for SSH and no longer ships with a specific sshd-ddos filter. My solution, as advised by the package-provided commentary:

fail2ban::custom_jails:
  '01-sshd-ddos':
    enabled: true
    backend: systemd
    port: 'ssh'
    logpath: '%(sshd_log)s'
    filter: 'sshd[mode=ddos]'

My opinion is that the defined type at https://github.com/voxpupuli/puppet-fail2ban/blob/master/manifests/jail.pp has some assumptions that create these problems and can be corrected.

My suggestion is to:

  1. Create a custom defined type, fail2ban::filter, instead of managing filters and jails in fail2ban::jail. This doesn't necessarily affect function, but would/could allow cleaner coding and logic for the module.
  2. Create a Boolean in fail2ban::jail, $manage_filter that allows turning off/on managing the filter.d file in fail2ban::jail

While I am here, I will also mention that I think fail2ban::jail should also have an $ensure variable so that I can clean up my mistaken/old files in jail.d. Right now I have to disable anything I've tried and/or remove legacy files outside of the module.

I am willing to do a PR if you all agree with the logic.
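As an added check that is not part of this thread and not the module's own code: the two failregex lines from the YAML above, as they read once YAML unescaping is done, run against constructed nginx log lines. <HOST> and <block> are reduced to simplified stand-ins (assumptions, not fail2ban's real definitions), and the date stripping only emulates the two datepattern shapes the comment lists.

```python
import re

# Simplified stand-ins (assumptions, not fail2ban's stock definitions): <HOST> as an
# IPv4 capture group, <block> as a few of the probe paths botsearch-common.conf uses.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
BLOCK = r"(?:cgi-bin|mysqladmin|phpmyadmin|wp-login\.php)[^,]*"

# The two failregex lines from the comment above as they read once YAML has
# consumed its own escaping (\\" -> \", \\- -> \-, ...).
FAILREGEX = [
    r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$',
    r'^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) '
    r'\(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, '
    r'request: \"(GET|POST|HEAD) \/<block> \S+\"\, .*?$',
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST).replace("<block>", BLOCK))
            for rx in FAILREGEX]

# fail2ban cuts the matched date out of a line before trying failregex, which is
# why the first pattern expects a bare "[]" and the second starts with a space.
# Emulated here for a date at line start (error log) and a bracketed date (access log).
DATE_AT_START = re.compile(r"^\d{4}[-/.]\d{2}[-/.]\d{2}[T ]\d{2}:\d{2}:\d{2}")
DATE_IN_BRACKETS = re.compile(r"^([^\[]*\[)[^\]]*(\])")

def strip_date(line: str) -> str:
    if DATE_AT_START.match(line):
        return DATE_AT_START.sub("", line, count=1)
    return DATE_IN_BRACKETS.sub(r"\1\2", line, count=1)

def matched_host(line: str):
    """Return the <HOST> captured by the first failregex that matches, else None."""
    rest = strip_date(line)
    for rx in COMPILED:
        m = rx.match(rest)
        if m:
            return m.group("host")
    return None

# Constructed sample lines (not taken from any real server).
SAMPLES = [
    '203.0.113.5 - - [25/Aug/2020:10:11:12 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 162 "-" "curl/7.68.0"',
    '2020/08/25 10:11:13 [error] 1234#1234: *6 "/usr/share/nginx/html/wp-login.php" is not found (2: No such file or directory), client: 198.51.100.7, server: example.com, request: "GET /wp-login.php HTTP/1.1", host: "example.com"',
    '2020/08/25 10:11:14 [error] 1234#1234: *7 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 203.0.113.9, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(matched_host(line), "<-", line[:60])
```

The third sample (a missing favicon) is the kind of benign 404 the <block> list is meant to exclude, so it yields no host and no ban.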

@decibelhertz

I realized some very quick-n-dirty edits address at least 80% of what's discussed here, so I created #161
