Fail2ban, responsive firewall, intrusion detection..... oh my!

FreePBX Security
1

I am hoping to get a bit of clarification on how Fail2ban, Intrusion Detection and the responsive firewall are related.

My understanding is that the settings under “Intrusion Detection” are simply a way of setting basic Fail2ban parameters and that the Responsive Firewall functionality is a completely separate feature.

Right now I have the intrusion settings fairly tight with max number of failed logins set to 3. However I regularly get alerts from Fail2ban about banned IP’s which show anywhere from 3 to 11 failed login attempts. At first glance this appears to indicate that the “Intrusion Detection” settings are not being completely respected.

My thought is that some of the “Fail2Ban” alerts are actually being generated by the Responsive Firewall which is perhaps not as rigid in it response to failed login attempts. But again I am not completely clear on how these services are interrelated. Any thoughts or clarification about how these services relate to each other and how to explain the variation in failed logins before banning would be appreciated.

2

iptables intercepts all network traffic and forces it to transit its rules .

fail2ban is a set of rules and chains ( a set of rules) , as is any other iptables based ‘firewall’ like a ‘responsive firewall’ , any process with sufficient privilege can -A (add) or -I (insert ) (and otherwise mess with :wink: ) any rule anywhere, at any point in time in any part of iptables’ rules.

If iptables is running, you can inspect the current traffic filter with iptables -L -v -n|less , that way you can see how you have prioritized your process’ activities and what the end result was, but only exactly at that point in time you pressed enter on it.

3

getting more than what you expected ‘hits’ before a ban is because depending on fail2ban’s ‘backend’ it often can’t keep up with reading the logs, the publisher recommends you install and use pyinotify for speediest effect

(they also recommend that you use a currently supported version of fail2ban , but that’s a different story :wink: )