So fail2ban was discussed in the OSL tonight


(Jared Busch) #1

Regarding the Fail2ban conversation in OSL tonight.

There are two versions native to SNG7
What is so special about 0.8?


(Yois) #2

So I was not there, but I’ve dealt with this extensively in my own dev environment.

The bundled 0.8.14 version with SNG7 had customized jail configs meant for FreePBX. 0.11.1 in the el7 repo dies not. The FreePBX.sng7 package has a requirement for the 0.8.14 version and will not allow an upgrade (for good reason).

I repackaged the customized jails with 0.11.1 and posted it up on JIRA, and is now sitting in Sangoma’s lap to do something with it.


(Sam Shomi) #3

FPBX does not recognize newer versions of fail2ban at all. Shows not running in the GUI when it is.

0.8.14 of fail2ban is really old and doesn’t use a database, so it really loads up a system when the log files get big. When you reboot and the log files are really big it could be at 100% CPU for several minutes while fail2ban scans the log files.


(Yois) #4

I have a JIRA open for this too and the fix is simple, but it’s in Sysadmin so we just need to wait.


#5

Any reason besides needing to make a deadline? Were there issues with the CentOS 7 epel version at the time? That would be a good reason, but IIRC, CentOS7 was already 2-3 years old when SNG7 was born.

Admittedly, they had to bridge the CentOS6 to CentOS7 transition, and I can see the value of having the FBPX version locked as a known entity.

But SNG7 should have used the current epel version it’s baseline, even if locked down inside Sangoma’s repo. Seems the conditional logic to support either version would be pretty simple if you have it locked to two versions.

At the time I’m sure it seemed OK, something to go back and fix later, “we need to get it out the door.” Four or five years later it seems foolish.

I’ve been guilty of the same thing, but that doesn’t make it right, and usually comes back to bite you in the …


#6

I doubt anything other than it’s what CentOS6 used, and everything was already coded for.


(Yois) #7

The good reason is that the jails are configured in the RPM. The el7 package will remove the jails.

Yes, using 0.8 because all the Sangoma staff that write the original RPM are gone is unacceptable. What’s even more infuriating is that I have an updated RPM that works and the project maintainers don’t seem to care.


(Simon Telephonics) #8

(Naive question) Wouldn’t it be more reasonable to have this done by the firewall module?


(Yois) #9

Because Fail2Ban is controlled by Intrusion Detection which is a Sysadmin thing, not a Firewall thing (which is dumb and should be reviewed, as previously discussed in these forums)

Also, attempting to modify the jails from within the modules has proven to be bug riddled, as the current “fail2ban not starting debacle” has shown us these past few months WITH ALMOST CONPLETE SILENCE FROM SANGOMA.


#10

I have posted this before , but there is an apparently ‘little known fact’ that in fail2ban’s jail.conf is an option

# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
chain = <known/chain>

I believe that if that was set to a known chain (that any firewall would create in the right place), much of this hoo-hah could be resolved (IWFM) and your firewall no longer need to fight with fail2ban or vice versa, all rules could remain ‘well ordered’ and the ‘firewall’ could leave that chain in place if it wanted to when stopped. leaving F2B working.


#11

Undoubtedly.

But the firewall module is an odd fellow. It’s the only OSS system level component. Probably because they thought folks would want to see it to trust it.


(Simon Telephonics) #12

My sense is that the community should not be touching the firewall module, specifically because of how it is tightly coupled with sysadmin. Troubleshooting and debugging is many times harder when you are working against a black box. I say this as a fellow contributor and one who appreciates your efforts, but the arrangement really holds us back from working on this part of the code.


#13

Always thought that was the correct approach, and have said so multiple times here.

Have also said FreePBX 16 is the right time to do it. But the “get it out the door” mentality will probably win out.


(Yois) #14

So far none of the problems I’m hearing have anything to do with the firewall module. For the purpose of reiteration - Fail2Ban is not controlled, enabled, disabled, mutilated, or otherwise modified by the firewall module. The only changes made were actually to PREVENT the firewall module from breaking fail2ban.

This entire thread is pointing at Sysadmin, not Firewall.


(Simon Telephonics) #15

Pardon my confusion. . .

You’re saying they are not related (correct, technically, even though both are in the core business of modifying iptables) and yet someone wants to put them together on the same screen and call them all “Firewall”. So it is confusing.


(Yois) #16

Responsive firewall is not based on Fail2ban - it uses xt_recent and counts packets.
See here for the code that makes RFW work:
Source of Iptables.class.php - firewall - FreePBX GIT


(Simon Telephonics) #17

The screen I showed is not only responsive firewall.

It is RFW, “services” (standard layer 4 firewall stuff, ordinary iptables) and fail2ban.

I thought it was a firewall update that caused the fail2ban breakage.

If not then what was the breaking change that caused fail2ban not to start? (still)


(Yois) #18

The fail2ban side is a transplant from Sysadmin when they moved intrusion detection over here. The nuts and bolts of the code still reside in Sysadmin, just the GUI window was moved over.

Starting somewheres around version .66, Sysadmin added 2 jails to Fail2Ban - one for Apache, and one for Zulu. The code to create the jail config files is not reliable and many times the files are not generated. Pinging @danardf


(Simon Telephonics) #19

Thanks for the clarification. This makes sense to me now.


#20

I think the better option would be to divorce F2B from sysadmin completely, moving all F2B code to the firewall module. Anything iptables should be in one spot. The firewall would be much less than it is now without the community.

Other than the F2B stuff, the only thing firewall interacts with sysdamin is reading the port assignments (and needing it for hook support).

RPM and version checks and such can be left with sysadmin for the distro.

If we ever get non-distro hook support, non-distro users might really move it forward.