[Dxspider-support] Lockout a user and fail2ban

Joaquin . joaquin at cronux.net
Wed May 13 16:17:59 CEST 2020


Hi,

For some time I have been thinking about the possibility of locking out IPs, and
reading the comments on the mailing list encouraged me to do this little test,
which seems to work well.

I am passing it on in case it is useful to someone; I think it can be
optimized, as I am just a simple Perl learner :-)

Kin, EA3CV
I have modified the set and unset lockout.pl scripts to add IP lock/unlock functionality using fail2ban.
It was implemented on Debian/Ubuntu.

Steps to implement it:

1. Create a new jail for DXSpider

root@ea3cv-cluster3:~# cd /etc/fail2ban/

If the jail.local file does not exist, we create it:

nano jail.local

We will add:

[dxspider]
enabled  = true
filter   = dxspider
action   = iptables[name=DXSPIDER, port="7300", protocol=tcp]
logpath  = /var/log/dxspider.log
bantime  = -1
maxretry = 2

If the jail.local file already exists, just add the above.

2. We create a dummy filter

root@ea3cv-cluster3:~# cd /etc/fail2ban/filter.d

nano dxspider.conf

[Definition]
failregex = ^\[\w{1,3}.\w{1,3}.\d{1,2}.\d{1,2}:\d{1,2}:\d{1,2} \d{1,4}. \[error] \[client.<HOST>].File does not exist:.{1,40}roundcube.{1,200}
ignoreregex =

3. We create a dummy log file

root@ea3cv-cluster3:~# touch /var/log/dxspider.log

4. We restart the service

root@ea3cv-cluster3:~# service fail2ban restart

5. We modify sudo so that it can execute the IP lock/unlock commands

root@ea3cv-cluster3:~# cd /etc/sudoers.d

root@ea3cv-cluster3:~# nano sysop

########################################
# Security policy for user "sysop"     #
# Only these commands are allowed to   #
# run:                                 #
#  fail2ban-client                     #
########################################

#### GLOBAL CONFIGURATION

# Alias to define the server hostname
Host_Alias SERVER = localhost, ea3cv-cluster3

# Default setting for passwords
Defaults passwd_tries = 3, passwd_timeout = 5

# Default directory and file mask
Defaults@SERVER umask = 0022

# Users

# Alias to define the user "pepe"
User_Alias USR_SYSOP = sysop

# Commands

# Aliases to define the commands
Cmnd_Alias CMD_FAIL2BAN_CLIENT = /usr/bin/fail2ban-client

# Rules
USR_SYSOP SERVER = NOPASSWD:CMD_FAIL2BAN_CLIENT

Note: The "Host_Alias SERVER" entry must be changed to match the hostname of the machine.

We will execute the command:

root@ea3cv-cluster3:~# chmod 440 *

6. In local_cmd/set we will copy the file set_lockout.pl as lockout.pl

7. In local_cmd/unset we will copy the file unset_lockout.pl as lockout.pl

With the iptables command we can see that, after executing set/lockout XX0XYZ for the IP address 192.168.1.36, the address appears in the f2b-DXSPIDER chain:

root@ea3cv-cluster3:~# iptables -nvL

Chain f2b-DXSPIDER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    6   268 REJECT     all  --  *      *       192.168.1.36         0.0.0.0/0            reject-with icmp-port-unreachable
   94  3862 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Ready to go!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: set_lockout.pl
Type: application/x-perl
Size: 1304 bytes
Desc: not available
URL: <https://mailman.tobit.co.uk/pipermail/dxspider-support/attachments/20200513/ea1231c8/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unset_lockout.pl
Type: application/x-perl
Size: 1394 bytes
Desc: not available
URL: <https://mailman.tobit.co.uk/pipermail/dxspider-support/attachments/20200513/ea1231c8/attachment-0003.bin>
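As an added example that is not part of the original post or of the attached set_lockout.pl / unset_lockout.pl scripts (which are not reproduced here), the following shell wrapper performs the two fail2ban-client calls the procedure above relies on, but validates the address before it is handed to sudo. This matters because the sudoers rule in step 5 lets sysop run /usr/bin/fail2ban-client with any arguments and no password, so whatever the DXSpider command passes through becomes part of a privileged command line. It assumes the jail name "dxspider" from step 1, the step 5 sudoers rule, and the standard fail2ban-client subcommands "set <jail> banip <ip>", "set <jail> unbanip <ip>" and "status <jail>"; the script name lockout.sh is a placeholder.

```shell
#!/bin/bash
# Added example (not the post's own set_lockout.pl / unset_lockout.pl).
# Assumptions: jail "dxspider" (step 1), the sysop sudoers rule (step 5), and the
# fail2ban-client subcommands "set <jail> banip|unbanip <ip>" and "status <jail>".

JAIL="dxspider"
F2B="/usr/bin/fail2ban-client"

# Strict IPv4 check: exactly four dotted decimal octets, each 0-255, no leading zeros,
# nothing else. The sudoers rule allows fail2ban-client with ANY arguments, so the wrapper
# must never forward an unchecked string (a callsign, an empty value, an option flag).
valid_ipv4() {
  ip="$1"
  case "$ip" in
    '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
  esac
  oldifs="$IFS"; IFS=.
  set -- $ip                     # split into octets (positional params are function-local)
  IFS="$oldifs"
  [ "$#" -eq 4 ] || return 1
  for o; do
    case "$o" in
      0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) [ "$o" -le 255 ] || return 1 ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Print the exact command line that would be run (for review or logging).
# Prints nothing and returns non-zero if the action or the address is refused.
f2b_cmd() {
  action="$1"; ip="$2"
  case "$action" in
    ban)   sub="banip" ;;
    unban) sub="unbanip" ;;
    *)     return 2 ;;
  esac
  valid_ipv4 "$ip" || return 1
  printf '%s set %s %s %s\n' "$F2B" "$JAIL" "$sub" "$ip"
}

# Perform the ban/unban through sudo. Only meaningful on the host that carries the jail and
# the sudoers rule; "sudo -n" fails instead of prompting, so a wrong rule is visible at once.
lockout_ip() {
  cmd=$(f2b_cmd "$1" "$2") || {
    echo "refused: action='$1' address='$2' (expected ban|unban and a plain IPv4 address)" >&2
    return 1
  }
  # $cmd is built only from the fixed paths above plus the validated address,
  # so splitting it back into words here is safe.
  # shellcheck disable=SC2086
  sudo -n $cmd
}

# Show what fail2ban currently holds for the jail (its "Banned IP list" line),
# a quicker check than reading the f2b-DXSPIDER iptables chain.
lockout_status() {
  sudo -n "$F2B" status "$JAIL"
}

# Usage: lockout.sh ban 192.168.1.36 | lockout.sh unban 192.168.1.36 | lockout.sh status
if [ "$#" -gt 0 ]; then
  case "$1" in
    status) lockout_status ;;
    *)      lockout_ip "$1" "$2" ;;
  esac
fi
```

The ban is permanent because the jail sets bantime = -1, so unban is the only way to release an address; lockout_status shows the current list without having to read the iptables chain.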

