Saturday, November 14, 2009

fail2ban vuurmuur plugin

I made a decent vuurmuur firewall plugin (action) for fail2ban. I am debugging it, because it takes a good minute to stop the service... I will update this post when I figure out what the heck is taking so long. I am also going to submit this to fail2ban for possible inclusion.

I opted to go with the default behavior of fail2ban, which is to remove all bans on a restart. It is trivial to hardcode the network and group names if you don't want fail2ban messing with your vuurmuur structure or removing bans when it restarts.

Place this in /etc/fail2ban/action.d/vuurmuur.conf:

# Fail2Ban action for the vuurmuur firewall
# Author: Nick Shobe
#
# <name> is Fail2Ban's jail-name tag. <group> is the vuurmuur group that
# receives the banned hosts (e.g. blockedhosts); it is not a built-in tag, so
# define it in an [Init] section (group = blockedhosts) or hardcode the name.
# vuurmuur objects are named host.network.zone / group.network.zone, which
# gives the <group>.<name>.fail2ban names used below.

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
# Create a zone in vuurmuur called fail2ban beforehand... this script will add
# the "<name>" network and all the hosts... you can use a custom rule in
# vuurmuur to block ports by network. You can make multiple rules that block
# specific ports if you don't want to globally block an IP... Do this like any
# customized rules.
# Continuation lines of a multi-command option must be indented.
actionstart = vuurmuur_script --create --network <name>.fail2ban
    vuurmuur_script --modify --network <name>.fail2ban --variable ACTIVE --set Yes
    vuurmuur_script --modify --network <name>.fail2ban --variable NETWORK --set 0.0.0.0
    vuurmuur_script --modify --network <name>.fail2ban --variable NETMASK --set 0.0.0.0
    append=''
    for int in `vuurmuur_script --list --interface all`; do vuurmuur_script --modify --network <name>.fail2ban $append --variable INTERFACE --set $int; append='--append'; done
    vuurmuur_script --create --group <group>.<name>.fail2ban
    vuurmuur_script --modify --group <group>.<name>.fail2ban --variable ACTIVE --set Yes

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
# Removes every ban (groups, hosts and the network) and recreates the empty
# structure, matching Fail2Ban's default of dropping all bans on a restart.
actionstop = for group in `vuurmuur_script --list --group <name>.fail2ban`; do vuurmuur_script --delete --group $group; done
    for host in `vuurmuur_script --list --host <name>.fail2ban`; do vuurmuur_script --delete --host $host; done
    vuurmuur_script --delete --network <name>.fail2ban
    vuurmuur_script --create --network <name>.fail2ban
    vuurmuur_script --modify --network <name>.fail2ban --variable ACTIVE --set Yes
    vuurmuur_script --modify --network <name>.fail2ban --variable NETWORK --set 0.0.0.0
    vuurmuur_script --modify --network <name>.fail2ban --variable NETMASK --set 0.0.0.0
    append=''
    for int in `vuurmuur_script --list --interface all`; do vuurmuur_script --modify --network <name>.fail2ban $append --variable INTERFACE --set $int; append='--append'; done
    vuurmuur_script --create --group <group>.<name>.fail2ban
    vuurmuur_script --modify --group <group>.<name>.fail2ban --variable ACTIVE --set Yes
    vuurmuur_script --reload

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
# Dots separate host.network.zone in vuurmuur names, so banned addresses are
# stored with dashes; tr maps them back to dotted form.
actioncheck = vuurmuur_script --list --host <name>.fail2ban | tr '-' '.'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#

Use this just like a normal iptables action file, only bear in mind that it uses vuurmuur. In vuurmuur, create a rule that uses the "blockedhosts" group under the appropriate network to block the appropriate traffic. Feel free to contact me if you have any questions.
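The actioncheck above pipes the host listing through tr '-' '.', which implies that banned hosts are stored as dashed addresses under <name>.fail2ban. As an added example (not part of the post), the POSIX sh helpers below do that mapping in both directions and refuse anything that is not a dotted-quad IPv4 address before it reaches a root-run vuurmuur_script command; the host-naming scheme and the jail name sshd are assumptions.

```sh
#!/bin/sh
# Helpers for a vuurmuur-based fail2ban action (added example, not the post's code).
# ASSUMPTION: a banned host is stored as <ip with '.' -> '-'>.<jail>.fail2ban,
# which is what the actioncheck's "tr '-' '.'" suggests.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
# Fail2Ban substitutes <ip> textually into a root shell command, so anything
# that is not a plain address is rejected here.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Map an IP ($1) and jail name ($2) to the vuurmuur host object name.
ip_to_host() {
    is_ipv4 "$1" || return 1
    printf '%s.%s.fail2ban\n' "$(printf '%s' "$1" | tr '.' '-')" "$2"
}

# Recover the dotted IP from a host object name produced by ip_to_host.
host_to_ip() {
    printf '%s\n' "${1%%.*}" | tr '-' '.'
}

# Read a "--list --host" style listing on stdin (constructed in the usage
# below); return 0 if the IP in $1 is already banned, 1 otherwise.
is_banned() {
    while IFS= read -r h; do
        [ "$(host_to_ip "$h")" = "$1" ] && return 0
    done
    return 1
}

# Usage: the constructed listing stands in for vuurmuur_script output.
ip_to_host 192.0.2.10 sshd   # prints 192-0-2-10.sshd.fail2ban
```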

2 comments:

  1. Please can you add this as a file for download, as the HTML seems to have screwed it up: lots of invalid '.'s.

  2. You may find it "well formatted (with < name > and < group > tag)" here: http://pastebin.com/zecMmBPK
