Comments (8)
2533526 now implements a new parameter ipsettype to support setting of the set type...
One can simply use this action instead (if the fail2ban version is at least v.1.0).
For instance:
# for multiport:
banaction = iptables-ipset[type=multiport, ipsettype=hash:net]
# for allports:
banaction = iptables-ipset[type=allports, ipsettype=hash:net]
Important: for action.d/firewallcmd-ipset.conf the old parameter ipsettype (initially added in #2620 for an ipset backend) is now renamed to ipsetbackend, because the new parameter ipsettype will be used for the real set type.
from fail2ban.
Possibly related bug of firewalld:
What appears to happen when you try to put in something like 1.2.3.4/8
is that the entire address space attempts to be expanded.
# firewall-cmd --permanent --new-ipset=test --type=hash:ip
success
# firewall-cmd --permanent --ipset=test --add-entry=1.2.3.4/8
success
# firewall-cmd --reload
Error: COMMAND_FAILED: '/usr/sbin/ipset restore' failed: ipset v7.1: Error in line 3: Hash is full, cannot add more elements
source: https://bugzilla.redhat.com/show_bug.cgi?id=1777909
from fail2ban.
ipset v7.17: Hash is full, cannot add more elements
It is clearly a "bug" of ipset (or possibly your action), so my question is: why are you trying to post it here?
Anyway, it is clearly a restriction of ipset: the error simply means that the ipset elements limit is exceeded.
We have nothing to do with that.
However, related to this article (did not verify that):
The ipset size is hardcoded in the Imunify360 source code and currently, it is equal to a 100K IPs limit.
So your attempt to increase it with maxelem 1000000 may fail.
However, I guess it may depend on kernel version or some kernel module...
By the way, I don't think you'll really ban 1M subnets... It is too heavy and looks superfluous for hash:net.
would prefer this one jail to use hash:net for banning subnets in CIDR format (hash:net seems to be ignored and the jail gets hash:ip instead)
I don't think so. What do you see with ipset list f2b-manual?
If I try it with your list, I see this after all:
# while read ip; do echo "$ip"; fail2ban-client set manual banip "$ip"; done </tmp/net-list.txt
# ipset list f2b-manual
Name: f2b-manual
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 1000000 timeout 0 bucketsize 12 initval 0xa9941845
Size in memory: 7944
References: 0
Number of entries: 124
Members:
... a lot of subnets ...
If you mean fail2ban makes something wrong (e. g. with actionstart) please provide an excerpt for:
fail2ban-client -d | grep manual
from fail2ban.
If you previously changed
- actionstart = ipset -exist create <ipmset> hash:ip ...
+ actionstart = ipset -exist create <ipmset> hash:net ...
in the config, please ensure you restart (not just reload) fail2ban or the jail, in order to recreate the action and reban everything.
Without a restart, the jail would hold the previously created action (and therefore doesn't invoke actionstart, doesn't reban), so the ipset may remain hash:ip. And then indeed ipset would expand the subnet to a lot of IPs.
So the solution could be:
?sudo? fail2ban-client restart manual
from fail2ban.
ipset list f2b-manual --terse
Name: f2b-manual
Type: hash:ip
Revision: 5
Header: family inet hashsize 1048576 maxelem 1000000 timeout 0 bucketsize 12 initval 0x142aae92
Size in memory: 46316208
References: 1
Number of entries: 1000000
fail2ban-client -d | grep manual
['add', 'manual', 'auto']
['set', 'manual', 'usedns', 'warn']
['set', 'manual', 'maxretry', 2]
['set', 'manual', 'maxmatches', 2]
['set', 'manual', 'findtime', '2h']
['set', 'manual', 'bantime', '-1']
['set', 'manual', 'bantime.overalljails', True]
['set', 'manual', 'ignorecommand', '']
['set', 'manual', 'logencoding', 'auto']
['set', 'manual', 'addaction', 'firewallcmd-ipset']
['multi-set', 'manual', 'action', 'firewallcmd-ipset', [['actionstart', 'ipset -exist create <ipmset> hash:ip timeout 0 maxelem 1000000 <familyopt>\nfirewall-cmd --direct --add-rule <family> filter INPUT_direct 0 -p tcp -m multiport --dports http,https -m set --match-set <ipmset> src -j REJECT --reject-with <rejecttype>'], ['actionstop', 'firewall-cmd --direct --remove-rule <family> filter INPUT_direct 0 -p tcp -m multiport --dports http,https -m set --match-set <ipmset> src -j REJECT --reject-with <rejecttype>\nipset flush <ipmset>\nipset destroy <ipmset>'], ['actionflush', 'ipset flush <ipmset>'], ['actionban', 'ipset -exist add <ipmset> <ip> timeout 0'], ['actionunban', 'ipset -exist del <ipmset> <ip>'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['name', 'manual'], ['actname', 'firewallcmd-ipset'], ['family', 'ipv4'], ['zone', 'public'], ['service', 'ssh'], ['rejecttype', 'icmp-port-unreachable'], ['blocktype', 'REJECT --reject-with <rejecttype>'], ['rich-blocktype', "reject type='<rejecttype>'"], ['family?family=inet6', 'ipv6'], ['rejecttype?family=inet6', 'icmp6-port-unreachable'], ['default-ipsettime', '0'], ['ipsettime', '0'], ['timeout-bantime', '$([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)'], ['ipsettype', 'ipset'], ['actiontype', '<multiport>'], ['allports', '-p <protocol>'], ['multiport', '-p <protocol> -m multiport --dports <port>'], ['ipmset', 'f2b-<name>'], ['familyopt', ''], ['firewalld_familyopt', ''], ['ipmset?family=inet6', 'f2b-<name>6'], ['familyopt?family=inet6', 'family inet6'], ['firewalld_familyopt?family=inet6', '--option=family=inet6']]]
['start', 'manual']
uname -v
Debian 6.1.90-1
Question:
Where can I find a support channel for fail2ban to ask questions or receive support for configurations?
from fail2ban.
'actionstart', 'ipset -exist create <ipmset> hash:ip ...
As you can see, the action config still has the original type of set.
Unfortunately, we currently don't have a parameter for ipset-based actions to set only the type of ipset...
And setting actionstart in the jail (as a direct parameter of the jail) would not be correct...
I don't know where you had set it, but there are basically only 3 possibilities at the moment:
- either create a derivative action, including the action you want to use, and there overwrite actionstart or the part responsible for the ipset type inside the corresponding section. And then set the name of this action as the new banaction for the jail.
- almost the same as above, but make a duplicate of the action, where you'd overwrite the needed stuff.
- or supply actionstart as a parameter for the action in the jail.
Written from mobile phone, so too unhandy to provide an example... Please ping me if you'd need one, I'll provide it later.
from fail2ban.
I set the directive
[Definition]
actionstart = ipset -exist create <ipmset> hash:net timeout <default-ipsettime> maxelem 1000000 <familyopt>
in the /etc/fail2ban/action.d/manual.local
I am unsure how to ping you, but an example would be very much appreciated if you have the time to offer one.
Thank you.
from fail2ban.
I set the directive ... in the /etc/fail2ban/action.d/manual.local
Well, this looks like 2 errors to me (if you did only that):
- the action is missing everything else, because it neither has an include of the original action, nor the other directives expected for it to work
- probably you did not set it as banaction in the jail.
Ok, below is an example for the stock iptables-ipset, to rewrite this:
fail2ban/config/action.d/iptables-ipset.conf
Lines 27 to 28 in 304c3cd
in the action.d/manual.local:
[INCLUDES]
before = iptables-ipset.conf
[Definition]
actionstart = ipset -exist create <ipmset> hash:net timeout <default-ipsettime> maxelem <maxelem> <familyopt>
<_ipt_add_rules>
(if your original action doesn't have a <maxelem> parameter, simply use 1000000 like you did, although I doubt you'd ever ban 1M subnets).
in the jail:
[manual]
enabled = true
banaction = manual
...
(for the firewallcmd-ipset action it would be similar: change the include and adjust the ipset creation in the related sections).
However, a bit ugly is that if tomorrow the original action were to change in an incompatible way (e.g. _ipt_add_rules doesn't exist anymore or actionstart becomes more commands), this may fail after an upgrade to a newer version.
Alternative would be something like that:
in the action.d/manual.local:
[INCLUDES]
before = iptables-ipset.conf
[Definition]
actionstart = ipset -exist create <ipmset> hash:net timeout <default-ipsettime> maxelem <maxelem> <familyopt>
%(known/actionstart)s
where it'd first create the set with your parameters and then evaluate the original actionstart, which also tries to create the set first (but would do nothing because of -exist) and thereafter evaluates the further commands... and since actionstart executes only once per IP family, it looks like a good workaround to me.
Important: don't forget to restart (not reload) the jail after all.
from fail2ban.
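The checks discussed in this thread (why a CIDR overflows a hash:ip set, how to confirm which set type the running jail actually created, and how to tell from the `fail2ban-client -d` dump whether the edited actionstart took effect) as a small set of POSIX sh functions. This is an added example, not code from the fail2ban project or from any comment above; the set name f2b-manual and the maxelem 1000000 header are taken from the thread, the `ipset list -t` listings and the dump excerpt below are constructed so the script runs offline, and the function names are my own.

```shell
#!/bin/sh
# Added example (not fail2ban project code). Three sanity checks around
# switching an ipset-backed fail2ban action from hash:ip to hash:net.

# 1) How many entries a CIDR costs in a hash:ip set: every host is stored
#    individually, so 1.2.3.4/8 needs 2^24 entries. A hash:net set stores
#    the whole range as one element.
cidr_host_count() {
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32            # bare address: one host
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || return 1
    echo $((1 << (32 - prefix)))
}

# 2) Can CIDR $1 be added to the set whose `ipset list -t` output is on
#    stdin? hash:net always fits (one element per subnet); hash:ip only if
#    the expanded hosts still fit under maxelem, otherwise ipset answers
#    "Hash is full, cannot add more elements".
can_ban_cidr() {
    listing=$(cat)
    type=$(printf '%s\n' "$listing" | awk '$1=="Type:"{print $2}')
    maxelem=$(printf '%s\n' "$listing" |
        awk '$1=="Header:"{for(i=2;i<=NF;i++) if($i=="maxelem") print $(i+1)}')
    entries=$(printf '%s\n' "$listing" | awk '$1=="Number"&&$3=="entries:"{print $4}')
    case $type in
        hash:net) return 0 ;;
        hash:ip)  needed=$(cidr_host_count "$1") || return 1
                  [ $((entries + needed)) -le "$maxelem" ] ;;
        *)        return 1 ;;
    esac
}

# 3) Which set type the *running* jail creates: extract it from the
#    actionstart command in `fail2ban-client -d` output (stdin). If this
#    still says hash:ip after editing the .local, the jail was reloaded
#    instead of restarted, so the old action is still in use.
dumped_set_type() {
    grep -o 'ipset -exist create <ipmset> hash:[a-z,]*' | head -n 1 | awk '{print $NF}'
}

# Constructed `ipset list -t f2b-manual` listings, shaped like the thread's.
IPSET_HASH_IP='Name: f2b-manual
Type: hash:ip
Revision: 5
Header: family inet hashsize 1048576 maxelem 1000000 timeout 0 bucketsize 12 initval 0x142aae92
Size in memory: 46316208
References: 1
Number of entries: 124'

IPSET_HASH_NET='Name: f2b-manual
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 1000000 timeout 0 bucketsize 12 initval 0xa9941845
Size in memory: 7944
References: 0
Number of entries: 124'

# Constructed excerpt of `fail2ban-client -d | grep manual` before a restart.
F2B_DUMP="['multi-set', 'manual', 'action', 'firewallcmd-ipset', [['actionstart', 'ipset -exist create <ipmset> hash:ip timeout 0 maxelem 1000000 <familyopt>'], ['actionban', 'ipset -exist add <ipmset> <ip> timeout 0']]]"

# Demo run on the constructed data. On a live host replace the printf with
#   ipset list -t f2b-manual | can_ban_cidr 1.2.3.4/8
#   fail2ban-client -d | grep manual | dumped_set_type
for cidr in 1.2.3.4/8 10.0.0.0/24; do
    if printf '%s\n' "$IPSET_HASH_IP" | can_ban_cidr "$cidr"; then
        echo "$cidr: fits in the hash:ip set"
    else
        echo "$cidr: would overflow the hash:ip set (needs $(cidr_host_count "$cidr") entries)"
    fi
done
echo "dumped actionstart creates a set of type: $(printf '%s\n' "$F2B_DUMP" | dumped_set_type)"
```

The arithmetic in cidr_host_count is what turns "ipset expands the subnet to a lot of IPs" into a number: a single /8 alone exceeds the maxelem 1000000 shown in the thread, which is exactly the "Hash is full" error, while the same subnet is one element in a hash:net set. Running dumped_set_type against the live dump after a `fail2ban-client restart manual` is the quickest way to confirm the override in the .local was picked up.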