fail2ban with nftables

Postby hbauer » 2020-08-24 07:27

I have a Debian 9 server where I had a working combination of iptables with fail2ban up and running. After successfully migrating the iptables part to nftables I struggle getting fail2ban working as before.

Has somebody been successful with this https://wiki.meurisse.org/wiki/Fail2Ban document? Any other hints for a howto?
hbauer
Posts: 30
Joined: 2015-10-26 15:38

Re: fail2ban with nftables

Postby cuckooflew » 2020-08-24 08:08

Although it may have been a good one, look at the date:
This page was last modified on 25 October 2016, at 10:41.

Things have changed, I am sure.
Maybe try https://wiki.debian.org/nftables and https://wiki.archlinux.org/index.php/Fail2ban
I don't know anything about the current Fail2ban myself, and the Debian wiki does not seem to have anything, but some one else here might have some experience with it.
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!
cuckooflew
Posts: 683
Joined: 2018-05-10 19:34
Location: Some where out west

Re: fail2ban with nftables

Postby zenlord » 2020-09-02 13:37

I have successfully set up fail2ban with nftables on Debian Buster.

The most important hurdle that I was able to overcome, is described here: viewtopic.php?f=5&t=146805&p=724148&hilit=fail2ban#p724150
(newer versions of fail2ban have solved certain bugs, but it is not sure whether the above is a bug or not).

If you can share more info on what is not working for you, then I can maybe help.

Vincent
zenlord
Posts: 77
Joined: 2009-06-17 15:23

Re: fail2ban with nftables

Postby reinob » 2020-09-02 17:22

FWIW I use fail2ban with debian buster, but using a custom action (banaction = local_block), where my local_block.conf calls a script (at /usr/local/sbin/fail2ban_action.sh), which itself does this (the first argument, $1, is either "add" or "delete").

Code:
#!/bin/sh
# $1 is "add" (actionban) or "delete" (actionunban); $2 is the IP fail2ban passes as <ip>
nft "$1" element inet filter fail2ban { "$2" } 2>&1
# always report success back to fail2ban
exit 0


In my nftables.conf I have a set called "fail2ban", and the input chain has "ip saddr @fail2ban drop".

Of course this blocks the IP as a whole, thus like nftables-allports.conf, but has the benefit of being easy to modify (I just need to modify /usr/local/sbin/fail2ban_action.sh), e.g. if you want to block the IP at some other server (a separate firewall, etc.)
reinob
Posts: 819
Joined: 2014-06-30 11:42
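As an added example (not reinob's actual files), here are the three pieces that wire fail2ban to an nftables set the way the post describes: a helper that builds and validates the nft command, the local_block action file that calls the script, and the nftables fragment with the set and the drop rule. The table name "inet filter", the set name "fail2ban", the script path and the action name are taken from the post; the action-file layout and the IPv4-only validation are assumptions of this example, and fail2ban's jail would select it with "banaction = local_block".

```shell
#!/bin/sh
# Added example, not the poster's files. Assumed: table "inet filter", set "fail2ban",
# script /usr/local/sbin/fail2ban_action.sh, action name local_block (IPv4 jails only).
# Build (and print) the nft command for one ban/unban. Only "add"/"delete" and a
# plausible dotted-quad are accepted, so a malformed <ip> handed over by a bad
# filter regex cannot become an arbitrary nft statement.
f2b_nft_cmd() {
    case "$1" in
        add|delete) ;;
        *) echo "unknown action: $1" >&2; return 2 ;;
    esac
    case "$2" in
        ""|*[!0-9.]*|.*|*.|*..*) echo "bad IPv4 address: $2" >&2; return 2 ;;
    esac
    printf 'nft %s element inet filter fail2ban { %s }\n' "$1" "$2"
}
# Run the command for real (needs root and the set to exist in the live ruleset).
f2b_apply() {
    cmd=$(f2b_nft_cmd "$1" "$2") || return $?
    $cmd
}
# Contents of /etc/fail2ban/action.d/local_block.conf; fail2ban substitutes <ip>.
f2b_action_conf() {
    cat <<'EOF'
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = /usr/local/sbin/fail2ban_action.sh add <ip>
actionunban = /usr/local/sbin/fail2ban_action.sh delete <ip>
EOF
}
# Fragment for /etc/nftables.conf: the set plus the input rule that drops members.
f2b_ruleset() {
    cat <<'EOF'
table inet filter {
    set fail2ban {
        type ipv4_addr
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @fail2ban drop
    }
}
EOF
}
```

A banned address then shows up in "nft list set inet filter fail2ban", and the unban removes it again when bantime expires.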
