Have fail2ban client and server on different machines

fail2ban

I was wondering if it was possible to have fail2ban clients on different machines and have a server on one machine communicating with all the clients?

Here's my situation: I have 4 servers and I'm using fail2ban to protect them. For now I have one client and one server installed per machine. I wonder if I could just have one client on each machine and have only one server total on one machine that would communicate with all clients. All the servers are running on CentOS and I'm using iptables to ban.

Do you have any idea on how to do that?

Best Answer

Theoretically it's possible. Whether or not it would be advisable do to this is another question. If you wanted to implement this, it would require a fair amount of customization of detection and action rules in fail2ban.

The basic idea would be this:

Have all of the "client" systems configured to send their syslogs to the "master" server. Fail2ban would run on this master and would watch the logs coming in from all the client machines. You'd need to configure separate filter and action rules for each client machine, ensuring that each matching rule only matches log entries for that specific server. Then for the action definitions, instead of having it insert iptables rules locally on the server, it would execute a remote iptables command on the client via ssh.

Related Solutions

Ubuntu – Any non-custom way to manage iptables with fail2ban and libvirt+kvm

This is really old but for people who search and find this, fail2ban and like a lot of other utilities are very configurable. You can change your fail2ban action files like iptables-multiport.conf to call iptables and create chains in the way you want it.

eg.

actionstart = iptables -N fail2ban-<name>
          iptables -A fail2ban-<name> -j RETURN
          iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

This creates a rule smack bang in your INPUT chain which is kind of ugly and unmanageable, but you can quite easily put it in one of your own chains in your control. You can create an INPUT filter which then has chains to other filters for fail2ban to keep all it's stuff out of your INPUT chain as below.

actionstart = iptables -N fail2ban-<name>
          iptables -A fail2ban-<name> -j RETURN
          iptables -I INPUT-FAIL2BAN -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

The same goes for libvirt or Xen where there are scripts that are called to do the work. Xen for instance uses /etc/xen/scripts which you'll find the network-bridge and others where iptables is called. Design it as you want.and worst case, change the code. I for one use fail2ban to modify a central firewall so all servers are protected which means iptables on the local machine doesn't show the rules anyway.

Security – Permanently and persistently ban an IP with fail2ban

Put the ban in your permanent iptables configuration file (possibly /etc/sysconfig/iptables).

Best Answer

Related Solutions

Ubuntu – Any non-custom way to manage iptables with fail2ban and libvirt+kvm

Security – Permanently and persistently ban an IP with fail2ban

Related Topic