Re: git: d0fcbc6c271f - main - security/py-fail2ban: Add ipfilter ippool action

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Tue, 04 Oct 2022 21:02:58 UTC
In message <202210041513.294FD2Tb059511@gitrepo.freebsd.org>, Cy Schubert 
write
s:
> The branch main has been updated by cy:
>
> URL: https://cgit.FreeBSD.org/ports/commit/?id=d0fcbc6c271fe89343642260f36bb5
> 842177f75d
>
> commit d0fcbc6c271fe89343642260f36bb5842177f75d
> Author:     Cy Schubert <cy@FreeBSD.org>
> AuthorDate: 2022-10-04 14:55:17 +0000
> Commit:     Cy Schubert <cy@FreeBSD.org>
> CommitDate: 2022-10-04 15:06:21 +0000
>
>     security/py-fail2ban: Add ipfilter ippool action
>     
>     Rather than add a block rule for each banned IP, add a blanket block rule
>     that references an ipfilter ippool named fail2ban. Maintain the IPs in
>     the ippool reducing the need to search a large list of rules. An ipfilter
>     tree pool is used.
> ---
>  security/py-fail2ban/Makefile                      |  2 +-
>  .../files/patch-config_action.d_ippool.conf        | 58 ++++++++++++++++++++
> ++
>  2 files changed, 59 insertions(+), 1 deletion(-)
>
> diff --git a/security/py-fail2ban/Makefile b/security/py-fail2ban/Makefile
> index f292316824ee..77cada9444c0 100644
> --- a/security/py-fail2ban/Makefile
> +++ b/security/py-fail2ban/Makefile
> @@ -1,6 +1,6 @@
>  PORTNAME=	fail2ban
>  DISTVERSION=	1.0.1
> -PORTREVISION=	1
> +PORTREVISION=	2
>  CATEGORIES=	security python
>  PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
>  
> diff --git a/security/py-fail2ban/files/patch-config_action.d_ippool.conf b/s
> ecurity/py-fail2ban/files/patch-config_action.d_ippool.conf
> new file mode 100644
> index 000000000000..74857fd6caac
> --- /dev/null
> +++ b/security/py-fail2ban/files/patch-config_action.d_ippool.conf
> @@ -0,0 +1,58 @@
> +--- config/action.d/ippool.conf.orig	2022-10-04 07:49:51.467484000 -0700
> ++++ config/action.d/ippool.conf	2022-10-04 07:49:54.523077000 -0700
> +@@ -0,0 +1,55 @@
> ++# Fail2Ban configuration file
> ++#
> ++# FreeBSD ipfilter (ippool command) ban/unban
> ++#
> ++# Author: Cy Schubert <cy@FreeBSD.org>
> ++#
> ++#
> ++
> ++[Definition]
> ++
> ++# Option:  actionstart
> ++# Notes.:  command executed on demand at the first ban (or at the start of 
> Fail2Ban if actionstart_on_demand is set to false).
> ++# Values:  CMD
> ++#
> ++# enable IPF if not already enabled and initialize fail2ban pool
> ++actionstart = /sbin/ipf -E
> ++              /sbin/ippool -A -t tree -m fail2ban
> ++              echo block in log quick from pool/fail2ban to any | /sbin/ipf
>  -f -
> ++
> ++# Option:  actionstop
> ++# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
> ++# Values:  CMD
> ++#
> ++# don't disable IPF with "/sbin/ipf -D", there may be other filters in use
> ++actionstop = echo block in log quick from pool/fail2ban to any | /sbin/ipf 
> -r -f -
> ++             /sbin/ippool -R -t tree -m fail2ban
> ++
> ++
> ++# Option:  actioncheck
> ++# Notes.:  command executed once before each actionban command
> ++# Values:  CMD
> ++#
> ++actioncheck =
> ++
> ++
> ++# Option:  actionban
> ++# Notes.:  command executed when banning an IP. Take care that the
> ++#          command is executed with Fail2Ban user rights.
> ++# Tags:    See jail.conf(5) man page
> ++# Values:  CMD
> ++#
> ++actionban = ippool -a -t tree -m fail2ban <ip>/32
> ++
> ++
> ++# Option:  actionunban
> ++# Notes.:  command executed when unbanning an IP. Take care that the
> ++#          command is executed with Fail2Ban user rights.
> ++# Tags:    See jail.conf(5) man page
> ++# Values:  CMD
> ++#
> ++# note -r option used to remove matching rule
> ++# actionunban = ippool -r -t tree -m fail2ban <ip>/32
> ++
> ++[Init]
> ++
>

Just as the other actions, like ipfilter, ipfw, pf, iptables, etc., 
placement of the rules the ippool action uses within the larger picture is 
as important important as the rule itself. This of course cannot be done 
strictly through a dumb script. Ideally one would remove actionstop and 
actionstart, manually place a new rule before any other rules which allow 
general access to service, but after any "safety valve" rules -- you don't 
want to lock yourself out. This offers better protection in a custom 
environment. But in an environment which is entirely open, this default 
will work.

This will be pushed up to our upstream.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e^(i*pi)+1=0