fail2ban default config assumes iptables is installed

Bug #234122 reported by Andrew Oakley
Affects: fail2ban (Ubuntu)
  Status: Won't Fix
  Importance: Medium
  Assigned to: Unassigned
  Milestone: Declined for Hardy by David Futcher

Affects: iptables (Ubuntu)
  Status: Invalid
  Importance: Undecided
  Assigned to: Unassigned
  Milestone: Declined for Hardy by David Futcher

Bug Description

fail2ban correctly does not depend on iptables, since it is possible to configure it to use only hosts.deny by specifying the banaction=hostsdeny directive in the /etc/fail2ban/jail.conf file.

Unfortunately the default jail.conf supplied with fail2ban 0.8.2-2 in Hardy DOES assume iptables is installed, and has banaction=iptables-multiport as the default action. This is inherited by the SSH ruleset which is enabled by default.

Unless the user is particularly vigilant about watching the log files, there is a risk that they will assume fail2ban is now protecting their system against SSH brute force & dictionary attacks, when in fact it is doing nothing more than logging error messages (complaining about the missing iptables) whilst the user's system remains unprotected.

This is particularly pertinent to Ubuntu given its traditional attitude of favouring closed ports over firewalls.

The /etc/fail2ban/jail.conf supplied by default should be re-written for Ubuntu such that the default banaction is hostsdeny.

[DEFAULT]
...
#banaction = iptables-multiport
banaction = hostsdeny

Note: The attached patch is MY FIRST ATTEMPT AT WRITING A PATCH. If I've got it wrong, please help me learn how to get it right (or just point me at a better howto).
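The failure mode described above (a banaction inherited from [DEFAULT] whose backing tool is not installed, so bans silently never happen) can be checked for mechanically. The script below is an added example, not code from this report or from fail2ban itself: it resolves the banaction a jail would actually use the way fail2ban inherits it (jail section first, then [DEFAULT]), verifies the tool that action depends on is present, and applies the change the report proposes (commenting out iptables-multiport and setting hostsdeny in [DEFAULT]). The IPTABLES and HOSTS_DENY environment overrides and the write_sample_conf fragment are assumptions made here so it can run without touching a real system; the sample jail.conf is constructed, not the file Hardy ships.

```shell
#!/bin/sh
# Added example, not code from the bug report or from fail2ban.
# Checks whether a jail's banaction can actually ban anything on this
# host, and rewrites the [DEFAULT] banaction if asked to.
#
# Assumptions (not from the page): IPTABLES and HOSTS_DENY may be
# overridden from the environment so the checks can be exercised safely.
IPTABLES="${IPTABLES:-iptables}"
HOSTS_DENY="${HOSTS_DENY:-/etc/hosts.deny}"

# ini_get FILE SECTION KEY: print KEY's value from [SECTION], skipping
# comment lines; prints nothing if the key is not set in that section.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($0 ~ ("^[[:space:]]*\\[" sec "\\][[:space:]]*$")); next }
        !insec || /^[[:space:]]*[#;]/ { next }
        $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# effective_banaction FILE JAIL: the jail's own banaction if set,
# otherwise the [DEFAULT] one, mirroring fail2ban's inheritance.
effective_banaction() {
    v=$(ini_get "$1" "$2" banaction)
    [ -n "$v" ] || v=$(ini_get "$1" DEFAULT banaction)
    printf '%s\n' "$v"
}

# have_tool NAME_OR_PATH: true if an executable of that name is available.
have_tool() {
    case "$1" in
        */*) [ -x "$1" ] ;;
        *)   command -v "$1" >/dev/null 2>&1 ;;
    esac
}

# banaction_ok ACTION: 0 if the tool the action relies on is usable.
# iptables-* actions need the iptables binary; hostsdeny needs a
# writable hosts.deny. Anything else is treated as unverified (1).
banaction_ok() {
    case "$1" in
        iptables*) have_tool "$IPTABLES" ;;
        hostsdeny) [ -w "$HOSTS_DENY" ] ;;
        *)         return 1 ;;
    esac
}

# check_jail FILE JAIL: report whether the jail's ban action can work.
# Returns 1 when the backing tool is missing (the bug's silent failure).
check_jail() {
    act=$(effective_banaction "$1" "$2")
    if banaction_ok "$act"; then
        printf '%s: banaction=%s ok\n' "$2" "$act"
    else
        printf '%s: banaction=%s but its backing tool is missing; bans will fail\n' "$2" "$act" >&2
        return 1
    fi
}

# set_default_banaction FILE ACTION: rewrite banaction in [DEFAULT] only,
# keeping the old line as a comment (the change the report proposes).
set_default_banaction() {
    awk -v act="$2" '
        /^[[:space:]]*\[/ { indef = ($0 ~ /^[[:space:]]*\[DEFAULT\][[:space:]]*$/) }
        indef && /^[[:space:]]*banaction[[:space:]]*=/ { print "#" $0; print "banaction = " act; next }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# write_sample_conf FILE: constructed jail.conf fragment in the shape the
# report describes (iptables-multiport in [DEFAULT], inherited by an
# enabled ssh jail). Sample data, not the file Ubuntu ships.
write_sample_conf() {
    cat > "$1" <<'EOF'
[DEFAULT]
bantime  = 600
banaction = iptables-multiport

[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log

[apache]
enabled = false
banaction = hostsdeny
EOF
}

# Usage: sh check-banaction.sh /etc/fail2ban/jail.conf [jail]
if [ "$#" -gt 0 ]; then
    check_jail "$1" "${2:-ssh}"
fi
```

Run against a real jail.conf as `sh check-banaction.sh /etc/fail2ban/jail.conf ssh`; a non-zero exit means the ssh jail's ban action cannot work on this host. The script does not look at `enabled`, so it reports what a jail would use if it were switched on.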

Revision history for this message
Charlie Kravetz (cjkgeek) wrote :

Thanks for reporting this bug and any supporting documentation. Since this bug has enough information provided for a developer to begin work, I'm going to mark it as confirmed and let them handle it from here. Thanks for taking the time to make Ubuntu better and for providing the patch!

Changed in fail2ban:
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Mitch Towner (kermiac) wrote :

Invalidated wrongly set task.

@ Fail2Ban: Please do not add new tasks to bug reports & nominate for release without commenting to advise why you have done this.
Thanks in advance!

Changed in iptables (Ubuntu):
status: New → Invalid
Revision history for this message
David Futcher (bobbo) wrote :

I don't think this is the right direction to be going in to fix this (to be honest I'm not sure if it's even a bug, really). fail2ban already Recommends iptables, and recommended packages are installed by default in recent versions of Ubuntu. It's going to be a fairly rare edge case where this is actually an issue and iptables is not present. However, I don't know what other people's opinions are on this issue, so I'll leave it open for now.

tags: added: patch-rejected
removed: patch
Revision history for this message
David Futcher (bobbo) wrote :

Don't take the above comment too harshly, I just think this needs to be discussed before it is implemented. I think something like a debconf option when installing may be a better idea.

Can anyone else give their opinions on this?

Revision history for this message
Dave Walker (davewalker) wrote :

@Andrew, thank you kindly for the patch. I agree with David that being in Recommends is enough to ensure that it works in the default (and most) installations.

This only causes an issue if the user:
  * uninstalled iptables
  * specified --no-recommends

I think both of these situations are an edge case in themselves. If a user has gone to that much effort to customise their system, I do not feel it is unreasonable for the default fail2ban configuration to require local editing.

Thanks again Andrew.

Changed in fail2ban (Ubuntu):
status: Triaged → Won't Fix