fail2ban default config assumes iptables is installed
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
fail2ban (Ubuntu) | Won't Fix | Medium | Unassigned |
iptables (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
fail2ban correctly does not depend on iptables, since it is possible to configure it to use only hosts.deny by specifying the banaction=hostsdeny directive in the /etc/fail2ban/
Unfortunately the default jail.conf supplied with fail2ban 0.8.2-2 in Hardy DOES assume iptables is installed, and has banaction=
Unless the user is particularly vigilant about watching the log files, there is a risk that they will assume fail2ban is now protecting their system against SSH brute force & dictionary attacks, when in fact it is doing nothing more than logging error messages (complaining about the missing iptables) whilst the user's system remains unprotected.
This is particularly pertinent to Ubuntu given its traditional attitude of favouring closed ports over firewalls.
The /etc/fail2ban/
[DEFAULT]
...
#banaction = iptables-multiport
banaction = hostsdeny
Note: The attached patch is MY FIRST ATTEMPT AT WRITING A PATCH. If I've got it wrong, please help me learn how to get it right (or just point me at a better howto).
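A check for the failure mode described in this report, as an added example that is not part of the original bug report or of fail2ban: it reads the `[DEFAULT]` `banaction` from a jail file given as an argument and fails when an `iptables-*` action is set but no `iptables` executable is found. The function names are hypothetical, and it assumes that only the file passed in sets `banaction`.

```shell
#!/bin/sh
# Added example (not fail2ban code): warn when the [DEFAULT] banaction in a
# jail file depends on an iptables binary that is not installed.

# Print the last uncommented "banaction" value found under [DEFAULT].
default_banaction() (
    sep=$(printf ' \t=')            # split "key = value" on blanks and '='
    section='' value=''
    while IFS=$sep read -r key val || [ -n "$key" ]; do
        case $key in
            ''|'#'*|';'*) ;;        # blank line or comment
            '['*']') section=${key#'['}; section=${section%']'} ;;
            banaction) if [ "$section" = DEFAULT ]; then value=$val; fi ;;
        esac
    done < "$1"
    printf '%s\n' "$value"
)

# check_banaction FILE [SEARCH_PATH]
# Returns 0 if the ban backend is usable, 1 if an iptables-* action is set
# but no iptables executable is found, 2 if banaction is missing or unknown.
check_banaction() {
    action=$(default_banaction "$1")
    case $action in
        hostsdeny)
            echo "ok: banaction=$action does not need iptables"
            return 0 ;;
        iptables*)
            if ( PATH=${2-$PATH}; command -v iptables >/dev/null 2>&1 ); then
                echo "ok: banaction=$action and iptables is installed"
                return 0
            fi
            echo "FAIL: banaction=$action but iptables is missing;" \
                 "offending hosts will only be logged, not banned" >&2
            return 1 ;;
        *)
            echo "unknown: banaction='$action', review it by hand" >&2
            return 2 ;;
    esac
}

# Usage: sh check.sh FILE. Without FILE, a constructed two-line sample is used.
if [ -n "${1-}" ]; then
    check_banaction "$1"
else
    sample=$(mktemp)
    printf '%s\n' '[DEFAULT]' 'banaction = iptables-multiport' > "$sample"
    check_banaction "$sample" || true
    rm -f "$sample"
fi
```

A non-zero exit status makes the check usable from a post-install step or a monitoring job, so the misconfiguration surfaces without anyone reading the fail2ban log.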
Thanks for reporting this bug and any supporting documentation. Since this bug has enough information provided for a developer to begin work, I'm going to mark it as confirmed and let them handle it from here. Thanks for taking the time to make Ubuntu better and for providing the patch!