Fail2ban ejabberd

Fail2ban UFW UDP conntrack

For days I had been seeing strange entries in the ejabberd log, and I finally decided to ban the source IPs with fail2ban.

2020-10-06 12:29:53.583 [info] <0.377.0> Rejecting request with unknown attribute(s): [3] [UDP, session 1vdu, anonymous, client 73.241.222.155:64262]
2020-10-06 12:29:57.102 [info] <0.377.0> Rejecting request with unknown attribute(s): [3] [UDP, session 1veq, anonymous, client 73.241.222.155:64262]
2020-10-06 12:30:00.460 [info] <0.377.0> Rejecting request with unknown attribute(s): [3] [UDP, session 1vfm, anonymous, client 73.241.222.155:64262]
2020-10-06 12:32:50.510 [info] <0.377.0> Rejecting request with unknown attribute(s): [3] [UDP, session 1vgi, anonymous, client 73.241.222.155:64262]
2020-10-06 12:32:53.690 [info] <0.377.0> Rejecting request with unknown attribute(s): [3] [UDP, session 1vhe, anonymous, client 73.241.222.155:64262]
2020-10-06 12:32:56.960 [info] <0.377.0> Rejecting request with unknown attribute(s): [3] [UDP, session 1via, anonymous, client 73.241.222.155:64262]

Let's create a simple rule in our jail.local:

[ejabberd-unkattr]
enabled = true
port = all
filter =
failregex = ^.*Rejecting request with unknown attribute.*client <HOST>
logpath = /opt/ejabberd/logs/ejabberd.log
maxretry = 3
findtime = 600
bantime = 604800
banaction = ufw-custom
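To see how the jail above turns those log lines into a ban, here is an added Python simulation (not part of the original post and not fail2ban's own code). It applies the failregex, with fail2ban's <HOST> placeholder expanded to an IPv4 capturing group, and then the maxretry/findtime window to the six ejabberd lines above plus three constructed lines for a second address (192.0.2.10) whose failures are spread too far apart to reach maxretry within findtime.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Sample input: the six ejabberd lines from the post plus three constructed lines for
# 192.0.2.10, whose failures never add up to maxretry inside one findtime window.
SAMPLE_LOG = """\
2020-10-06 12:00:00.001 [info] <0.377.0> Rejecting request with unknown attribute(s): [3] [UDP, session 1vaa, anonymous, client 192.0.2.10:50000]
2020-10-06 12:20:00.002 [info] <0.377.0> Rejecting request with unknown attribute(s): [3] [UDP, session 1vab, anonymous, client 192.0.2.10:50000]
2020-10-06 12:20:05.003 [info] <0.377.0> Rejecting request with unknown attribute(s): [3] [UDP, session 1vac, anonymous, client 192.0.2.10:50000]
2020-10-06 12:29:53.583 [info] <0.377.0> Rejecting request with unknown attribute(s): [3] [UDP, session 1vdu, anonymous, client 73.241.222.155:64262]
2020-10-06 12:29:57.102 [info] <0.377.0> Rejecting request with unknown attribute(s): [3] [UDP, session 1veq, anonymous, client 73.241.222.155:64262]
2020-10-06 12:30:00.460 [info] <0.377.0> Rejecting request with unknown attribute(s): [3] [UDP, session 1vfm, anonymous, client 73.241.222.155:64262]
2020-10-06 12:32:50.510 [info] <0.377.0> Rejecting request with unknown attribute(s): [3] [UDP, session 1vgi, anonymous, client 73.241.222.155:64262]
2020-10-06 12:32:53.690 [info] <0.377.0> Rejecting request with unknown attribute(s): [3] [UDP, session 1vhe, anonymous, client 73.241.222.155:64262]
2020-10-06 12:32:56.960 [info] <0.377.0> Rejecting request with unknown attribute(s): [3] [UDP, session 1via, anonymous, client 73.241.222.155:64262]
"""

# The jail's failregex with <HOST> expanded to a capturing group. fail2ban substitutes a
# richer host pattern (IPv6, hostnames); a plain IPv4 group is enough for these lines.
FAILREGEX = re.compile(
    r"^.*Rejecting request with unknown attribute.*client (?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)
# ejabberd's timestamp prefix, without the fractional seconds.
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+")

MAXRETRY = 3   # as in the jail
FINDTIME = 600 # seconds, as in the jail


def parse_failures(log_text):
    """Return (timestamp, host) for every line the failregex matches."""
    failures = []
    for line in log_text.splitlines():
        match = FAILREGEX.match(line)
        if not match:
            continue
        stamp = TIMESTAMP.match(line)
        when = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
        failures.append((when, match.group("host")))
    return failures


def ban_decisions(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the log and return ("YYYY-MM-DD HH:MM:SS", host) for each ban that would fire:
    the moment a host accumulates `maxretry` failures within a sliding `findtime` window.
    A host is reported once; later hits while banned are ignored, as fail2ban does."""
    window = defaultdict(deque)
    banned = set()
    bans = []
    for when, host in parse_failures(log_text):
        if host in banned:
            continue
        hits = window[host]
        hits.append(when)
        # Drop failures that fell out of the findtime window.
        while hits and (when - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry:
            bans.append((when.isoformat(sep=" "), host))
            banned.add(host)
    return bans


if __name__ == "__main__":
    for when, host in ban_decisions(SAMPLE_LOG):
        print(f"{when} Ban {host}")
```

The simulation reports a single ban for 73.241.222.155 at 12:30:00, on its third hit; 192.0.2.10 never gets three failures inside 600 seconds, so it is left alone. On a real host, `fail2ban-regex /opt/ejabberd/logs/ejabberd.log '<failregex>'` is the tool that checks the same matching against the live log.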

Restart the service:

systemctl restart fail2ban.service

And looking at ufw we can see that it does indeed get banned:

root@ejabber ~ # ufw status verbose |grep 73.241.222.155
Anywhere                   REJECT IN   73.241.222.155

But looking at the ejabberd and fail2ban logs, the entries keep appearing even though the address is banned...

2020-10-06 10:49:03,443 fail2ban.filter         [3419]: INFO    [ejabberd-unknown-attribute] Found 73.241.222.155 - 2020-10-06 10:49:02
2020-10-06 10:49:06,206 fail2ban.filter         [3419]: INFO    [ejabberd-unknown-attribute] Found 73.241.222.155 - 2020-10-06 10:49:05
2020-10-06 10:49:08,962 fail2ban.filter         [3419]: INFO    [ejabberd-unknown-attribute] Found 73.241.222.155 - 2020-10-06 10:49:07
2020-10-06 10:49:08,991 fail2ban.actions        [3419]: NOTICE  [ejabberd-unknown-attribute] Ban 73.241.222.155
2020-10-06 10:49:08,995 fail2ban.filter         [3419]: INFO    [recidive] Found 73.241.222.155 - 2020-10-06 10:49:08
2020-10-06 10:49:11,815 fail2ban.filter         [3419]: INFO    [ejabberd-unknown-attribute] Found 73.241.222.155 - 2020-10-06 10:49:10
2020-10-06 10:49:14,615 fail2ban.filter         [3419]: INFO    [ejabberd-unknown-attribute] Found 73.241.222.155 - 2020-10-06 10:49:13
2020-10-06 10:49:17,408 fail2ban.filter         [3419]: INFO    [ejabberd-unknown-attribute] Found 73.241.222.155 - 2020-10-06 10:49:16
2020-10-06 10:49:17,772 fail2ban.actions        [3419]: NOTICE  [ejabberd-unknown-attribute] 73.241.222.155 already banned

Looking at the ejabberd log, these are UDP connections, and after a bit of searching I came across this answer, https://serverfault.com/a/838079, which basically explains that, even though UDP is a stateless protocol, the Linux kernel tracks the IP and port for 30 seconds to decide whether the traffic is RELATED or ESTABLISHED.

For its part, the rules ufw applies in the ufw-before-input chain do precisely that: they let this traffic through first, in /etc/ufw/before.rules:

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

One possible solution would be to have fail2ban insert its rejects at the start of that chain, but that would penalise legitimate connections for the sake of the banned ones (every packet would be checked against the ban list before reaching the conntrack fast path). Looking for alternatives, I found a utility called conntrack mentioned in a few places for manipulating this kind of kernel entry. So what we will do is, whenever fail2ban bans an IP with our rule, also delete its conntrack entry so that the ban takes effect immediately.

Install conntrack:

apt install conntrack

Let's check whether the entry really exists...

# conntrack -L |grep "73.241.222.155"
conntrack v1.4.4 (conntrack-tools): 25 flow entries have been shown.
udp      17 179 src=73.241.222.155 dst=XX.XX.XX.XX sport=64262 dport=3478 src=XX.XX.XX.XX dst=73.241.222.155 sport=3478 dport=64262 [ASSURED] mark=0 use=1
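That conntrack line is what keeps the banned address flowing: the third column (179) is the remaining timeout in seconds, and the [ASSURED] flag means the kernel has seen packets in both directions, which is exactly what the RELATED,ESTABLISHED rule in before.rules accepts ahead of the ufw REJECT. The 30 seconds mentioned above is the timeout for UDP flows that have not been answered; once ejabberd replies and the flow becomes ASSURED, the kernel applies its longer UDP stream timeout, which is why this entry still has 179 seconds left. The following Python example is added here and is not from the original post or from conntrack-tools: it parses a constructed conntrack -L table (the entry above plus two unrelated flows, with the post's XX.XX.XX.XX placeholder kept as an opaque string) and selects the flows that `conntrack -D -s <ip>` would remove for a banned address, separating the ones that would actually bypass the ban.

```python
import ipaddress

# Constructed sample of `conntrack -L` output: the summary line, the entry shown in the
# post, an unanswered UDP flow from a second address, and an established TCP session to
# ejabberd's c2s port. XX.XX.XX.XX is the post's placeholder for the server's own address.
SAMPLE_CONNTRACK = """\
conntrack v1.4.4 (conntrack-tools): 25 flow entries have been shown.
udp      17 179 src=73.241.222.155 dst=XX.XX.XX.XX sport=64262 dport=3478 src=XX.XX.XX.XX dst=73.241.222.155 sport=3478 dport=64262 [ASSURED] mark=0 use=1
udp      17 23 src=198.51.100.7 dst=XX.XX.XX.XX sport=40000 dport=3478 [UNREPLIED] src=XX.XX.XX.XX dst=198.51.100.7 sport=3478 dport=40000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.9 dst=XX.XX.XX.XX sport=51234 dport=5222 src=XX.XX.XX.XX dst=203.0.113.9 sport=5222 dport=51234 [ASSURED] mark=0 use=1
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_conntrack(text):
    """Parse `conntrack -L` lines into dicts: proto, remaining timeout, TCP state, flags,
    and the original and reply address tuples. The version/summary line is skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0].startswith("conntrack"):
            continue
        entry = {"proto": tokens[0], "timeout": int(tokens[2]), "state": None,
                 "flags": [], "orig": {}, "reply": {}, "extra": {}}
        side = "orig"
        for tok in tokens[3:]:
            if tok.startswith("[") and tok.endswith("]"):
                entry["flags"].append(tok[1:-1])          # ASSURED, UNREPLIED, ...
            elif "=" in tok:
                key, value = tok.split("=", 1)
                if key in TUPLE_KEYS:
                    if key in entry[side]:                # a repeated key starts the reply tuple
                        side = "reply"
                    entry[side][key] = value
                else:
                    entry["extra"][key] = value            # mark=, use=, ...
            else:
                entry["state"] = tok                       # TCP state such as ESTABLISHED
        entries.append(entry)
    return entries


def flows_from_source(entries, ip):
    """Entries whose original source is `ip`: what `conntrack -D -s ip` removes."""
    ip = str(ipaddress.ip_address(ip))   # refuse anything that is not a literal address
    return [e for e in entries if e["orig"].get("src") == ip]


def flows_bypassing_ban(entries, ip):
    """Subset of those flows that iptables still classifies as ESTABLISHED: the kernel has
    seen packets in both directions (no UNREPLIED flag), so the RELATED,ESTABLISHED accept
    in before.rules matches them before the REJECT rule fail2ban inserted."""
    return [e for e in flows_from_source(entries, ip) if "UNREPLIED" not in e["flags"]]


def delete_command(ip):
    """The argv the action file runs for a banned address, with the IP validated first."""
    return ["/usr/sbin/conntrack", "-D", "-s", str(ipaddress.ip_address(ip))]


if __name__ == "__main__":
    table = parse_conntrack(SAMPLE_CONNTRACK)
    for flow in flows_bypassing_ban(table, "73.241.222.155"):
        print(f"{flow['proto']} {flow['orig']} timeout={flow['timeout']}s flags={flow['flags']}")
    print(" ".join(delete_command("73.241.222.155")))
```

For 73.241.222.155 the parser finds one ASSURED UDP flow with 179 seconds left, which is the one that bypasses the ban; the UNREPLIED flow from 198.51.100.7 would not, because its next packet is classified as NEW and hits the firewall rules normally.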

Prepare a new fail2ban action by creating a file in /etc/fail2ban/action.d (conntrack.conf, so that its name matches the banaction we reference from the jail) with the following content:

# Fail2ban delete conntrack entries
# 
[Definition]

actionban = /usr/sbin/conntrack -D -s <ip>

Add the new action to our jail in jail.local:

[ejabberd-unkattr]
enabled = true
port = all
filter =
failregex = ^.*Rejecting request with unknown attribute.*client <HOST>
logpath = /opt/ejabberd/logs/ejabberd.log
maxretry = 3
findtime = 600
bantime = 604800
banaction = ufw-custom
            conntrack

Finally, restart fail2ban and check that the ban now works as intended.

systemctl restart fail2ban.service
2020-10-06 12:32:57,994 fail2ban.filter         [12061]: INFO    [ejabberd-unkattr] Found 73.241.222.155 - 2020-10-06 12:29:57
2020-10-06 12:32:57,995 fail2ban.filter         [12061]: INFO    [ejabberd-unkattr] Found 73.241.222.155 - 2020-10-06 12:30:00
2020-10-06 12:32:57,995 fail2ban.filter         [12061]: INFO    [ejabberd-unkattr] Found 73.241.222.155 - 2020-10-06 12:32:50
2020-10-06 12:32:57,996 fail2ban.filter         [12061]: INFO    [ejabberd-unkattr] Found 73.241.222.155 - 2020-10-06 12:32:53
2020-10-06 12:32:57,996 fail2ban.filter         [12061]: INFO    [ejabberd-unkattr] Found 73.241.222.155 - 2020-10-06 12:32:56
2020-10-06 12:32:58,495 fail2ban.actions        [12061]: NOTICE  [ejabberd-unkattr] Ban 73.241.222.155

And from that moment on we can see in ejabberd.log that the malicious requests have stopped.