Skip to content

peci1/fail2ban_openwrt

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

49 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

fail2ban_openwrt

OpenWRT support for fail2ban with special additions of support for PPtP scan banning (optional).

![NOTE] This repo has recently switched to using nftables for blocking pptp attackers. If you're still using iptables, check out the iptables branch of this repo.

It is tested on Turris OS 7.1, which is based on OpenWRT 21.02 and it only works on Python 3.

Installation

If you don't already have fail2ban installed, just opkg update && opkg install fail2ban. Install additional configs by calling ./install_f2b_config.sh. You can enable automatic startup of fail2ban by calling

/etc/init.d/fail2ban enable

PPtP banning support

To get support for a PPtP server filter that bans users who failed authentication, run ./install_pptp_support.sh. Please note that it sets the ppp daemon to debug mode (by editing /etc/ppp/options.pptpd). This might result in sensitive information appearing in the system log. If you don't like this, you'll have to reconfigure your syslog, because the debug mode is essential for the pptp fail2ban filter to work.

It also configures syslog to create named pipe /var/log/ppp which collects only logs from pptpd and pppd. This pipe is then processed by a script installed to OpenWRT as fail2ban_pptp that transforms it into file /var/log/ppp.login. This is a concise log of login attempts (both successful and unsuccessful). These attempts are then given to fail2ban to extract and ban the attackers.

Usage

Start the fail2ban server with /etc/init.d/fail2ban start. It should spawn a fail2ban process and you should see some output in syslog and possibly also in /var/log/fail2ban.log.

Configuration

Fail2ban stores a database of already banned IP addresses. It is best if this file survives restarts of the router. By default, it is put in /var/lib/fail2ban/fail2ban.sqlite3. If your /var directory resides in memory only, you might want to change the config in /etc/config/fail2ban to point to a persistent place. But be aware that if your router's system is on an an eMMC flash memory, it is possibly not meant to keep often-changing files and you should rather connect an external drive and set it as the location for fail2ban database, otherwise it can destroy your router. You have been warned.

By default, fail2ban blocks traffic directed at your router. But if you e.g. collect logs from other LAN devices or virtual containers and want fail2ban to block traffic to these devices, too (in case they are reachable from Internet e.g. via port redirects or DMZ), you will need to adjust the jail config to use FORWARD chain instead of the default INPUT chain. The fail2ban jail config to set that is chain = FORWARD.

Troubleshooting

Fail2ban

If something doesn't work and the fail2ban daemon doesn't start, try running manually /usr/bin/fail2ban-server -v -xf --logtarget=sysout start to see what the problem is.

PPtP banning

Watch the contents of /var/log/ppp and /var/log/ppp.login and connect to the VPN server. There should be some content in both of these files. In /var/log/ppp.login, you should see something like:

OK pptpd PID: 1234, pppd PID: 1235, IP: 1.2.3.4, prefix: 5 Jun 13:14:15 router

You can also try running

fail2ban-regex /var/log/ppp.login /etc/fail2ban/filter.d/pptp.conf

to see whether the processed PPtP log parses correctly. It should output something like:

Running tests
=============

Use   failregex filter file : pptp, basedir: /etc/fail2ban
Use      datepattern : MON Day 24hour:Minute:Second
Use         log file : /var/log/ppp.login
Use         encoding : UTF-8


Results
=======

Failregex: 36 total
|-  #) [# of hits] regular expression
|   1) [36] ^FAIL.*IP: <HOST>,.*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [58] MON Day 24hour:Minute:Second
`-

Lines: 58 lines, 0 ignored, 36 matched, 22 missed
[processed in 0.03 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 22 lines

To see statistics of the banning, call

fail2ban-client status pptp