Page MenuHomeVyOS Platform

Add system service fail2ban
Closed, InvalidPublicFEATURE REQUEST

Description

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Just install fail2ban debian package and provide configuration node.

Usefull for cloud based VyOS instances.

https://www.fail2ban.org/

Details

Difficulty level
Normal (likely a few hours)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

c-po updated the task description. (Show Details)
c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
c-po reopened this task as In progress.
c-po triaged this task as Normal priority.

Kim, can you merge this into current
Thanks!

What to so with this task, requests were closed.

Closed b/c I wanted to rewrite it using vyos-1x command package.

Proper firewalling will be better...

straight firewalling won't help if the logon attempts still come from a presumably trusted LAN. I like the idea of at least a temporary lockout to prevent mass attempts when someone is running a big password list, though the utility of this naturally drops if VyOS can be fingerprinted before the attempt and the instance runs with a default password, but that's a sysadmin problem.

Any chance this will be revived for 1.3 or 2.0 ?
Any amount of firewalling is not gonna stop brute forcing.

If this will not be revived will there atleast be a feature with some parity to block after X amount of failed logins for Y amount of time that is increased by a factor of Z amount for each additional failed logins ?

@c-po Why stop the implementation of this function? My original idea was to implement the automatic configuration and operation of the service in vyos-1x. It seems that you already have an idea?