From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 4DE4E70C5B for ; Thu, 30 Sep 2021 14:32:31 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 452A02019E for ; Thu, 30 Sep 2021 14:32:01 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 88B6020190 for ; Thu, 30 Sep 2021 14:31:58 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 60EFA44C22 for ; Thu, 30 Sep 2021 14:31:58 +0200 (CEST) From: Oguz Bektas To: pve-devel@lists.proxmox.com Date: Thu, 30 Sep 2021 14:31:46 +0200 Message-Id: <20210930123147.1474241-2-o.bektas@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210930123147.1474241-1-o.bektas@proxmox.com> References: <20210930123147.1474241-1-o.bektas@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.916 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes PROLO_LEO1 0.1 Meta Catches all Leo drug variations so far SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [proxmox.com, host.pm, firewall.pm] Subject: [pve-devel] [PATCH v3 firewall 1/2] implement fail2ban backend and API X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Sep 2021 12:32:31 -0000 adds a section "[FAIL2BAN]" in the hostfw configuration, which allows the properties 'maxretry' and 'bantime' (in minutes) for the GUI ports. enable: whether fail2ban jail is enabled or not maxretry: amount of login tries allowed bantime: amount of minutes to ban suspicious host the configuration file is derived from our wiki [0] example API usage ===== $ pvesh set /nodes/localhost/firewall/fail2ban --enable 1 --bantime 10 --maxretry 3 $ pvesh get /nodes/localhost/firewall/fail2ban ┌──────────┬───────┐ │ key │ value │ ╞══════════╪═══════╡ │ bantime │ 10 │ ├──────────┼───────┤ │ enable │ 1 │ ├──────────┼───────┤ │ maxretry │ 3 │ └──────────┴───────┘ $ pvesh set /nodes/localhost/firewall/fail2ban --bantime 100 $ pvesh get /nodes/localhost/firewall/fail2ban ┌──────────┬───────┐ │ key │ value │ ╞══════════╪═══════╡ │ bantime │ 100 │ ├──────────┼───────┤ │ enable │ 1 │ ├──────────┼───────┤ │ maxretry │ 3 │ └──────────┴───────┘ $ pvesh set /nodes/localhost/firewall/fail2ban --enable 0 $ pvesh get /nodes/localhost/firewall/fail2ban ┌──────────┬───────┐ │ key │ value │ ╞══════════╪═══════╡ │ bantime │ 100 │ ├──────────┼───────┤ │ enable │ 0 │ ├──────────┼───────┤ │ maxretry │ 3 │ └──────────┴───────┘ ===== [0]: https://pve.proxmox.com/wiki/Fail2ban Signed-off-by: Oguz Bektas --- v2->v3: * simpler regex in 'parse_fail2ban_option' * 'parse_fail2ban_option' returns integer value instead of string * change position of 'get_fail2ban' and 'set_fail2ban' (so that they're next to each other debian/control | 1 + src/PVE/API2/Firewall/Host.pm | 96 ++++++++++++++++++++++++++++++++ src/PVE/Firewall.pm | 101 +++++++++++++++++++++++++++++++++- 3 files changed, 197 insertions(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 4684c5b..377c9ae 100644 --- a/debian/control +++ b/debian/control @@ -17,6 +17,7 @@ Package: pve-firewall Architecture: any Conflicts: ulogd, Depends: ebtables, + fail2ban, ipset, iptables, libpve-access-control, diff --git a/src/PVE/API2/Firewall/Host.pm b/src/PVE/API2/Firewall/Host.pm index b66ca55..41728f7 100644 --- a/src/PVE/API2/Firewall/Host.pm +++ b/src/PVE/API2/Firewall/Host.pm @@ -62,6 +62,17 @@ my $add_option_properties = sub { return $properties; }; +my $fail2ban_properties = $PVE::Firewall::fail2ban_option_properties; + +my $add_fail2ban_properties = sub { + my ($properties) = @_; + + foreach my $k (keys %$fail2ban_properties) { + $properties->{$k} = $fail2ban_properties->{$k}; + } + + return $properties; +}; __PACKAGE__->register_method({ name => 'get_options', @@ -148,6 +159,91 @@ __PACKAGE__->register_method({ return undef; }}); +__PACKAGE__->register_method({ + name => 'get_fail2ban', + path => 'fail2ban', + method => 'GET', + description => "Get host firewall fail2ban options.", + proxyto => 'node', + permissions => { + check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]], + }, + parameters => { + additionalProperties => 0, + properties => { + node => get_standard_option('pve-node'), + }, + }, + returns => { + type => "object", + properties => $fail2ban_properties, + }, + code => sub { + my ($param) = @_; + + my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); + my $hostfw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf); + + return PVE::Firewall::copy_opject_with_digest($hostfw_conf->{fail2ban}); + }}); + + + +__PACKAGE__->register_method({ + name => 'set_fail2ban', + path => 'fail2ban', + method => 'PUT', + description => "Set host firewall fail2ban options.", + protected => 1, + proxyto => 'node', + permissions => { + check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]], + }, + parameters => { + additionalProperties => 0, + properties => &$add_fail2ban_properties({ + node => get_standard_option('pve-node'), + delete => { + type => 'string', format => 'pve-configid-list', + description => "A list of settings you want to delete.", + optional => 1, + }, + digest => get_standard_option('pve-config-digest'), + }), + }, + returns => { type => "null" }, + code => sub { + my ($param) = @_; + PVE::Firewall::lock_hostfw_conf(10, sub { + my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); + my $hostfw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf); + + my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($hostfw_conf->{fail2ban}); + PVE::Tools::assert_if_modified($digest, $param->{digest}); + + if ($param->{delete}) { + foreach my $opt (PVE::Tools::split_list($param->{delete})) { + raise_param_exc({ delete => "no such option '$opt'" }) + if !$fail2ban_properties->{$opt}; + delete $hostfw_conf->{fail2ban}->{$opt}; + } + } + + if (defined($param->{enable})) { + $param->{enable} = $param->{enable} ? 1 : 0; + } + + foreach my $k (keys %$fail2ban_properties) { + next if !defined($param->{$k}); + $hostfw_conf->{fail2ban}->{$k} = $param->{$k}; + } + + PVE::Firewall::save_hostfw_conf($hostfw_conf); + }); + + return undef; + }}); + __PACKAGE__->register_method({ name => 'log', path => 'log', diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index edc5336..92b77a4 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -1347,6 +1347,29 @@ our $host_option_properties = { }, }; +our $fail2ban_option_properties = { + enable => { + description => "Enable or disable fail2ban on a node.", + type => 'boolean', + optional => 1, + default => 1, + }, + maxretry => { + description => "Amount of failed tries to ban after.", + type => 'integer', + optional => 1, + minimum => 1, + default => 3, + }, + bantime => { + description => "Minutes to ban suspicious IPs.", + type => 'integer', + optional => 1, + minimum => 1, + default => 5, + }, +}; + our $vm_option_properties = { enable => { description => "Enable/disable firewall rules.", @@ -2407,6 +2430,41 @@ sub ruleset_generate_vm_rules { } } +sub generate_fail2ban_config { + my ($fail2ban_opts) = @_; + + my $enable = $fail2ban_opts->{enable} ? 'true' : 'false'; + my $maxretry = $fail2ban_opts->{maxretry}; + my $bantime = $fail2ban_opts->{bantime} * 60; # convert minutes to seconds + + my $fail2ban_filter = < user=.* msg=.* +ignoreregex = +CONFIG + my $filter_path = '/etc/fail2ban/filter.d/proxmox.conf'; + PVE::Tools::file_set_contents($filter_path, $fail2ban_filter) if !-f $filter_path; + + + my $fail2ban_jail = <{$1}->{default}); + } else { + die "error parsing fail2ban options: $line"; + } +} + sub generic_fw_config_parser { my ($filename, $cluster_conf, $empty_conf, $rule_env) = @_; @@ -2965,6 +3033,11 @@ sub generic_fw_config_parser { my $prefix = "$filename (line $linenr)"; + if ($empty_conf->{fail2ban} && ($line =~ m/^\[fail2ban\]$/i)) { + $section = 'fail2ban'; + next; + } + if ($empty_conf->{options} && ($line =~ m/^\[options\]$/i)) { $section = 'options'; next; @@ -3046,6 +3119,13 @@ sub generic_fw_config_parser { $res->{aliases}->{lc($data->{name})} = $data; }; warn "$prefix: $@" if $@; + } elsif ($section eq 'fail2ban') { + my ($opt, $value) = eval { parse_fail2ban_option($line) }; + if (my $err = $@) { + warn "$err"; + next; + } + $res->{fail2ban}->{$opt} = $value; } elsif ($section eq 'rules') { my $rule; eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, $res, $rule_env); }; @@ -3251,6 +3331,21 @@ my $format_options = sub { return $raw; }; +my $format_fail2ban = sub { + my ($fail2ban_options) = @_; + + my $raw = ''; + + $raw .= "[FAIL2BAN]\n\n"; + foreach my $opt (keys %$fail2ban_options) { + $raw .= "$opt: $fail2ban_options->{$opt}\n"; + } + $raw .= "\n"; + + return $raw; + +}; + my $format_aliases = sub { my ($aliases) = @_; @@ -3620,7 +3715,7 @@ sub load_hostfw_conf { $filename = $hostfw_conf_filename if !defined($filename); - my $empty_conf = { rules => [], options => {}}; + my $empty_conf = { rules => [], options => {}, fail2ban => {}}; return generic_fw_config_parser($filename, $cluster_conf, $empty_conf, 'host'); } @@ -3630,7 +3725,9 @@ sub save_hostfw_conf { my $raw = ''; my $options = $hostfw_conf->{options}; + my $fail2ban_options = $hostfw_conf->{fail2ban}; $raw .= &$format_options($options) if $options && scalar(keys %$options); + $raw .= &$format_fail2ban($fail2ban_options) if $fail2ban_options && scalar(keys %$fail2ban_options); my $rules = $hostfw_conf->{rules}; if ($rules && scalar(@$rules)) { @@ -4590,6 +4687,8 @@ sub update { } my $hostfw_conf = load_hostfw_conf($cluster_conf); + my $fail2ban_opts = $hostfw_conf->{fail2ban}; + generate_fail2ban_config($fail2ban_opts) if scalar(keys %$fail2ban_opts); my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = compile($cluster_conf, $hostfw_conf); -- 2.30.2