From: Thomas Lamprecht
To: Oguz Bektas, Proxmox VE development discussion
Date: Wed, 25 Aug 2021 14:51:00 +0200
Subject: Re: [pve-devel] [RFC firewall] implement fail2ban in firewall
References: <20210823140736.1371942-1-o.bektas@proxmox.com> <9ca9e438-6983-9dc8-ad8d-f8a7b5ce9455@proxmox.com>

On 25/08/2021 11:34, Oguz Bektas wrote:
> On Tue, Aug 24, 2021 at 08:58:10PM +0200, Thomas Lamprecht wrote:
>> E.g., did you think about checking the log just directly here, after all we run
>> every 10s anyway, so one could just directly parse the daemon log and add the
>> rules directly here, no extra daemon and external instance, which adapts filter
>> rules, required (the latter is racy anyway). Not necessarily a must, but the
>> simple regex on a single file would be easy, hardest thing would be to handle
>> rotations and make reading not completely inefficient; but neither too complicated
>> either.
>
> in the v2 it works better after implementing your suggestions (I'll send
> it today), now we check if the jail file has changed and only write it then.

That has zero to do with thinking and evaluating about just doing it ourselves here though?
As there's still an additional dependency with an extra daemon running that may not even
interact correctly with how we operate the iptables...

>>
>> anyhow, does fail2ban always flush all their rules, as else our rewrite of
>> the filter and raw tables on each update would make it somewhat moot?
>
> I'm not exactly sure, but in my tests the banned IP addresses stayed
> even after changing configuration and reloading the services. you can
> check with `fail2ban-client banned`.

I did not ask about the banned IP address view from the fail2ban daemon but rather if the
actual *iptables* rules persist, would be good to make sure about such stuff if wanting to
integrate such a feature..
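The alternative Thomas sketches above (parse the daemon log on each firewall tick, count failures per source address, emit the ban rules directly, and cope with log rotation) is illustrated by the following added example. It is not code from the RFC patch, from pve-firewall, or from fail2ban. The log line format, the `FAIL_RE` pattern, the `EXAMPLE-BAN` chain name and the thresholds are all assumptions made for this example; the log lines are constructed inline.

```python
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical auth failure line format (assumption; not the real pvedaemon format).
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) .*authentication failure.*"
    r"rhost=(?P<ip>[0-9a-fA-F.:]+)"
)
BAN_CHAIN = "EXAMPLE-BAN"  # hypothetical chain name, only used to render rule text


class LogFollower:
    """Reads only the lines appended since the last call; re-opens from the start
    when the file was rotated (new inode) or truncated (shorter than our offset)."""

    def __init__(self, path):
        self.path = path
        self.inode = None
        self.offset = 0      # byte offset already consumed
        self.partial = b""   # trailing bytes of an unterminated line

    def read_new_lines(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return []  # rotated away and not yet recreated: try again next tick
        if self.inode != st.st_ino or st.st_size < self.offset:
            self.inode, self.offset, self.partial = st.st_ino, 0, b""
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = self.partial + fh.read()
            self.offset = fh.tell()
        lines = data.split(b"\n")
        self.partial = lines.pop()  # incomplete last line (or b"" if newline-terminated)
        return [line.decode("utf-8", errors="replace") for line in lines]


class BanTracker:
    """Bans a source after max_retry failures inside a sliding find_time window,
    keyed on the timestamps found in the log lines themselves."""

    def __init__(self, max_retry=5, find_time=timedelta(minutes=10)):
        self.max_retry = max_retry
        self.find_time = find_time
        self.attempts = defaultdict(list)  # ip -> failure timestamps in window
        self.banned = set()

    def observe(self, lines):
        newly_banned = set()
        for line in lines:
            m = FAIL_RE.search(line)
            if not m:
                continue
            ts, ip = datetime.fromisoformat(m.group("ts")), m.group("ip")
            keep_from = ts - self.find_time
            self.attempts[ip] = [t for t in self.attempts[ip] if t >= keep_from]
            self.attempts[ip].append(ts)
            if len(self.attempts[ip]) >= self.max_retry and ip not in self.banned:
                self.banned.add(ip)
                newly_banned.add(ip)
        return newly_banned


def iptables_rules(ips):
    """Render the rule lines a firewall tick would add for the given addresses."""
    return [f"-A {BAN_CHAIN} -s {ip} -j DROP" for ip in sorted(ips)]


def run_demo():
    """Two firewall ticks with a log rotation in between; returns the decisions."""
    base = datetime(2021, 8, 25, 14, 0, 0)

    def fail(ip, minutes):  # constructed log line
        when = (base + timedelta(minutes=minutes)).isoformat()
        return f"{when} pvedaemon[1234]: authentication failure; rhost={ip} user=root@pam\n"

    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "auth.log")
        follower = LogFollower(path)
        tracker = BanTracker(max_retry=3, find_time=timedelta(minutes=10))
        with open(path, "w") as fh:
            fh.write(fail("192.0.2.10", 0) + fail("192.0.2.10", 1) + fail("198.51.100.7", 1))
            fh.write("2021-08-25T14:02:00 pvedaemon[1234]: successful auth for user 'root@pam'\n")
        first = tracker.observe(follower.read_new_lines())
        os.rename(path, path + ".1")  # logrotate-style rename; new file gets a new inode
        with open(path, "w") as fh:
            fh.write(fail("192.0.2.10", 2))     # third failure in window: banned
            fh.write(fail("198.51.100.7", 30))  # earlier failure aged out: not banned
        second = tracker.observe(follower.read_new_lines())
        return {"first_tick": sorted(first), "second_tick": sorted(second),
                "rules": iptables_rules(second)}


if __name__ == "__main__":
    print(run_demo())
```

The follower keeps a byte offset rather than re-reading the whole file every 10 seconds, and treats an inode change or a shrinking file as the signal to restart from offset zero, which covers both rename-based rotation and copytruncate. Because the rules are rendered on each tick from the tracker's own state, they survive the firewall's rewrite of the filter table, which is exactly the persistence question raised at the end of the mail.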