fail2ban in a jail

hashime · Jun 2, 2015

Hello

I'm trying to run fail2ban on a jail, the jail has the same ip as the Host but with sshd on a different portnumber.

I put this into /usr/local/etc/fail2ban/jail.d/

Code:

[ssh-jail-pf]
enabled  = true
filter   = sshd
action   = pf
#          sendmail-whois[name=SSH, dest=root@localhost, sender=noreply@localhost]
logpath  = /usr/jails/shell/var/log/auth.log
findtime  = 600
maxretry = 3
bantime  = 360000

I am unsure how to tell fail2ban that the attempts coming out of this logile are on another port then the host systems sshd and how to give fail2ban this port.
Any advice would be appreciated.

gkontos · Jun 2, 2015

hashime said:
Hello
I'm trying to run fail2ban on a jail, the jail has the same ip as the Host.

How did you manage that?

hashime · Jun 2, 2015

Just create with the same ip, works fine. I just use it to separate the webserver from the host system, with no other service running.

kpa · Jun 2, 2015

What is your motive for putting fail2ban in the jail? It's much harder to control the firewall that still operates directly on the host from within a jail and it doesn't really add more security.

Remington · Jun 2, 2015

fail2ban should be in host as it has the ability to monitor multiple logs from different jails and works with pf or ipfw to protect the server at the ethernet interface.

hashime · Jun 2, 2015

I did not put fail2ban in the jail, i run it on the host system. I am just unsure how to tell fail2ban that the logfile in the jail has a different ssh port then the host system.

Remington · Jun 2, 2015

You could set separate filters for SSH in host and jail.

You will have to create two different rules in fail2ban/jail.local for ssh in host and jail.

You will also have to create two filter files: fail2ban/filter.d/bsd-sshd-host.local and fail2ban/filter.d/bsd-sshd-jail.local

gkontos · Jun 2, 2015

hashime said:
Just create with the same ip, works fine. I just use it to separate the webserver from the host system, with no other service running.

So, you created a jail with the same IP address as the host system? Can you please share how you did that?

hashime · Jun 2, 2015

gkontos said:
So, you created a jail with the same IP address as the host system? Can you please share how you did that?

ezjail-admin create -f myflavour jailname sameipashost

gkontos · Jun 2, 2015

That is wrong. A Jail should never share the same IP with the host. Eventually, you will have problems.

hashime · Jun 2, 2015

Works fine for my use case till now.
What kind of problems can iI expect?

Remington · Jun 2, 2015

hashime said:
Works fine for my usecase till now.
What kind of problems can i expect?

You may run into problems if software in host and jail use the same IP address and ports. If you only have one public IP address then all your jails should use local IP addresses such as 10.0.0.x or 192.168.0.x. to avoid conflicts with public IP address. What you are doing is a bad practice and it renders your host to vulnerabilities.

hashime · Jun 2, 2015

Vulnerabilities like what?

Remington · Jun 3, 2015

hashime said:
Vulnerabilities like what?

Vulnerable to attacks. You just opened your host by sharing the same IP address with jail. You might as well run everything in host and not bother with jail.

hashime · Jun 3, 2015

Can you be more specific? In what way do iI "open" up what exactly?

Remington · Jun 3, 2015

hashime said:
Can you be more specific? In what way do iI "open" up what exactly?

If you run any daemons in host using the same IP address in jail. Daemon listeners in host gets the priority so if anyone is using it in jail will have access to host. Therefore, your host is far more likely will be compromised. If you use SSH port 22 in host, SSH port 22 in jail and both use same IP address then SSH in host gets the priority. Same thing for FTP daemons, email, etc. as you don't always know which software you install will require daemon that listens on port.

I don't understand why you're not using local or private IP addresses for your jails and its not that difficult to implement with PF. If you use local or private IP address in jail then daemons in that jail will be restricted to that jail IP address and not host.

What you are doing is bad security practice as you cannot assume everything will be okay especially with untrusted users. You will run into problems later or worse host compromised.

So my advice to you is to create private IP address in jail and use PF to reroute traffic to jails.

hashime · Jun 3, 2015

Thanks for the explanation. Obviously I am not running the same daemons on the same ports in the jail. For example, I jailed lighttpd using the same IP as the main IP of the host, since I got only 2. On the jail no daemon but lighttpd on port 443 is running, no SSH, no email, no FTP, no users. I access it through the host. On the host, no webserver. I don't see a problem there. The main thought process behind this is, that if someone breaks into lighttpd for some reason, he/she won't get access to the host, just the jail. Basically using jail as a better chroot. If I'd use an internal IP and route it through the host, I would have the exact same security concerns, host IP is exposed as well.
I created a jail with the second IP I got, I have to create a virtual ethernet device on the host as well or the jail would have no internet connectivity, so the host has the second IP too and we are back to square one, unless I did something terribly wrong and I am too stupid to do jails (which is totally in the realm of possibility) and it is possible otherwise as well.
I get what you are saying, but obviously I don't run the the same ip/port combination in jails/host since that would not work. I use jails to separate daemons/other daemons/users from each other.

junovitch@ · Jun 4, 2015

Remington said:
If you run any daemons in host using the same IP address in jail. Daemon listeners in host gets the priority so if anyone is using it in jail will have access to host. Therefore, your host is far more likely will be compromised. If you use SSH port 22 in host, SSH port 22 in jail and both use same IP address then SSH in host gets the priority. Same thing for FTP daemons, email, etc. as you don't always know which software you install will require daemon that listens on port.

This is actually the other way around. In this scenario the jail will get the connection first and assuming there is no service listening it will "fall through" to the host. I just double checked and on a VM with both host and jail using SSH on port 22, the SSH will indeed go into the jail when the jail is running and go to the host when the jail is not running.

On the topic, if the address is publicly reachable when it otherwise would have been a privately addressed host and publicly addressable jail then the host is certainly more vulnerable in this scenario. Since you are setting up Fail2Ban, this may apply. Otherwise jailing a service ultimately adds to it's security. For example, the auditdistd(8) service jails itself without an IP address. The isolated process and file system space is still there.

Ultimately sharing the IP like this is likely going to be a needless source of confusion when configuration changes over time. Sooner or later there will be some unusual behavior when services get added and things behave oddly depending on whether the jail is running or not. There are many things on *nix platforms in general where there isn't anything to prevent you from doing something silly since then may prevent doing something smart. This seems like one of them. If this is a shared or "production" system, please don't do unusual things like this for the benefit of whoever else has to work on it next.

hashime · Jun 4, 2015

Thanks for the advice.