Puppet users - Oct 2013 - puppetlabs/firewall and fail2ban

Hello,

A while back I wanted to switch our home-brewed iptables module to the 
puppetlabs/firewall module but I couldn''t figure out
how to tell puppetlabs/firewall to leave the fail2ban chains alone.

I was curious if someone had solved the issue and had some examples I can 
work from?

-- 
Daniele Sluijters

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/28d07962-a86c-46ad-9ddb-02e7ae41c348%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

On Oct 29, 2013, at 8:41 AM, Daniele Sluijters
<daniele.sluijters@gmail.com> wrote:
> Hello,
> 
> A while back I wanted to switch our home-brewed iptables module to the
puppetlabs/firewall module but I couldn''t figure out
> how to tell puppetlabs/firewall to leave the fail2ban chains alone.
> 
> I was curious if someone had solved the issue and had some examples I can
work from?
> 
> -- 
> Daniele Sluijters
> 
> -- 
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to puppet-users+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/28d07962-a86c-46ad-9ddb-02e7ae41c348%40googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.

I ran in to this issue also.  Never found a scaleable/supportable solution, so
switched to DenyHosts instead just to get the deployment going.   I used the
puppetlabs-denyhosts module.    Depending on your application an app-level
filter vs a firewall-level filter may be adequate.  The latter is possibly more
scalable if you are getting massive attacks on your SSH port for example.   But
if they get so massive that DenyHosts is a significant resource drain you may
need to switch to an upstream DDoS-blocking solution anyway, so I decided the
app-level filter was sufficient.

Don


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/E14BBB38-29A3-462F-B68C-D529C81D035E%40gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

Hi,

DenyHosts is not an option for me since I can''t predict which hosts
will be
connecting from the outside. Fail2ban solves that issue by looking for odd 
behaviour instead of asking me to whitelist.

Thanks for the suggestion though,

-- 
Daniele Sluijters

On Tuesday, 29 October 2013 18:22:04 UTC+1, Don Hoffman
wrote:
>
>
> On Oct 29, 2013, at 8:41 AM, Daniele Sluijters
<daniele....@gmail.com<javascript:>>
> wrote:
>
> Hello,
>
> A while back I wanted to switch our home-brewed iptables module to the 
> puppetlabs/firewall module but I couldn''t figure out
> how to tell puppetlabs/firewall to leave the fail2ban chains alone.
>
> I was curious if someone had solved the issue and had some examples I can 
> work from?
>
> -- 
> Daniele Sluijters
>
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to puppet-users...@googlegroups.com <javascript:>.
> To view this discussion on the web visit 
>
https://groups.google.com/d/msgid/puppet-users/28d07962-a86c-46ad-9ddb-02e7ae41c348%40googlegroups.com
> .
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
> I ran in to this issue also.  Never found a scaleable/supportable 
> solution, so switched to DenyHosts instead just to get the deployment 
> going.   I used the puppetlabs-denyhosts module.    Depending on your 
> application an app-level filter vs a firewall-level filter may be adequate.
>  The latter is possibly more scalable if you are getting massive attacks on
> your SSH port for example.   But if they get so massive that DenyHosts is a
> significant resource drain you may need to switch to an upstream 
> DDoS-blocking solution anyway, so I decided the app-level filter was 
> sufficient.
>
> Don
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/28d67b56-fe05-4315-a307-b4a1cf53fa7c%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

On Oct 29, 2013, at 12:00 PM, Daniele Sluijters
<daniele.sluijters@gmail.com> wrote:
> Hi,
> 
> DenyHosts is not an option for me since I can''t predict which
hosts will be connecting from the outside. Fail2ban solves that issue by looking
for odd behaviour instead of asking me to whitelist.
> 
> Thanks for the suggestion though,
> 
> -- 
> Daniele Sluijters
Hmm.  Don’t quite follow.   DenyHost works pretty much the same as fail2ban on
the detection side.  I.e. “looking for odd behavior".  See this entry from
their FAQ:  http://denyhosts.sourceforge.net/faq.html#1_5

The DenyHost daemon monitors /var/log/secure for various signs of unsuccessful
attempts to connect (from anywhere).  Once a threshold is reached a rule for
that IP address is inserted in to /etc/host.deny.   Pretty much has the same
detection features as Fail2ban.

It is only on the filtering side where DenyHosts and Fail2ban really differ. 
Fail2ban sets up iptables firewall rules while DenyHosts adds entries to
hosts.deny for filtering in the app (usually sshd) server daemon.

Don


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/54B8E55B-AB9D-48B0-939C-70BFFED16B9F%40gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

On reading your message, I think you are perhaps confusing the static Linux
/etc/host.deny mechanism with the DenyHosts project.  See
http://denyhosts.sourceforg.net


Don

On Oct 29, 2013, at 5:32 PM, Donald Hoffman <don.hoffman@gmail.com> wrote:
> On Oct 29, 2013, at 12:00 PM, Daniele Sluijters
<daniele.sluijters@gmail.com> wrote:
> 
>> Hi,
>> 
>> DenyHosts is not an option for me since I can''t predict which
hosts will be connecting from the outside. Fail2ban solves that issue by looking
for odd behaviour instead of asking me to whitelist.
>> 
>> Thanks for the suggestion though,
>> 
>> -- 
>> Daniele Sluijters
> 
> Hmm.  Don’t quite follow.   DenyHost works pretty much the same as fail2ban
on the detection side.  I.e. “looking for odd behavior".  See this entry
from their FAQ:  http://denyhosts.sourceforge.net/faq.html#1_5
> 
> The DenyHost daemon monitors /var/log/secure for various signs of
unsuccessful attempts to connect (from anywhere).  Once a threshold is reached a
rule for that IP address is inserted in to /etc/host.deny.   Pretty much has the
same detection features as Fail2ban.
> 
> It is only on the filtering side where DenyHosts and Fail2ban really
differ.  Fail2ban sets up iptables firewall rules while DenyHosts adds entries
to hosts.deny for filtering in the app (usually sshd) server daemon.
> 
> Don
> 
> 
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/F7131694-484F-4C5F-B41C-6E7D11D3F2E9%40gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

Hi,

Ah indeed, I misread the puppetlabs-denyhosts module. I had a look at the 
DenyHosts project but that seems limited to SSH alone. My fail2ban has 
rules that scan logs of our web servers, mail etc.

-- 
Daniele Sluijters

On Wednesday, 30 October 2013 01:39:56 UTC+1, Don Hoffman
wrote:
>
> On reading your message, I think you are perhaps confusing the static 
> Linux /etc/host.deny mechanism with the DenyHosts project.  See 
> http://denyhosts.sourceforg.net 
>
>
> Don 
>
> On Oct 29, 2013, at 5:32 PM, Donald Hoffman
<don.h...@gmail.com<javascript:>>
> wrote: 
>
> > On Oct 29, 2013, at 12:00 PM, Daniele Sluijters
<daniele....@gmail.com<javascript:>>
> wrote: 
> > 
> >> Hi, 
> >> 
> >> DenyHosts is not an option for me since I can''t predict
which hosts
> will be connecting from the outside. Fail2ban solves that issue by looking 
> for odd behaviour instead of asking me to whitelist. 
> >> 
> >> Thanks for the suggestion though, 
> >> 
> >> -- 
> >> Daniele Sluijters 
> > 
> > Hmm.  Don’t quite follow.   DenyHost works pretty much the same as 
> fail2ban on the detection side.  I.e. “looking for odd behavior".  See
this
> entry from their FAQ:  http://denyhosts.sourceforge.net/faq.html#1_5 
> > 
> > The DenyHost daemon monitors /var/log/secure for various signs of 
> unsuccessful attempts to connect (from anywhere).  Once a threshold is 
> reached a rule for that IP address is inserted in to /etc/host.deny.   
> Pretty much has the same detection features as Fail2ban. 
> > 
> > It is only on the filtering side where DenyHosts and Fail2ban really 
> differ.  Fail2ban sets up iptables firewall rules while DenyHosts adds 
> entries to hosts.deny for filtering in the app (usually sshd) server 
> daemon. 
> > 
> > Don 
> > 
> > 
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/d03394af-4bf0-4bc0-b250-d3d125a22ab5%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Have a look at pam_shield. It can protect any services that use PAM for 
authentication (i.e. ssh, authenticated mail, but not web). It can use 
either null-routing or iptables rules for blocking. If you set it to use 
null-routing then it doesn''t interfere with puppetlabs/firewall - we
are
using these two modules together without problems.

https://github.com/jtniehof/pam_shield

Cheers,
Jonathan


On 30/10/13 09:36, Daniele Sluijters wrote:
> Hi,
>
> Ah indeed, I misread the puppetlabs-denyhosts module. I had a look at 
> the DenyHosts project but that seems limited to SSH alone. My fail2ban 
> has rules that scan logs of our web servers, mail etc.
>
> -- 
> Daniele Sluijters
>
> On Wednesday, 30 October 2013 01:39:56 UTC+1, Don Hoffman wrote:
>
>     On reading your message, I think you are perhaps confusing the
>     static Linux /etc/host.deny mechanism with the DenyHosts project.
>      See http://denyhosts.sourceforg.net
>     <http://denyhosts.sourceforg.net>
>
>
>     Don
>
>     On Oct 29, 2013, at 5:32 PM, Donald Hoffman <don.h...@gmail.com
>     <javascript:>> wrote:
>
>     > On Oct 29, 2013, at 12:00 PM, Daniele Sluijters
>     <daniele....@gmail.com <javascript:>> wrote:
>     >
>     >> Hi,
>     >>
>     >> DenyHosts is not an option for me since I can''t
predict which
>     hosts will be connecting from the outside. Fail2ban solves that
>     issue by looking for odd behaviour instead of asking me to whitelist.
>     >>
>     >> Thanks for the suggestion though,
>     >>
>     >> --
>     >> Daniele Sluijters
>     >
>     > Hmm.  Don’t quite follow.   DenyHost works pretty much the same
>     as fail2ban on the detection side.  I.e. “looking for odd
>     behavior".  See this entry from their FAQ:
>     http://denyhosts.sourceforge.net/faq.html#1_5
>     <http://denyhosts.sourceforge.net/faq.html#1_5>
>     >
>     > The DenyHost daemon monitors /var/log/secure for various signs
>     of unsuccessful attempts to connect (from anywhere).  Once a
>     threshold is reached a rule for that IP address is inserted in to
>     /etc/host.deny.   Pretty much has the same detection features as
>     Fail2ban.
>     >
>     > It is only on the filtering side where DenyHosts and Fail2ban
>     really differ.  Fail2ban sets up iptables firewall rules while
>     DenyHosts adds entries to hosts.deny for filtering in the app
>     (usually sshd) server daemon.
>     >
>     > Don
>     >
>     >
>
> -- 
> You received this message because you are subscribed to the Google 
> Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send 
> an email to puppet-users+unsubscribe@googlegroups.com.
> To view this discussion on the web visit 
>
https://groups.google.com/d/msgid/puppet-users/d03394af-4bf0-4bc0-b250-d3d125a22ab5%40googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/52738BAE.3060200%40bristol.ac.uk.
For more options, visit https://groups.google.com/groups/opt_out.