[pve-devel] [PATCH v3 firewall 1/2] implement fail2ban backend and API
Oguz Bektas
o.bektas at proxmox.com
Thu Sep 30 14:31:46 CEST 2021
adds a section "[FAIL2BAN]" in the hostfw configuration, which allows
the properties 'maxretry' and 'bantime' (in minutes) for the GUI ports.
enable: whether fail2ban jail is enabled or not
maxretry: amount of login tries allowed
bantime: amount of minutes to ban suspicious host
the configuration file is derived from our wiki [0]
example API usage
=====
$ pvesh set /nodes/localhost/firewall/fail2ban --enable 1 --bantime 10 --maxretry 3
$ pvesh get /nodes/localhost/firewall/fail2ban
┌──────────┬───────┐
│ key │ value │
╞══════════╪═══════╡
│ bantime │ 10 │
├──────────┼───────┤
│ enable │ 1 │
├──────────┼───────┤
│ maxretry │ 3 │
└──────────┴───────┘
$ pvesh set /nodes/localhost/firewall/fail2ban --bantime 100
$ pvesh get /nodes/localhost/firewall/fail2ban
┌──────────┬───────┐
│ key │ value │
╞══════════╪═══════╡
│ bantime │ 100 │
├──────────┼───────┤
│ enable │ 1 │
├──────────┼───────┤
│ maxretry │ 3 │
└──────────┴───────┘
$ pvesh set /nodes/localhost/firewall/fail2ban --enable 0
$ pvesh get /nodes/localhost/firewall/fail2ban
┌──────────┬───────┐
│ key │ value │
╞══════════╪═══════╡
│ bantime │ 100 │
├──────────┼───────┤
│ enable │ 0 │
├──────────┼───────┤
│ maxretry │ 3 │
└──────────┴───────┘
=====
[0]: https://pve.proxmox.com/wiki/Fail2ban
Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
---
v2->v3:
* simpler regex in 'parse_fail2ban_option'
* 'parse_fail2ban_option' returns integer value instead of string
* change position of 'get_fail2ban' and 'set_fail2ban' (so that they're next to each other
debian/control | 1 +
src/PVE/API2/Firewall/Host.pm | 96 ++++++++++++++++++++++++++++++++
src/PVE/Firewall.pm | 101 +++++++++++++++++++++++++++++++++-
3 files changed, 197 insertions(+), 1 deletion(-)
diff --git a/debian/control b/debian/control
index 4684c5b..377c9ae 100644
--- a/debian/control
+++ b/debian/control
@@ -17,6 +17,7 @@ Package: pve-firewall
Architecture: any
Conflicts: ulogd,
Depends: ebtables,
+ fail2ban,
ipset,
iptables,
libpve-access-control,
diff --git a/src/PVE/API2/Firewall/Host.pm b/src/PVE/API2/Firewall/Host.pm
index b66ca55..41728f7 100644
--- a/src/PVE/API2/Firewall/Host.pm
+++ b/src/PVE/API2/Firewall/Host.pm
@@ -62,6 +62,17 @@ my $add_option_properties = sub {
return $properties;
};
+my $fail2ban_properties = $PVE::Firewall::fail2ban_option_properties;
+
+my $add_fail2ban_properties = sub {
+ my ($properties) = @_;
+
+ foreach my $k (keys %$fail2ban_properties) {
+ $properties->{$k} = $fail2ban_properties->{$k};
+ }
+
+ return $properties;
+};
__PACKAGE__->register_method({
name => 'get_options',
@@ -148,6 +159,91 @@ __PACKAGE__->register_method({
return undef;
}});
+__PACKAGE__->register_method({
+ name => 'get_fail2ban',
+ path => 'fail2ban',
+ method => 'GET',
+ description => "Get host firewall fail2ban options.",
+ proxyto => 'node',
+ permissions => {
+ check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
+ },
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ node => get_standard_option('pve-node'),
+ },
+ },
+ returns => {
+ type => "object",
+ properties => $fail2ban_properties,
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $hostfw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
+
+ return PVE::Firewall::copy_opject_with_digest($hostfw_conf->{fail2ban});
+ }});
+
+
+
+__PACKAGE__->register_method({
+ name => 'set_fail2ban',
+ path => 'fail2ban',
+ method => 'PUT',
+ description => "Set host firewall fail2ban options.",
+ protected => 1,
+ proxyto => 'node',
+ permissions => {
+ check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+ },
+ parameters => {
+ additionalProperties => 0,
+ properties => &$add_fail2ban_properties({
+ node => get_standard_option('pve-node'),
+ delete => {
+ type => 'string', format => 'pve-configid-list',
+ description => "A list of settings you want to delete.",
+ optional => 1,
+ },
+ digest => get_standard_option('pve-config-digest'),
+ }),
+ },
+ returns => { type => "null" },
+ code => sub {
+ my ($param) = @_;
+ PVE::Firewall::lock_hostfw_conf(10, sub {
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $hostfw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
+
+ my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($hostfw_conf->{fail2ban});
+ PVE::Tools::assert_if_modified($digest, $param->{digest});
+
+ if ($param->{delete}) {
+ foreach my $opt (PVE::Tools::split_list($param->{delete})) {
+ raise_param_exc({ delete => "no such option '$opt'" })
+ if !$fail2ban_properties->{$opt};
+ delete $hostfw_conf->{fail2ban}->{$opt};
+ }
+ }
+
+ if (defined($param->{enable})) {
+ $param->{enable} = $param->{enable} ? 1 : 0;
+ }
+
+ foreach my $k (keys %$fail2ban_properties) {
+ next if !defined($param->{$k});
+ $hostfw_conf->{fail2ban}->{$k} = $param->{$k};
+ }
+
+ PVE::Firewall::save_hostfw_conf($hostfw_conf);
+ });
+
+ return undef;
+ }});
+
__PACKAGE__->register_method({
name => 'log',
path => 'log',
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index edc5336..92b77a4 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1347,6 +1347,29 @@ our $host_option_properties = {
},
};
+our $fail2ban_option_properties = {
+ enable => {
+ description => "Enable or disable fail2ban on a node.",
+ type => 'boolean',
+ optional => 1,
+ default => 1,
+ },
+ maxretry => {
+ description => "Amount of failed tries to ban after.",
+ type => 'integer',
+ optional => 1,
+ minimum => 1,
+ default => 3,
+ },
+ bantime => {
+ description => "Minutes to ban suspicious IPs.",
+ type => 'integer',
+ optional => 1,
+ minimum => 1,
+ default => 5,
+ },
+};
+
our $vm_option_properties = {
enable => {
description => "Enable/disable firewall rules.",
@@ -2407,6 +2430,41 @@ sub ruleset_generate_vm_rules {
}
}
+sub generate_fail2ban_config {
+ my ($fail2ban_opts) = @_;
+
+ my $enable = $fail2ban_opts->{enable} ? 'true' : 'false';
+ my $maxretry = $fail2ban_opts->{maxretry};
+ my $bantime = $fail2ban_opts->{bantime} * 60; # convert minutes to seconds
+
+ my $fail2ban_filter = <<CONFIG;
+[Definition]
+failregex = pvedaemon\\[.*authentication failure; rhost=<HOST> user=.* msg=.*
+ignoreregex =
+CONFIG
+ my $filter_path = '/etc/fail2ban/filter.d/proxmox.conf';
+ PVE::Tools::file_set_contents($filter_path, $fail2ban_filter) if !-f $filter_path;
+
+
+ my $fail2ban_jail = <<CONFIG;
+[proxmox]
+enabled = $enable
+port = https,http,8006
+filter = proxmox
+logpath = /var/log/daemon.log
+maxretry = $maxretry
+bantime = $bantime
+CONFIG
+
+ my $jail_path = "/etc/fail2ban/jail.d/proxmox.conf";
+ my $current_fail2ban_jail = PVE::Tools::file_get_contents($jail_path) if -f $jail_path;
+
+ if ($current_fail2ban_jail ne $fail2ban_jail) {
+ PVE::Tools::file_set_contents($jail_path, $fail2ban_jail);
+ run_command([qw(systemctl try-reload-or-restart fail2ban.service)]);
+ }
+}
+
sub generate_nfqueue {
my ($options) = @_;
@@ -2937,6 +2995,16 @@ sub parse_alias {
return undef;
}
+sub parse_fail2ban_option {
+ my ($line) = @_;
+
+ if ($line =~ m/^(enable|maxretry|bantime):\s+(\d+)(?:\s*#.*)?$/) {
+ return ($1, int($2) // $fail2ban_option_properties->{$1}->{default});
+ } else {
+ die "error parsing fail2ban options: $line";
+ }
+}
+
sub generic_fw_config_parser {
my ($filename, $cluster_conf, $empty_conf, $rule_env) = @_;
@@ -2965,6 +3033,11 @@ sub generic_fw_config_parser {
my $prefix = "$filename (line $linenr)";
+ if ($empty_conf->{fail2ban} && ($line =~ m/^\[fail2ban\]$/i)) {
+ $section = 'fail2ban';
+ next;
+ }
+
if ($empty_conf->{options} && ($line =~ m/^\[options\]$/i)) {
$section = 'options';
next;
@@ -3046,6 +3119,13 @@ sub generic_fw_config_parser {
$res->{aliases}->{lc($data->{name})} = $data;
};
warn "$prefix: $@" if $@;
+ } elsif ($section eq 'fail2ban') {
+ my ($opt, $value) = eval { parse_fail2ban_option($line) };
+ if (my $err = $@) {
+ warn "$err";
+ next;
+ }
+ $res->{fail2ban}->{$opt} = $value;
} elsif ($section eq 'rules') {
my $rule;
eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, $res, $rule_env); };
@@ -3251,6 +3331,21 @@ my $format_options = sub {
return $raw;
};
+my $format_fail2ban = sub {
+ my ($fail2ban_options) = @_;
+
+ my $raw = '';
+
+ $raw .= "[FAIL2BAN]\n\n";
+ foreach my $opt (keys %$fail2ban_options) {
+ $raw .= "$opt: $fail2ban_options->{$opt}\n";
+ }
+ $raw .= "\n";
+
+ return $raw;
+
+};
+
my $format_aliases = sub {
my ($aliases) = @_;
@@ -3620,7 +3715,7 @@ sub load_hostfw_conf {
$filename = $hostfw_conf_filename if !defined($filename);
- my $empty_conf = { rules => [], options => {}};
+ my $empty_conf = { rules => [], options => {}, fail2ban => {}};
return generic_fw_config_parser($filename, $cluster_conf, $empty_conf, 'host');
}
@@ -3630,7 +3725,9 @@ sub save_hostfw_conf {
my $raw = '';
my $options = $hostfw_conf->{options};
+ my $fail2ban_options = $hostfw_conf->{fail2ban};
$raw .= &$format_options($options) if $options && scalar(keys %$options);
+ $raw .= &$format_fail2ban($fail2ban_options) if $fail2ban_options && scalar(keys %$fail2ban_options);
my $rules = $hostfw_conf->{rules};
if ($rules && scalar(@$rules)) {
@@ -4590,6 +4687,8 @@ sub update {
}
my $hostfw_conf = load_hostfw_conf($cluster_conf);
+ my $fail2ban_opts = $hostfw_conf->{fail2ban};
+ generate_fail2ban_config($fail2ban_opts) if scalar(keys %$fail2ban_opts);
my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = compile($cluster_conf, $hostfw_conf);
--
2.30.2
More information about the pve-devel
mailing list