fail2ban_openwrt

OpenWRT support for fail2ban with special additions of support for PPtP scan banning (optional).

It is tested on Turris OS 3.x and 5.x, which are both based on OpenWRT (the latter on OpenWRT 19.07). Works both when python 2 or python 3 are system interpreters.

Installation

If you don't already have fail2ban installed, you can try the ./install_fail2ban.sh script. It does its best to install it, but it is still possible you'd have to make some manual steps. By default, it downloads the sources to /usr/src/fail2ban. If you pass the install script an argument, it will download the sources to that destination instead.

Once fail2ban is installed, run ./install_f2b_config.sh to install the files necessary for running fail2ban under OpenWRT. You can enable automatic startup of fail2ban by calling

/etc/init.d/fail2ban enable

PPtP banning support

To get support for a PPtP server filter that bans users who failed authentication, run ./install_pptp_support.sh. Please note that it sets the ppp daemon to debug mode (by editing /etc/ppp/options.pptpd). This might result in sensitive information appearing in the system log. If you don't like this, you'll have to reconfigure your syslog, because the debug mode is essential for the pptp fail2ban filter to work.

It also configures syslog to create named pipe /var/log/ppp which collects only logs from pptpd and pppd. This pipe is then processed by a script installed to OpenWRT as fail2ban_pptp that transforms it into file /var/log/ppp.login. This is a concise log of login attempts (both successful and unsuccessful). These attempts are then given to fail2ban to extract and ban the attackers.

Usage

Start the fail2ban server with /etc/init.d/fail2ban start. It should spawn a fail2ban process and you should see some output in syslog and possibly also in /var/log/fail2ban.log.

Configuration

Fail2ban stores a database of already banned IP addresses. It is best if this file survives restarts of the router. By default, it is put in /var/lib/fail2ban/fail2ban.sqlite3. If your /var directory resides in memory only, you might want to change the config in /etc/config/fail2ban to point to a persistent place. But be aware that if your router's system is on an an eMMC flash memory, it is possibly not meant to keep often-changing files and you should rather connect an external drive and set it as the location for fail2ban database, otherwise it can destroy your router. You have been warned.

By default, fail2ban blocks traffic directed at your router. But if you e.g. collect logs from other LAN devices or virtual containers and want fail2ban to block traffic to these devices, too (in case they are reachable from Internet e.g. via port redirects or DMZ), you will need to adjust the jail config to use FORWARD chain instead of the default INPUT chain. The fail2ban jail config to set that is chain = FORWARD.

Troubleshooting

Fail2ban

If something doesn't work and the fail2ban daemon doesn't start, try running manually /usr/bin/fail2ban-server -v -xf --logtarget=sysout start to see what the problem is.

PPtP banning

Watch the contents of /var/log/ppp and /var/log/ppp.login and connect to the VPN server. There should be some content in both of these files. In /var/log/ppp.login, you should see something like:

OK pptpd PID: 1234, pppd PID: 1235, IP: 1.2.3.4, prefix: 5 Jun 13:14:15 router

You can also try running

fail2ban-regex /var/log/ppp.login /etc/fail2ban/filter.d/pptp.conf

to see whether the processed PPtP log parses correctly. It should output something like:

Running tests
=============

Use   failregex filter file : pptp, basedir: /etc/fail2ban
Use      datepattern : MON Day 24hour:Minute:Second
Use         log file : /var/log/ppp.login
Use         encoding : UTF-8


Results
=======

Failregex: 36 total
|-  #) [# of hits] regular expression
|   1) [36] ^FAIL.*IP: <HOST>,.*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [58] MON Day 24hour:Minute:Second
`-

Lines: 58 lines, 0 ignored, 36 matched, 22 missed
[processed in 0.03 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 22 lines

To see statistics of the banning, call

fail2ban-client status pptp