introduction
Some command line tools, mostly under Linux.
fail2ban
introduction
fail2ban is a program that bans IP addresses from a server when too many login attempts fail (the defaults in jail.conf are maxretry = 5 failures within findtime = 10m, banned for bantime = 10m). Of course mistyping your own password triggers this too, so here is how you free up your IP address again when that happens. Here is a real example:
| example | |
|---|---|
You can list which addresses are currently banned with:
| blocked ips | |
|---|---|
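As an added example (not part of the original notes), a small shell helper that reads the output of fail2ban-client status <jail>, lists the banned addresses and unbans one only if it really is in the list, so a typo does not silently do nothing. The status text is constructed to match the 1.0.x layout and uses documentation addresses; fail2ban-client set <jail> unbanip <ip> is the real unban command. FAIL2BAN_CLIENT is a variable introduced here so the helper can be exercised with a stub when no fail2ban is running.

```shell
#!/bin/sh
# Added example: list the banned addresses of a jail and unban one of them.
# Constructed sample of `fail2ban-client status sshd` (1.0.x layout, documentation addresses).
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     137
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 3
   |- Total banned:     41
   `- Banned IP list:   203.0.113.7 198.51.100.23 2001:db8::1'

# Print the banned addresses from status output on stdin, one per line.
banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# Exit 0 if address $1 appears in the status output on stdin.
is_banned() {
    banned_ips | grep -qxF -- "$1"
}

# The real client; override with a stub to try this without a running fail2ban.
FAIL2BAN_CLIENT=${FAIL2BAN_CLIENT:-fail2ban-client}

# Unban address $2 from jail $1, but only if it is really banned there.
unban() {
    if "$FAIL2BAN_CLIENT" status "$1" | is_banned "$2"; then
        "$FAIL2BAN_CLIENT" set "$1" unbanip "$2"
    else
        echo "$2 is not banned in jail $1" >&2
        return 1
    fi
}

# Offline:  printf '%s\n' "$SAMPLE_STATUS" | banned_ips
# Live:     unban sshd 203.0.113.7
```

On a live box the same two commands are fail2ban-client status sshd and fail2ban-client set sshd unbanip <ip>; the helper just adds the "is it actually banned?" check around them.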
debian 12
Note that on a fresh install fail2ban-client failed with:
fail2ban-client status
2025-04-18 10:41:30,325 fail2ban [227409]: ERROR Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?
The socket error only says that the fail2ban server is not running. On Debian 12 the usual reason is that the sshd jail wants to read /var/log/auth.log, which no longer exists because rsyslog is not installed by default, so the server exits at startup. This is easily fixed by telling the sshd jail to read the systemd journal instead (fail2ban-client start launches the daemon outside of systemd; systemctl restart fail2ban does the same but keeps it under systemd's control):
sudo su
echo "sshd_backend = systemd" >> /etc/fail2ban/paths-debian.conf
fail2ban-client start
fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
Fail2ban does not seem to show IPv6 addresses, maybe because it does not get attacked over IPv6? (fail2ban has banned IPv6 addresses since 0.10, so an empty v6 list normally just means no IPv6 failures were logged.)
On Debian 12 (hoek) I now have a working toolset with nftables + fail2ban + ufw.
ufw
You can reach your local workstation from a specific remote host by allowing connections from that host with ufw. For instance:
You get one address from strato, so just allow that one address on hoek:
hoek# ufw allow from 1111:2222:3333:4444::1/128
hoek# ufw status
To Action From
-- ------ ----
Anywhere ALLOW 192.168.1.0/24
Anywhere (v6) ALLOW fe80::/64
Anywhere (v6) ALLOW 1111:2222:3333:4444::1
Now you can ssh into the local workstation from the strato machine only, and of course from the internal network. This also works for the broker program. We could allow specific addresses to connect to the broker, but that is a lot of manual work. What if we allow any address, but only for the broker port (7002)?
ufw allow 7002
To Action From
-- ------ ----
Anywhere ALLOW 192.168.1.0/24
7002 ALLOW Anywhere
Anywhere (v6) ALLOW fe80::/64
7002 (v6) ALLOW Anywhere (v6)
So this allows both IPv4 and IPv6 (and, since no protocol was given, both TCP and UDP; ufw allow 7002/tcp would restrict it to TCP). Maybe we should remove IPv4 again?
Now ssh to the address fails, but client.c works. The broker port is now reachable from the whole internet, so we need to provide authentication.
Maybe this will work ? :
It would be good to make a broker that does ask for credentials and logs bad requests, so that fail2ban can put the offenders in jail. Also log every connection attempt, to see whether anyone else tries to connect.
/var/log/auth.log (obsolete ?)
This information is probably outdated, but may come in handy if you come across older systems. On Debian 12 (hoek, dell[X] and the strato machines) fail2ban just works without this, using the systemd backend.
Fail2ban uses the /var/log/auth.log file to recognize sshd login attempts, but on Debian 12 that file is no longer there by default because rsyslog is not installed. Installing rsyslog brings it back:
sudo apt-get install rsyslog
sudo systemctl restart fail2ban
# test with systemctl status or :
sudo fail2ban-client status
archlinux
Arch Linux installs an older iptables (1.8 legacy). On this system that version did not accept the -w (wait for the xtables lock) option, so disable locking by editing /etc/fail2ban/action.d/iptables-common.conf: in the [Init] section look for the lockingopt option (it defaults to -w) and empty it, adding the option if it is not there yet:
This fixes the problem where you get weird errors in the fail2ban log like these:
| for these errors | |
|---|---|
You will see that the command given contains a -w option, which must be removed because this iptables build does not accept it.
Since you also need to enable all jails manually, also add these two files:
| setup | |
|---|---|
The given IP is that of transip; add more if you need. Then restart fail2ban and monitor the log file:
| tail fail2ban log | |
|---|---|
permanent bans
Bans that survive a restart (kept in an sqlite database; a ban is made permanent with bantime = -1) were implemented in version 0.9, while Debian still offered 0.8. When upgrading you might end up with a stack trace ending in "Broken pipe" after running fail2ban-client.
Do not forget to stop fail2ban during the installation step; the old server still running is probably what causes the stack trace dump after every fail2ban-client call.
The way to do this is (0.9.4 was stable at the time):
| permanent bans | |
|---|---|
Now it should be alright, and a database file should have been created at /var/lib/fail2ban/fail2ban.sqlite3
ignore ip's
Note that you can exempt your own IP by adding it to the ignoreip line, preferably in /etc/fail2ban/jail.local rather than jail.conf (jail.conf is overwritten on package upgrades):
| exclude your own ip | |
|---|---|
But use a space as separator: on these 0.8/0.9 versions, if you use a comma, fail2ban will just not work! (0.10 and later also accept commas.)
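As an added example (not from the original notes), the settings discussed in the Debian 12, permanent bans and ignoreip sections collected into one jail.local, written by a small shell function together with a check for the comma-vs-space ignoreip gotcha. F2B_DIR is a variable introduced here so the file can be written to a scratch directory; 203.0.113.7 is a placeholder for your own address. fail2ban-client -t (0.10 and later) dry-runs the resulting configuration.

```shell
#!/bin/sh
# Added example: a jail.local with the settings from these notes, plus an ignoreip check.
# F2B_DIR defaults to the real config dir; override it to try this in a scratch directory.
F2B_DIR=${F2B_DIR:-/etc/fail2ban}

write_jail_local() {
    cat > "$F2B_DIR/jail.local" <<'EOF'
# Local overrides: jail.conf is replaced on package upgrades, jail.local is not.
[DEFAULT]
# Space separated (0.8/0.9 break on commas). 203.0.113.7 stands for your own address.
ignoreip = 127.0.0.1/8 ::1 203.0.113.7
# The jail.conf defaults, written out: 5 failures within 600 s, banned for 600 s.
findtime = 600
maxretry = 5
bantime = 600

[sshd]
enabled = true
# Debian 12 ships no /var/log/auth.log unless rsyslog is installed: read the journal.
backend = systemd
# -1 = permanent; bans are kept in /var/lib/fail2ban/fail2ban.sqlite3 (0.9 and later).
bantime = -1
EOF
}

# Refuse an ignoreip line that uses commas: on 0.8/0.9 that makes fail2ban not work at all.
check_ignoreip() {
    if grep -E '^[[:space:]]*ignoreip[[:space:]]*=.*,' "$1" >/dev/null; then
        echo "$1: ignoreip must be space separated" >&2
        return 1
    fi
}

# Live system: write_jail_local && check_ignoreip "$F2B_DIR/jail.local" && fail2ban-client -t
```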
Stopping all jails message
In the /var/log/fail2ban.log file
This is what happened on 20 Sep 2017 on the Contabo machine. It looked like a hack where someone flushed all fail2ban bans: first the message about Stopping all jails, followed by hundreds of 'Unban' lines flushing all the bans built up.
However, checking the same time in /var/log/syslog showed that someone had powered the machine off. It was NOT me, so something must have gone wrong at Contabo; maybe they stopped it because of attacks.
Anyway, stopping the machine does produce exactly what was seen: Stopping all jails followed by a list of Unban messages. It does not have to be a hack!
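As an added example (not from the original notes), the check described above as a small shell script: for every "Stopping all jails" line in fail2ban.log it looks whether syslog shows a shutdown in the same minute, and it counts the Unban lines that make up the flush. Both log excerpts are constructed (fail2ban 0.9/0.10 line format, a systemd-logind "Power key pressed" line for the power-off, documentation addresses); the hostname contabo is an assumption.

```shell
#!/bin/sh
# Added example: tell a shutdown-induced "Stopping all jails" from an unexplained ban flush.
# Constructed fail2ban.log excerpt (0.9/0.10 line format, documentation addresses).
F2B_LOG='2017-09-20 03:14:07,120 fail2ban.server         [812]: INFO    Stopping all jails
2017-09-20 03:14:07,131 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.7
2017-09-20 03:14:07,140 fail2ban.actions        [812]: NOTICE  [sshd] Unban 198.51.100.23
2017-09-20 03:14:07,152 fail2ban.actions        [812]: NOTICE  [sshd] Unban 192.0.2.44'

# Constructed /var/log/syslog excerpt from the same minute, showing a power-off.
SYSLOG='Sep 20 03:14:05 contabo systemd-logind[640]: Power key pressed.
Sep 20 03:14:05 contabo systemd[1]: Stopping Fail2Ban Service...
Sep 20 03:14:08 contabo systemd[1]: Stopped Fail2Ban Service.'

# Minute key ("MM-DD HH:MM") of every "Stopping all jails" line on stdin.
stop_minutes() {
    awk '/Stopping all jails/ { split($1, d, "-"); print d[2] "-" d[3] " " substr($2, 1, 5) }'
}

# Minute key of every shutdown-related syslog line on stdin, in the same format.
shutdown_minutes() {
    awk 'BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", n, " ");
                 for (i = 1; i <= 12; i++) m[n[i]] = sprintf("%02d", i) }
         /Power key pressed|Stopping Fail2Ban Service|Stopped target|shutdown|reboot/ {
             printf "%s-%02d %s\n", m[$1], $2, substr($3, 1, 5) }'
}

# Number of Unban lines in fail2ban.log $1: a flush unbans everything at once.
unban_count() { grep -c ' Unban ' "$1"; }

# For each jail stop in fail2ban.log $1, report whether syslog $2 shows a shutdown
# in the same minute ("shutdown-related") or not ("unexplained flush").
classify_jail_stops() {
    shutdowns=$(shutdown_minutes < "$2")
    stop_minutes < "$1" | while read -r minute; do
        if printf '%s\n' "$shutdowns" | grep -qxF -- "$minute"; then
            echo "$minute shutdown-related"
        else
            echo "$minute unexplained flush"
        fi
    done
}

# Live system: classify_jail_stops /var/log/fail2ban.log /var/log/syslog
```

An "unexplained flush" result is the case worth investigating: fail2ban only logs Stopping all jails when the server shuts down, so a stop with no matching system event means someone or something stopped the service itself.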
eval
eval has no man page because it is a shell builtin, but help eval in bash gives:
eval: eval [arg ...]
Execute arguments as a shell command.
Combine ARGs into a single string, use the result as input to the shell,
and execute the resulting commands.
Exit Status:
Returns exit status of command or success if command is null.
So it evaluates a string as a command. An example:
The main difference is between line #2 and line #5: eval does not only construct $foo, but evaluates its contents.
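As an added example (not the original notes' own), a short script showing the difference between plain expansion and eval, and the consequence a practitioner should keep in mind: whatever ends up in the eval'd string is parsed as shell code, so an indirect variable lookup built with eval is a command injection unless the name is validated first. Variable and function names (foo, bar, indirect_unsafe, indirect_safe) are chosen here for illustration.

```shell
#!/bin/sh
# Added example: what eval adds on top of ordinary expansion, and why that is dangerous.
bar=hello
foo='$bar'

expand_only() { echo "$foo"; }        # one expansion pass: prints the text $bar
expand_eval() { eval "echo $foo"; }   # eval re-parses "echo $bar": prints hello

# A command stored in a string, with a quoted argument that contains a space.
count_args() { echo "$#"; }
cmd='count_args "two words" three'
args_plain() { $cmd; }        # word splitting only, the quotes stay literal: 3 arguments
args_eval()  { eval "$cmd"; } # the quotes are parsed again: 2 arguments

# Indirect lookup of a variable by name. With name='bar; echo PWNED' the string
# handed to eval becomes `echo $bar; echo PWNED` and the second command runs too.
indirect_unsafe() { eval "echo \$$1"; }

# Same lookup, but only after checking that the name is a plain identifier,
# so it cannot smuggle in shell syntax.
indirect_safe() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "refusing variable name: $1" >&2; return 1 ;;
    esac
    eval "echo \"\$$1\""
}
```

The rule of thumb that follows: never eval a string that contains anything an attacker can influence, and if you must build commands dynamically, validate each piece against an allow-list of characters (as indirect_safe does) rather than trying to quote it.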
cal or gcal
Since bullseye, cal is no longer installed as a standard tool. Install gcal, which seems to do exactly the same (the ncal package provides the traditional cal if you prefer that).