Doesn't seem to work out-of-the-box with VERSION="9.0.2", since the iptables used in LibreELEC is missing the 'multiport' extension used by default with the supplied jail.conf.
I have not checked if the issue is still present in the latest version 9.2 or on other architectures.
# cat /etc/os-release
NAME="LibreELEC"
VERSION="9.0.2"
ID="libreelec"
VERSION_ID="9.0"
PRETTY_NAME="LibreELEC (official): 9.0.2"
HOME_URL="https://libreelec.tv"
BUG_REPORT_URL="https://github.com/LibreELEC/LibreELEC.tv"
BUILD_ID="301789032e264eac90589cdf0c094c557cec43fb"
OPENELEC_ARCH="RPi2.arm"
LIBREELEC_ARCH="RPi2.arm"
LIBREELEC_BUILD="official"
LIBREELEC_PROJECT="RPi"
LIBREELEC_DEVICE="RPi2"
# iptables -V
iptables v1.8.2 (legacy)
# lsmod | grep x_tables
x_tables 24576 8 ipt_REJECT,xt_nat,ip_tables,iptable_filter,xt_tcpudp,ipt_MASQUERADE,xt_addrtype,xt_conntrack
# cat /proc/net/ip_tables_matches
addrtype
conntrack
conntrack
conntrack
udplite
udp
tcp
addrtype
icmp
(Should be the same as # docker exec -it docker.linuxserver.letsencrypt cat /proc/net/ip_tables_matches)
The 'multiport' extension is missing, so by default fail2ban won't be able to set up the filters.
~/.kodi/userdata/addon_data/docker.linuxserver.letsencrypt/config/log/fail2ban/fail2ban.log:
2020-02-11 18:08:36,083 fail2ban.utils [359]: #39-Lev. 767fd320 -- exec: iptables -w -N f2b-nginx-botsearch
iptables -w -A f2b-nginx-botsearch -j RETURN
iptables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-botsearch
2020-02-11 18:08:36,085 fail2ban.utils [359]: ERROR 767fd320 -- stderr: 'iptables: Chain already exists.'
2020-02-11 18:08:36,085 fail2ban.utils [359]: ERROR 767fd320 -- stderr: "iptables v1.8.3 (legacy): Couldn't load match `multiport':No such file or directory"
A solution is to change the default action in ~/.kodi/userdata/addon_data/docker.linuxserver.letsencrypt/config/fail2ban/action.d/pf.conf
from multiport to allports:
actiontype = <multiport>
can be set to:
actiontype = <allports>
DON'T MODIFY pf.conf, just copy it to pf.local and make the changes there instead, which will override the default.
Also add to each jail in ~/.kodi/userdata/addon_data/docker.linuxserver.letsencrypt/config/fail2ban/jail.local:
action = iptables-allports
Test it by adding some bot IPs to ban with:
# docker exec -it docker.linuxserver.letsencrypt fail2ban-client set nginx-botsearch banip 106.12.5.21
# docker exec -it docker.linuxserver.letsencrypt fail2ban-client set nginx-botsearch banip 111.229.116.157
and check that the iptables rules are now created:
# docker exec -it docker.linuxserver.letsencrypt iptables -L -nv --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 4 219 f2b-nginx-botsearch tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain f2b-nginx-botsearch (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 111.229.116.157 0.0.0.0/0 reject-with icmp-port-unreachable
2 0 0 REJECT all -- * * 106.12.5.21 0.0.0.0/0 reject-with icmp-port-unreachable
3 4 219 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Another issue I found is that the linuxserver/letsencrypt container seems to be missing the pfctl utility used by other actions.
2020-02-11 19:29:14,570 fail2ban.utils [360]: #39-Lev. 767d9638 -- exec: echo "table <f2b-nginx-http-auth> persist counters" | pfctl -a f2b/nginx-http-auth -f-
port="http,https"; if [ "$port" != "" ] && case "$port" in \{*) false;; esac; then port="{$port}"; fi
echo "block quick proto tcp from <f2b-nginx-http-auth> to any" | pfctl -a f2b/nginx-http-auth -f-
2020-02-11 19:29:14,574 fail2ban.utils [360]: ERROR 767d9638 -- stderr: '/bin/sh: pfctl: not found'
2020-02-11 19:29:14,575 fail2ban.utils [360]: ERROR 767d9638 -- stderr: '/bin/sh: pfctl: not found'
2020-02-11 19:29:14,576 fail2ban.utils [360]: ERROR 767d9638 -- returned 127
2020-02-11 19:29:14,576 fail2ban.utils [360]: INFO HINT on 127: "Command not found". Make sure that all commands in 'echo "table <f2b-nginx-http-auth> persist counters" | pfctl -a f2b/nginx-http-auth -f-\nport="http,https"; if [ "$port" != "" ] && case "$port" in \\{*) false;; esac; then port="{$port}"; fi\necho "block quick proto tcp from <f2b-nginx-http-auth> to any" | pfctl -a f2b/nginx-http-auth -f-' are in the PATH of fail2ban-server process (grep -a PATH= /proc/`pidof -x fail2ban-server`/environ). You may want to start "fail2ban-server -f" separately, initiate it with "fail2ban-client reload" in another shell session and observe if additional informative error messages appear in the terminals.
2020-02-11 19:29:14,577 fail2ban.actions [360]: ERROR Failed to start jail 'nginx-http-auth' action 'pf': Error starting action Jail('nginx-http-auth')/pf
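Added example (my own script, not part of the post above or of the linuxserver image): a small POSIX shell helper that reads the kernel's match list in the format of /proc/net/ip_tables_matches, picks `iptables-multiport` when the `multiport` match is present and `iptables-allports` otherwise, and emits a jail.local fragment for the named jails. The sample match lists and the jail names are constructed for the demo; on a real box you would point `choose_banaction` at /proc/net/ip_tables_matches on the LibreELEC host (the container shares the host kernel, so the list is the same inside it).

```shell
#!/bin/sh
# Example added to this thread; not code from the original post or from linuxserver.
# Chooses a fail2ban banaction based on which xtables match extensions the kernel exposes.

# has_match NAME FILE: exit 0 if NAME appears as a whole line in FILE
# (FILE uses the one-name-per-line format of /proc/net/ip_tables_matches).
has_match() {
    grep -qx "$1" "$2"
}

# choose_banaction FILE: print the banaction to use with this kernel.
# iptables-multiport needs the 'multiport' match; iptables-allports does not.
choose_banaction() {
    if has_match multiport "$1"; then
        echo iptables-multiport
    else
        echo iptables-allports
    fi
}

# write_jail_local FILE JAIL...: print a jail.local fragment that sets the
# banaction globally and overrides 'action' per jail, as the post suggests.
write_jail_local() {
    chosen=$(choose_banaction "$1")
    shift
    printf '[DEFAULT]\nbanaction = %s\n' "$chosen"
    for jail in "$@"; do
        printf '\n[%s]\nenabled = true\naction = %s\n' "$jail" "$chosen"
    done
}

# Constructed sample 1: the LibreELEC 9.0.2 list from the post (no multiport).
SAMPLE_NO_MULTIPORT=$(mktemp)
cat > "$SAMPLE_NO_MULTIPORT" <<'EOF'
addrtype
conntrack
udplite
udp
tcp
icmp
EOF

# Constructed sample 2: a kernel with the multiport match loaded (hypothetical).
SAMPLE_WITH_MULTIPORT=$(mktemp)
cat > "$SAMPLE_WITH_MULTIPORT" <<'EOF'
addrtype
conntrack
multiport
tcp
udp
icmp
EOF

echo "LibreELEC 9.0.2 sample -> $(choose_banaction "$SAMPLE_NO_MULTIPORT")"
echo "multiport sample      -> $(choose_banaction "$SAMPLE_WITH_MULTIPORT")"
echo
echo "jail.local fragment for the 9.0.2 sample:"
write_jail_local "$SAMPLE_NO_MULTIPORT" nginx-botsearch nginx-http-auth

# Live check on the current kernel, if the proc file is readable here.
if [ -r /proc/net/ip_tables_matches ]; then
    echo
    echo "this kernel -> $(choose_banaction /proc/net/ip_tables_matches)"
fi
```

Caveat worth keeping in mind when you fall back to `iptables-allports`: that action inserts its rule with `-p tcp` and no `--dports`, so a banned address loses access to every TCP port on the host, not just http/https, until the bantime expires.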