LibreELEC, linuxserver/letsencrypt and fail2ban

  • Doesn't seem to work out-of-the-box with VERSION="9.0.2" since the iptables used in LibreElec is missing the 'multiport' extension used by default with the supplied jail.conf

    Have not checked if the issue is still present in the latest version 9.2 or other architectures. 

    (Should be the same as # docker exec -it docker.linuxserver.letsencrypt cat /proc/net/ip_tables_matches)

    The 'multiport' extension is missing, so by default fail2ban won't be able to set up the filters.

    ~/.kodi/userdata/addon_data/docker.linuxserver.letsencrypt/config/log/fail2ban/fail2ban.log:

    Code
    2020-02-11 18:08:36,083 fail2ban.utils          [359]: #39-Lev. 767fd320 -- exec: iptables -w -N f2b-nginx-botsearch
    iptables -w -A f2b-nginx-botsearch -j RETURN
    iptables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-botsearch
    2020-02-11 18:08:36,085 fail2ban.utils          [359]: ERROR   767fd320 -- stderr: 'iptables: Chain already exists.'
    2020-02-11 18:08:36,085 fail2ban.utils          [359]: ERROR   767fd320 -- stderr: "iptables v1.8.3 (legacy): Couldn't load match `multiport':No such file or directory"

    A solution is to change the default action in ~/.kodi/userdata/addon_data/docker.linuxserver.letsencrypt/config/fail2ban/action.d/pf.conf
    from multiport to allports:

    actiontype = <multiport>

    can be set to:

    actiontype = <allports>

    DON'T MODIFY pf.conf, just copy it to pf.local and make the changes there instead, which will override the default.

    Also add to each jail in ~/.kodi/userdata/addon_data/docker.linuxserver.letsencrypt/config/fail2ban/jail.local:

    action = iptables-allports

    Test it by adding some bot IP to ban with:

    Code
    # docker exec -it docker.linuxserver.letsencrypt fail2ban-client set nginx-botsearch banip 106.12.5.21
    # docker exec -it docker.linuxserver.letsencrypt fail2ban-client set nginx-botsearch banip 111.229.116.157

    And check that now the iptables rules are created:

    Another issue I found is that the linuxserver/letsencrypt container seems to be missing the pfctl utility used with other actions.

    Code
    2020-02-11 19:29:14,570 fail2ban.utils          [360]: #39-Lev. 767d9638 -- exec: echo "table <f2b-nginx-http-auth> persist counters" | pfctl -a f2b/nginx-http-auth -f-
    port="http,https"; if [ "$port" != "" ] && case "$port" in \{*) false;; esac; then port="{$port}"; fi
    echo "block quick proto tcp from <f2b-nginx-http-auth> to any" | pfctl -a f2b/nginx-http-auth -f-
    2020-02-11 19:29:14,574 fail2ban.utils          [360]: ERROR   767d9638 -- stderr: '/bin/sh: pfctl: not found'
    2020-02-11 19:29:14,575 fail2ban.utils          [360]: ERROR   767d9638 -- stderr: '/bin/sh: pfctl: not found'
    2020-02-11 19:29:14,576 fail2ban.utils          [360]: ERROR   767d9638 -- returned 127
    2020-02-11 19:29:14,576 fail2ban.utils          [360]: INFO    HINT on 127: "Command not found".  Make sure that all commands in 'echo "table <f2b-nginx-http-auth> persist counters" | pfctl -a f2b/nginx-http-auth -f-\nport="http,https"; if [ "$port" != "" ] && case "$port" in \\{*) false;; esac; then port="{$port}"; fi\necho "block quick proto tcp from <f2b-nginx-http-auth> to any" | pfctl -a f2b/nginx-http-auth -f-' are in the PATH of fail2ban-server process (grep -a PATH= /proc/`pidof -x fail2ban-server`/environ). You may want to start "fail2ban-server -f" separately, initiate it with "fail2ban-client reload" in another shell session and observe if additional informative error messages appear in the terminals.
    2020-02-11 19:29:14,577 fail2ban.actions        [360]: ERROR   Failed to start jail 'nginx-http-auth' action 'pf': Error starting action Jail('nginx-http-auth')/pf

    Edited 2 times, last by librero (February 11, 2020 at 9:07 PM).
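    As an added example (not part of the post above), a small POSIX shell helper that applies the same workaround: it checks the kernel's iptables match list for `multiport`, the match the log shows as missing, and writes a jail.local that pins the named jails to iptables-allports (or iptables-multiport when the match does exist). File paths are parameters and the match list used in the demo is constructed, so it can be tried without touching the real container config.

```shell
#!/bin/sh
# Added example, not from the thread: choose a fail2ban ban action the running
# kernel can support, then write the jail.local override the post describes.

# Print "multiport" if the kernel exposes that iptables match extension
# (a line "multiport" in ip_tables_matches), otherwise "allports".
# The file path is a parameter so a constructed sample can be checked.
pick_actiontype() {
    matches_file="${1:-/proc/net/ip_tables_matches}"
    if [ -r "$matches_file" ] && grep -qx 'multiport' "$matches_file"; then
        echo multiport
    else
        echo allports
    fi
}

# Write (overwrite) a jail.local that sets action = iptables-<actiontype>
# for each jail name given. iptables-allports and iptables-multiport are both
# stock fail2ban actions; jail.conf itself is left untouched.
write_jail_local() {
    out="$1"
    actiontype="$2"
    shift 2
    : > "$out"
    for jail in "$@"; do
        printf '[%s]\naction = iptables-%s\n\n' "$jail" "$actiontype" >> "$out"
    done
}

# Count the jails in a jail.local that were pinned to iptables-allports,
# a quick check before restarting the container.
count_allports_jails() {
    grep -c '^action = iptables-allports$' "$1"
}

# Stand-alone demo against a constructed match list that lacks multiport,
# like the LibreELEC 9.0.2 kernel in the log above.
demo() {
    tmp=$(mktemp -d)
    printf 'tcp\nudp\nicmp\nconntrack\nstate\n' > "$tmp/ip_tables_matches"
    type=$(pick_actiontype "$tmp/ip_tables_matches")
    write_jail_local "$tmp/jail.local" "$type" nginx-botsearch nginx-http-auth
    echo "chosen actiontype: $type"
    cat "$tmp/jail.local"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument `demo` to see the generated jail.local; pointing `pick_actiontype` at the real /proc/net/ip_tables_matches inside the container (via docker exec) shows what the LibreELEC kernel actually offers.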

  • Good find and great write up. Perhaps the multiport extension can be added to Libreelec.

    I'll look into the pfctl issue, but the nginx http auth jail is working fine on other systems

  • I'll look into the pfctl issue, but the nginx http auth jail is working fine on other systems

    With the default action it seems that isn't used. That it was missing I think was found when I tried:

    banaction = pf[actiontype=<allports>]

    Not sure if currently packet filter can even be enabled. So other more advanced custom filters using pf directly won't be possible either.

    From action.d/pf.conf:

    Code
    # we don't enable PF automatically; to enable run pfctl -e 
    # or add `pf_enable="YES"` to /etc/rc.conf (tested on FreeBSD)
  • With the default action it seems that isn't used. That it was missing I think was found when I tried:

    banaction = pf[actiontype=<allports>]

    Not sure if currently packet filter can even be enabled. So other more advanced custom filters using pf directly won't be possible either.

    From action.d/pf.conf:

    Code
    # we don't enable PF automatically; to enable run pfctl -e 
    # or add `pf_enable="YES"` to /etc/rc.conf (tested on FreeBSD)

    Afaik pfctl is an OpenBSD tool. I doubt it's available on Linux.