
Show HN: Fail2web, a fail2ban GUI - Sean-Der
https://github.com/Sean-Der/fail2web
======
Sean-Der
fail2ban is one of the most underappreciated tools on small to medium Unix
servers. I was first introduced to it when administering some web-facing
Asterisk servers (FreePBX) and was quickly impressed with its
effectiveness/simplicity.

However, one of the issues I ran into was that people in the field were really
frustrated by it on a day-to-day basis. They were accidentally getting
themselves banned, and instead of unbanning themselves they would just turn
fail2ban off altogether. Some people didn't feel comfortable using
fail2ban-client and others just felt like it took too much time.

And so fail2web was born! Fail2web gives you basic fail2ban administration
abilities. You can manage bannedIPs, fail regexes and a few other per jail
settings, with a lot more stuff planned in the future.

While building this I also ended up building a Go library that abstracts away
fail2ban communication
([https://github.com/Sean-Der/fail2go](https://github.com/Sean-Der/fail2go)),
which is used by the REST server that powers fail2web
([https://github.com/Sean-Der/fail2rest](https://github.com/Sean-Der/fail2rest)).
The fail2rest server could also be used for other cool projects; I am in the
process of using it to distribute bans across multiple servers and using it
for health checks.

The tech stack for this project was also a lot of fun to use. For this project
I am communicating with a long-running Python process that exposes information
via a socket that gives pickled output, so I used the awesome library
([https://github.com/kisielk/og-rek](https://github.com/kisielk/og-rek)). I
also had a lot of fun building the frontend in angularjs, angular-ui with
browserify. In the end I was happy with all the tools I picked.

Thanks!

~~~
gingerlime
Thanks for making it. I'd like to give it a try some time. I certainly share
your feeling about the awesomeness of fail2ban, as well as the slight
awkwardness of interacting with it (I tried a couple of things with the
client, but it felt rather awkward somehow. I'm not entirely sure why).

As a developer, the stack you're describing sounds great. As a sysadmin /
devops, I'd be a little careful installing something with this level of
component complexity on top of fail2ban. Ideally you'd want something very
lean with as few moving parts as possible. (after all, if something goes
wrong, you can end up locking yourself or your server).

~~~
Sean-Der
I definitely hear your concern about there being lots of moving parts. I
thought about having one monolithic platform that you could drop and run to
help ease deployment. But after spending some time with Kibana and Elastic
Search lately I was really inspired by having things decoupled; once you have
that flexibility you can do lots of cool things.

------
akerl_
Exactly what fail2ban needed: a web UI for people to exploit.

If I could eliminate any Linux service, it would probably be fail2ban. As an
SSH security measure, it's more than useless. If your SSH credentials can be
brute forced, that's the problem, and it's easy to fix. Fail2ban just gives
somebody a way to lock you out of your own system or to pin a core on your
system by overloading it.

If you're trying to add security layers to SSH, here are some suggestions for
doing so:

* fwknop ([http://www.cipherdyne.org/fwknop/](http://www.cipherdyne.org/fwknop/)) -- Single Packet Auth based on GPG

* google_authenticator ([https://code.google.com/p/google-authenticator/](https://code.google.com/p/google-authenticator/)) -- PAM support for TOTP

* knockknock ([https://github.com/moxie0/knockknock](https://github.com/moxie0/knockknock)) -- Single Packet Auth using symmetric encryption

~~~
ChikkaChiChi
I thought Fail2Ban hooked directly into iptables? How would you get locked out
or overloaded?

I don't necessarily think Fail2Ban needed a GUI, but I guess I never thought
it was a "bad" thing?

~~~
akerl_
It uses iptables, but it detects things to block by reading log files, and
it's not exactly efficient in doing so. As such, if an attacker can pump lines
in (like by having their botnet SSH to your system), they can get it to spin a
core.

------
djengineerllc
So this looks like it will be pretty neat. I have it compiled and running. It
seems to be mostly working. I did run into some issues.

Like for instance, in the bundle.js file there is a line of code that has this:
"$window.location.origin + '/config.json'"

window.location.origin is not supported in IE. You may want to add
something like this to your JavaScript for IE support:

    // Fallback for browsers that lack window.location.origin (e.g. IE)
    if (!window.location.origin) {
      window.location.origin = window.location.protocol + "//" +
        window.location.hostname +
        (window.location.port ? ':' + window.location.port : '');
    }

Also, when I try to add an IP to ban, I am getting an error "Unable to get
property 'indexOf' of undefined or null reference".

After looking at it, it looks like I'm getting an empty IPList from the
fail2rest api.

So the code dies here "activeJail.data.IPList.indexOf(ipAddress) === -1" since
the IPList is null. Maybe I have something misconfigured for the fail2rest,
but I'm not currently sure yet.

Also, the adding and deleting of regexes does work fine! :)

UPDATE: Looks like my updates are not working, but the reading of the config
file is working. I'm thinking it might be something with my fail2rest...
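
Added example (not part of the comment above and not code from fail2web): one way the ban action could tolerate the null IPList and the missing `location.origin` reported here. The names `originOf`, `isIPv4` and `planBan` are hypothetical, the jail shape `{data: {IPList: [...]}}` is taken from the expression quoted in the comment, and IPv4-only bans are an assumption.

```javascript
// Hypothetical helpers; not taken from fail2web's bundle.js.

// Build the origin from a Location-like object without relying on
// location.origin, which older IE versions do not provide.
function originOf(loc) {
  if (loc.origin) return loc.origin;
  return loc.protocol + '//' + loc.hostname + (loc.port ? ':' + loc.port : '');
}

// Strict dotted-quad check: four decimal octets, 0-255, no leading zeros.
// Assumption: only IPv4 addresses are banned through the UI.
function isIPv4(s) {
  if (typeof s !== 'string') return false;
  const parts = s.split('.');
  return parts.length === 4 && parts.every(function (p) {
    return /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255;
  });
}

// Decide what the "ban IP" action should do. A null or missing IPList is
// treated as "nothing banned yet" instead of throwing on indexOf, and
// anything that is not a plain IPv4 address is rejected before it is sent
// to the REST API (the server must still validate it as well).
function planBan(activeJail, ipAddress) {
  const data = (activeJail && activeJail.data) || {};
  const banned = Array.isArray(data.IPList) ? data.IPList : [];
  if (!isIPv4(ipAddress)) {
    return { action: 'reject', reason: 'not an IPv4 address' };
  }
  if (banned.indexOf(ipAddress) !== -1) {
    return { action: 'skip', reason: 'already banned' };
  }
  return { action: 'ban', ip: ipAddress };
}

// Constructed sample inputs (documentation address ranges).
const emptyJail = { data: { IPList: null } };
const busyJail = { data: { IPList: ['203.0.113.7'] } };
console.log(planBan(emptyJail, '198.51.100.4'));
console.log(planBan(busyJail, '203.0.113.7'));
console.log(planBan(busyJail, '203.0.113.7 extra'));
console.log(originOf({ protocol: 'https:', hostname: 'f2w.example', port: '8443' }));
```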

------
bhhaskin
Nice! I will have to give it a go sometime. Unbanning from fail2ban is always
a pain.

