Hacker News new | past | comments | ask | show | jobs | submit login
Show HN: Fail2web, a fail2ban GUI (github.com)
48 points by Sean-Der on June 26, 2014 | hide | past | web | favorite | 14 comments

fail2ban is one the most under appreciated tools on small to medium Unix servers. I was first introduced to it when administering some web facing Asterisk servers (FreePBX) and was quickly impressed with its effectiveness/simplicity.

However, one of the issues I ran into was that people in the field were really frustrated by it on a day to day basis. They were accidentally getting themselves banned, and instead of unbanning themselves they would just turn fail2ban off all together. Some people didn't feel comfortable using fail2ban-client and others just felt like it took to much time.

And so fail2web was born! Fail2web gives you basic fail2ban administration abilities. You can manage bannedIPs, fail regexes and a few other per jail settings, with a lot more stuff planned in the future.

While building this I also ended up building a Go library that abstract aways fail2ban communication (https://github.com/Sean-Der/fail2go) which is used by the REST server that powers fail2web (https://github.com/Sean-Der/fail2rest). The fail2rest server could also be used for other cool projects, I am in the process of using it to distribute bans across multiple servers and using it for health checks.

The tech stack for this project also was a lot of fun using. For this project I am communicating with a long running Python process that exposes information via a socket that gives pickled output so I used the awesome library (https://github.com/kisielk/og-rek) I also had a lot of fun building the frontend in angularjs, angular-ui with browserify. In the end I was happy with all the tools I picked.


Thanks for making it. I'd like to give it a try some time. I certainly share your feeling about the awesomeness of fail2ban, as well as the slight awkwardness of interacting with it (I tried a couple of things with the client, but it felt rather awkward somehow. I'm not entirely sure why).

As a developer, the stack you're describing sounds great. As a sysadmin / devops, I'd be a little careful installing something with this level of component complexity on top of fail2ban. Ideally you'd want something very lean with as few moving parts as possible. (after all, if something goes wrong, you can end up locking yourself or your server).

I defiantly hear your concern about there being lots of moving parts. I thought about having one monolithic platform that you could drop and run to help deployment ease. But after spending some time with Kibana and Elastic Search lately I was really inspired by having things decoupled, once you have that flexibility you can do lots of cool things.

Exactly what fail2ban needed: a web UI for people to exploit.

If I could eliminate any Linux service, it would probably be fail2ban. As an SSH security measure, it's more than useless. If your SSH credentials can be brute forced, that's the problem, and it's easy to fix. Fail2ban just gives somebody a way to lock you out of your own system or to pin a core on your system by overloading it.

If you're trying to add security layers to SSH, here are some suggestions for doing so:

* fwknop (http://www.cipherdyne.org/fwknop/) -- Single Packet Auth based on GPG

* google_authenticator (https://code.google.com/p/google-authenticator/) -- PAM support for TOTP

* knockknock (https://github.com/moxie0/knockknock) -- Single Packet Auth using symmetric encryption

Add http://www.heiho.net/pam_shield/ and http://www.snafu.priv.at/mystuff/pam_recent.c to that list.

I use use some iptables voodoo with them to auto-whitelist on successful auth and blacklist on failed auth attempts.

Three things to note about google authenticator:

1. ssh keys bypass it unless you have a patched version of OpenSSH with multiauth

2. It can be configured to have you append your one time code to your password for interop with things that can't handle keyboard-interactive auth

3. It is self contained and doesn't use any google services to function.

With regard to #1, newer OpenSSH supports AuthenticationMethods, which lets you chain keys and PAM.

Ah, thanks. For a while you had to apply a patch to get that, I wasn't aware it'd be merged.

If you are in a real production environment you shouldn't be opening up SSH to the world, most people that are accessing SSH have enough know how tunnel through a VPN. So for most of my uses this is a non-issue.

fail2web for me is used on Asterisk servers to watch HTTP auth and SIP. Most of the customers I work with have very strict corporate IT policies, they have to review every piece of hardware and most of the time I can only get an ATA approved. So I drop an ATA on their network with SIP/TLS and ZRTP and they setup the client. However, I don't want to make the assumption that their network is 100% safe, so fail2ban serves me well here.

Also to your point of fail2ban being overloaded, this has never happened to me. I see scans/brute forces all the time add after five fails I usually block the small subnet, and the problem goes away.

All of the solutions you posted are 100% a no go for the problems I am trying to solve.

Yes, the reality is that "baseball" is a bad password, and ssh as root is a bad idea but getting auth.log spammed into oblivion is also a bummer. It feels like a web GUI would help less experienced sysadmins not just apt-get remove fail2ban when they get themselves locked out for the first time.

root is no worse from a security standpoint than any other user. If knowing your username helps somebody guess your password or bruteforce your key, the username isn't the problem.

Using multiple users is great from a compartmentalization / user_management standpoint, but it doesn't protect against brute-force.

I thought Fail2Ban hooked directly into iptables? How would you get locked out or overloaded?

I don't necessarily think Fail2Ban needed a GUI, but I guess I never thought it was a "bad" thing?

It uses iptables, but it detects things to block by reading log files, and it's not exactly efficient in doing so. As such, if an attacker can pump lines in (like by having their botnet SSH to your system), they can get it to spin a core.

So this looks like it will be pretty neat. I have it compiled and running. It seems to be mostly working. I did run into some issues.

Like for instance, in the bundle.js file there is a line of code that has this "$window.location.origin + '/config.json'"

the window.location.origin is not supported in IE. You may want to add something like this to your javascript for IE support:

if (!window.location.origin) { window.location.origin = window.location.protocol + "//" + window.location.hostname + (window.location.port ? ':' + window.location.port: ''); }

Also, when I try to add an IP to ban, I am getting an error "Unable to get property 'indexOf' of undefined or null reference".

After looking at it, it looks like I'm getting an empty IPList from the fail2rest api.

So the code dies here "activeJail.data.IPList.indexOf(ipAddress) === -1" since the IPList is null. Maybe I have something misconfigured for the fail2rest, but I'm am not currently sure yet.

Also, the adding and deleting of regexes does work fine! :)

UPDATE: Looks like my updates are not working, but the reading of the config file is working. I'm thinking it might be something with my fail2rest...

Nice! I will have to give it a go sometime. unbanning from fail2ban is always a pain.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact