{"id":231,"date":"2025-03-06T19:05:52","date_gmt":"2025-03-06T18:05:52","guid":{"rendered":"https:\/\/sensimedia.org\/?p=231"},"modified":"2025-03-07T08:44:20","modified_gmt":"2025-03-07T07:44:20","slug":"fail2ban-with-dell-enterprise-sonic","status":"publish","type":"post","link":"https:\/\/sensimedia.org\/?p=231","title":{"rendered":"Fail2BAN with Dell Enterprise SONiC"},"content":{"rendered":"

<\/a> \u00a0<\/p>\n

SONiC with Fail2Ban Container<\/h1>\n

Fail2Ban offer a security enforcement to protect against malicious attack based on port\/services identification and brute force authentication.<\/p>\n

Disclaimer<\/h2>\n

The Fail2ban is a free software, developed and maintained by the open-source community. It falls under the terms of the GNU General Public License as published by the Free Software Foundation. DELL do not provide any support related to the Fail2ban software.<\/p>\n

<\/a>The Goal<\/h2>\n

To reduce the risk of brute force attack over SSH (Secure Shell) or a REST <\/a>API, Fail2Ban can be used to protect against multiples fail authentication based on bad login\/password. Fail2ban uses iptables and a specific table to manage a dynamic filtering.<\/p>\n

<\/a>About Fail2Ban and SONiC<\/h2>\n

Enterprise SONiC provides an audit file (located in \/var\/log\/audit.log<\/em>) that logs all the changes and all the events with an associated flag (Warning, Failed, Success)<\/p>\n

Fail2ban parses log files and bans <\/a>IPs that show signs of the malicious behavior — too many password failures, seeking for exploits, etc. <\/a>Generally, Fail2Ban is used to update iptables rules to reject the malicious IP addresses for a specified amount of time, although any other arbitrary action (like sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (Apache, courier, ssh, etc).<\/p>\n

Fail2Ban can reduce the rate of incorrect authentications attempts, however it cannot eliminate the risk associated with weak authentication.<\/p>\n

<\/a>About this whitepaper<\/h2>\n

This document describes an example of a typical and basic configuration of the fail2ban container from the Docker Hub but a lot of variation in term of rule and usage are possible. We will see how to add local rules to parse the audit log to identifying SSH login failures and ban the IP source from where the failures come. Fail2ban allows to define some variables as max failures, time to ban, delay before unban, identify recursive request and some other capabilities. If you need further configuration information, the fail2ban wiki is accessible on GitHub at https:\/\/github.com\/fail2ban\/fail2ban\/wiki<\/a>.<\/p>\n

The process installation was successfully test with:<\/p>\n\n\n\n
\n

Dell Enterprise SONiC<\/p>\n<\/td>\n

\n

3.5.0<\/p>\n

4.0.5<\/p>\n

4.1<\/p>\n

4.4.x<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/a>Iptables, Nftables and Enterprise SONiC<\/h2>\n

Entreprise SONiC 4.0.5 and later is compiled with nf_table support whereas SONiC 3.5 doesn\u2019t not have this option enabled so some differences exist between those two versions in term of filtering behavior.<\/p>\n

<\/p>\n

Nftables is a recent implementation of Linux Kernel packet classification providing more flexibility and native NAT (Network Address Translation) support as well as a Netlink API for third-party applications. For further detail on nftables check the Wikipage of the project (What is nftables? – nftables wiki<\/a>)<\/p>\n

By default, Fail2Ban uses the legacy mode of iptables but does support nftables so depending on the SONiC Release Fail2ban rules visibility would be different :<\/em><\/p>\n