Fail2ban on Cumulus Linux

  • 1
  • Question
  • Updated 1 year ago
The title pretty much explains it, but I was wondering the possibility of using Fail2ban on Cumulus Linux. I pretty much use this on all servers I deploy to protect against attacks. 
Would there be any reason the use of fail2ban on Cumulus Linux would be discouraged either for a specific reason or there is a potential to use the current toolbox to emulate fail2ban or even achieve a better level of protection?
Any thoughts or comments would be greatly appreciated.
Photo of Alan Dobinson

Alan Dobinson

  • 102 Points 100 badge 2x thumb

Posted 1 year ago

  • 1
Photo of Scott Suehle

Scott Suehle, Alum

  • 3,772 Points 3k badge 2x thumb
Yes you can use Fail2Ban on Cumulus. This is not something we have test cases with but there is no reason you could not use it.
Photo of Eric Pulvino

Eric Pulvino, Official Rep

  • 3,868 Points 3k badge 2x thumb
The one caveat here is that the rules are not hardware accelerated. With fail2ban, new rules are installed by iptables directly instead of calling cl-acltool to install them into hardware. As a result, the rules will only protect the software control plane and could still be overwhelmed in a DDos scenario as the hardware will forward all bad traffic to the control plane for rejection. I thought about writing a plugin for fail2ban to do the right thing on Cumulus but have not gotten around to it. Using Fail2ban as is will still offer some additional protection though.
Photo of Alan Dobinson

Alan Dobinson

  • 102 Points 100 badge 2x thumb
This sounds all very positive, I would definitely be interested if a plugin were created for it to work with the Cumulus system. I did have a look at installing this briefly however after an apt update and apt-get install the package is not found. The top answer when the package cannot be found is to add repositories see here:

I am slightly wary about messing with the repositories, but presumably by adding these repositories I will not cause any issue to existing packages when an update or similar occurs?

My current /etc/apt/sources.list

deb CumulusLinux-3 cumulus upstream
deb-src CumulusLinux-3 cumulus upstream

deb CumulusLinux-3-security-updates cumulus upstream
deb-src CumulusLinux-3-security-updates cumulus upstream

deb CumulusLinux-3-updates cumulus upstream
deb-src CumulusLinux-3-updates cumulus upstream

#deb CumulusLinux-3-early-access cumulus
#deb-src CumulusLinux-3-early-access cumulus

# Currently under construction
#deb CumulusLinux-3-marketplace commercial community
Photo of Dave Olson

Dave Olson, MTS

  • 1,010 Points 1k badge 2x thumb
There are some concerns internally about using fail2ban, because of it's interaction with our ACL's.  When used only for the software plane, it should work with no problems, as Eric explained.  There might be side effects, however.

As far as adding the upstream debian jessie repo to your sources.list or as a file in /etc/apt/sources.list.d, it shouldn't cause problems, but you do need to be careful to not replace cumulus-modified packages with an upstream version.   You can add it, and leave it commented out except for the times you are explictly installing an upstream debian package, to reduce the chance of problems.
Photo of Alan Dobinson

Alan Dobinson

  • 102 Points 100 badge 2x thumb
Just an update. I now have this installed. Anyone else interested in the same I needed to add the following to my /etc/apt/sources.list

deb jessie main contrib non-free
deb-src jessie main contrib non-free

I then did an update
sudo apt-get update

I was then able to install fail2ban
sudo apt-get install fail2ban

I then changed my /etc/apt/sources.list file to comment out the two repositories 

#deb http://httpredir.debian&a... jessie main contrib non-free
#deb-src jessie main contrib non-free

I then did one final update
sudo apt-get update