fail2ban, Debian buster/10 and iptables vs nftables

Buster forces a move to nftables, unfortunately fail2ban thinks it’s still using iptables, so nothing gets blocked. To fix ….

Buster forces a move to nftables, unfortunately fail2ban thinks it’s still using iptables, so nothing gets blocked. To fix ….

(fail2ban in Buster also seems to require systemd – and no longer reads from e.g. /var/log/mail.log, which is a bit disappointing but oh well…)

After messing about trying to get nftables working – where trying to use the default /etc/nftables.conf file just results in an error a bit like :

/etc/nftables.conf:6:15-19: Error: Could not process rule: No such file or directory
chain input {

I gave up, and found the Debian Wiki Page which gives :

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set arptables /usr/sbin/arptables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy

Which now allows fail2ban to actualy block things (via /var/log/fail2ban.log etc).

Google Titan Security Key on Linux

Fixing udev so a Titan security key works on Linux …

When trying to use these new fangled things on Debian (Stretch) I needed to edit/create /etc/udev/rules.d/titan.rules and put in it something like the following – else nothing happens when you try using them …

KERNEL=="hidraw", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0858", TAG+="uaccess", GROUP="plugdev", MODE="0660"
KERNEL=="hidraw", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="085b", TAG+="uaccess", GROUP="plugdev", MODE="0660"

This is based on e.g. the ‘dmesg’ output looking something like this for the bluetooth/usb variant :

usb 1-2: new full-speed USB device number 46 using xhci_hcd
usb 1-2: New USB device found, idVendor=096e, idProduct=085b, bcdDevice=35.02
usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-2: Product: ePass FIDO
usb 1-2: Manufacturer: FS

and this for the plain USB YubiKey like one :

usb 1-1: new full-speed USB device number 47 using xhci_hcd
usb 1-1: New USB device found, idVendor=096e, idProduct=0858, bcdDevice=46.00
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-1: Product: U2F
usb 1-1: Manufacturer: FT
hid-generic 0003:096E:0858.0014: hiddev3,hidraw4: USB HID v1.00 Device [FT U2F] on usb-0000:00:14.0-1/input0 

Alternatively, you can just download a udev config file from https://raw.githubusercontent.com/Yubico/libu2f-host/master/70-u2f.rules and stick it in /dev/udev/rules.d and run ‘udevadm control –reload

rsyslog filtering (with loggly)

Filtering rsyslog output being sent to loggly (e.g. from an apache imfile input)

If you’re a bit slow on the uptake, like me … this might help.

Basic logging to Loggly is simple enough –

References : https://www.loggly.com/docs/rsyslog-tls-configuration/ gets you to add in an omfwd action and a template with auth details in …

However, when you also want to mix in sending Apache logs to loggly, and at the same time want to suppress sending some lines ….. life becomes a bit harder.

Here’s what worked for me anyway… replace MAGIC_AUTH_TOKEN_HERE with your loggly auth details.

Place this in /etc/rsyslog.d/loggly.conf.

# Setup disk assisted queues
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1     # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
$ActionQueueType LinkedList       # run asynchronously
$ActionResumeRetryCount -1        # infinite retries if host is down

#RsyslogGnuTLS
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/logs-01.loggly.com_sha12.crt


$ActionSendStreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS
$ActionSendStreamDriverAuthMode x509/name # authenticate by hostname
$ActionSendStreamDriverPermittedPeer *.loggly.com

template(name="LogglyFormat" type="string"
string="< %pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [MAGIC_AUTH_TOKEN_HERE tag=\"Syslog\"] %msg%\n"
)


module(load="imfile") 

# Apache file inputs :

input(type="imfile"
    File="/var/log/apache2/access.log"
    Tag="apache-access"
    Severity="info"
    Facility="local7")

input(type="imfile"
    File="/var/log/apache2/error.log"
    Tag="apache-error"
    Severity="error"
    Facility="local7")


# Format for Apache things.
$template LogglyFormatApache,"< %pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [MAGIC_AUTH_TOKEN_HERE  tag=\"apache\" ] %msg%\n"

if ( $programname == 'apache-access' ) and not ( $msg contains "/something-to-skip/" ) then {
     action(
        type="omfwd" 
        protocol="tcp" 
        target="logs-01.loggly.com" 
        port="6514" template="LogglyFormatApache" 
        StreamDriver="gtls" 
        StreamDriverMode="1" 
        StreamDriverAuthMode="x509/name" 
        StreamDriverPermittedPeers="*.loggly.com"
    )
    stop
} 

# no further processing of apache-access things 
if ( $programname == 'apache-access') then stop

if ( $programname == 'apache-error' ) then {
         action(
                type="omfwd" 
                protocol="tcp" 
                target="logs-01.loggly.com" 
                port="6514" template="LogglyFormatApache" 
                StreamDriver="gtls" 
                StreamDriverMode="1" 
                StreamDriverAuthMode="x509/name" 
                StreamDriverPermittedPeers="*.loggly.com"
        )
    stop
} 

if ( $programname == 'apache-error') then stop

# Anything else ... sent to loggly.
action(
    type="omfwd" 
    protocol="tcp" 
    target="logs-01.loggly.com" 
    port="6514" template="LogglyFormatApache" 
    StreamDriver="gtls" 
    StreamDriverMode="1" 
    StreamDriverAuthMode="x509/name" 
    StreamDriverPermittedPeers="*.loggly.com"
)