Long time OpenSUSE user, currently moving to Leap 15.
**1. GOAL: **Move to Fail2Ban + FirewallD combo for secure VPS instance login from any location.
2. SITUATION: From home office (or anywhere with additional configuration) update a dynamic DNS service provider with new local IP address. Cloud instance firewall is updated by whitelisting the new IP associated with the fixed domain at the DNS service. This is the ONLY access to the VPS. Typically one, or sometimes a few colleagues, will be able to access. Access is via SSH with a key etc., typically initiated from Windows via PuTTY etc. Dynamic IP is communicated to the DNS service by local host firewall (IPCop or Pfsense etc.)
3. CURRENT SOLUTION SUCCESS: Using CFS Firewall (“ConfigServer and Security Firewall”) on OpenSUSE 42 series, which has a very easy-to-understand dynamic DNS configuration, which updates the inbound whitelist. The update through the whole chain happens in seconds on any IP address change. Has never failed in three years. And system seems otherwise locked down.
4. NEW LEAP DEPLOYMENT: CFS cannot be easily deployed on new OpenSUSE Leap version (long story, CFS not updated for configuration details). Therefore, why no go with standard out-of-the-box?
5. SUCCESS OF NEW DEPLOYMENT: firewalld is deployed, with a hard-coded single IP address in the trusted zone, and the updated new port number. The login via SSH with key works perfectly. And the firewall is locking down everything else. So far, so good.
6. WHAT FAIL2BAN IS SUPPOSED TO DO: Fail2Ban makes it possible to whitelist a domain! This is really nice. Add in the DNS service domain host name, just as with CFS, and then Fail2Ban is supposed to dynamically update the associated IP address with firewalld – and apparently the interface between the two comes with the install.
7. PROBLEM WITH NEW DEPLOYMENT: New IP addresses can be manually added to firewallD. But so far Fail2Ban does not dynamically do this.
**8. DOCUMENTATION? **I haven’t seen any documentation on the interface between fail2ban and firewalld. Everyone just says “it works”. More details would really help, especially for such an important set of products.
9. HOW IMPORTANT IS THIS USE CASE? The popularity of affordable VPS cloud instances is skyrocketing! And a huge number of home office users are of course on dynamic IP addresses. The ability to easily configure a cloud instance to ONLY accept connections from a small number of home office or mobile users would be HUGELY useful it seems.
10. PROOF: And we know it works really well – case in point is the OpenSUSE 48 version with CFS.
11. SUMMARY PROBLEM: Fail2Ban is not getting the updated IP address and pumping it into firewalld. I have not been able to find information on how this is supposed to work or any logs to read or settings to do. Fail2Ban as far as I know is correctly configured.
**ignorip=127.0.0.1 aaa.bbb.com **/ “aaa” etc. is the FQDN model /
**[sshd] **/ f2b will monitor inbound ssh /
port = 2221
**action = iptables-multiport **/ Not sure even about this line /
**12. POSSIBLE PROBLEMS, **perhaps either of following?
- Link between Fail2Ban and DNS service.
- Link between Fail2Ban and FirewallD.
Thanks for any suggestions!