Suricata-IDS conflicts with other security applications

Hello,
Does Suricata-IDS have any conflict with Fail2ban? How can I be sure?

Thanks.

Hi Jason,

Suricata (in IDS mode) processes packets off a SPAN or tap port (usually). It’ll never transmit onto the network.
Suricata will generate alerts if the rules it’s provided with match the packets.

I’m not sure what you mean by “conflict” – could you describe your deployment scenario?

I installed and configured Suricata-IDS via https://www.tecmint.com/setup-automatic-updates-for-centos-8/. I installed Fail2ban too and I want to know whether Suricata-IDS could have any conflict with Fail2ban. Could they cause problems for each other?

My limited understanding of fail2ban is that it monitors the host’s files looking for logins.

Suricata monitors a network interface and analyzes packets that are received.

What does your network topology look like? It sounds like both applications (Suricata, Fail2ban) are running on the same machine.

Does fail2ban monitor network traffic or just log files on the host?

Yes, they are running on the same host.
Fail2ban is monitoring the SSH log.

Unless you combine them in some way, there shouldn’t be any conflict. Both generate logs, and unless you run IPS mode or use the Suricata logs to initiate other actions it’s totally passive, so there is no reason for a conflict.

I configured Suricata-IDS via https://kifarunix.com/install-and-setup-suricata-on-centos-8/, so which mode is enabled?

Should be IDS mode.

Doesn’t this mode protect my server? If not, how can I change it to IPS mode?

Hi Jason,
The details will depend on your server specifics – here’s documentation to get started: https://suricata.readthedocs.io/en/suricata-5.0.3/setting-up-ipsinline-for-linux.html?highlight=ips

Thank you for your information.
My server is connected to the internet directly, and there is no interface between the server and the internet.
The tutorial uses iptables! My server is using Firewalld!
Any idea?

There is no tutorial for firewalld, but underneath, firewalld also uses iptables/netfilter. So I would look into the firewalld documentation for how to achieve the required settings for IPS mode.

Can you show me a tutorial about it?

Hi Jason,
You’ll have to do some research… here’s one link which compares iptables and firewalld and shows how each can be configured.
https://www.unixmen.com/iptables-vs-firewalld/

I know, but the Suricata-IDS tutorial only shows iptables. I don’t know how to convert those iptables rules into Firewalld!

Unfortunately there don’t seem to be many examples of setting up NFQUEUE rules with firewalld. I’d suggest researching the firewall-cmd rich rules to see if it can be done. Or dropping firewalld and moving to iptables. I found a guide on that here: https://prolinuxhub.com/deploy-iptables-with-nat-and-suricata-ids-on-centos-7/

The other option is to continue using firewalld, but execute our documented iptables commands after firewalld is loaded during the boot process. A quick test shows me it should work, but I don’t use firewalld, so I can’t be 100% sure.

So you could try this… Create /etc/firewalld/direct.xml to look like:

<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-j NFQUEUE --queue-bypass</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="0">-j NFQUEUE --queue-bypass</rule>
</direct>

Note the --queue-bypass. This allows packets through if Suricata is not running. If you want packets to be dropped when Suricata is not running then remove that option.

After creating this file reload with firewall-cmd --reload.

This was tested on a CentOS 8 default install with Suricata installed from EPEL. The command line was simply suricata -q0.
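To make the direct.xml above easier to reason about, here is an added example (not part of the post above, nor of the Suricata or firewalld projects). Each <rule> element is a firewalld "direct" rule: the attributes say which iptables table and chain it is inserted into (filter/INPUT and filter/OUTPUT, priority 0), and the element body is the iptables rule fragment itself. "-j NFQUEUE" hands every packet in that chain to userspace queue 0, which is the queue "suricata -q0" reads from and returns an accept/drop verdict to. The script renders the file with an explicit --queue-num and a switch between the fail-open behaviour the post describes (--queue-bypass: packets pass if Suricata is not attached to the queue) and the fail-closed variant (option removed: packets are dropped while Suricata is down), prints the equivalent plain iptables commands for comparison, and does a cheap sanity check before reloading. The output path, queue number and the presence of firewall-cmd on the host are assumptions; the helper functions work on any scratch file so they can be tried without touching a live firewall.

```shell
#!/bin/sh
# Added example: generate and check a firewalld direct.xml that diverts
# INPUT/OUTPUT traffic to NFQUEUE for Suricata IPS mode.
# Assumptions (not from the forum post): /etc/firewalld/direct.xml is the
# target path, Suricata is started with "suricata -q <queue>", and
# firewall-cmd may or may not be installed on the host running this.

# render_direct_xml <queue_num> <bypass: yes|no>
# Prints the direct.xml body to stdout. bypass=yes adds --queue-bypass
# (fail open: traffic flows when no program is attached to the queue);
# bypass=no omits it (fail closed: netfilter drops while Suricata is down).
render_direct_xml() {
    queue="$1"
    bypass="$2"
    opt="--queue-num $queue"
    if [ "$bypass" = "yes" ]; then
        opt="$opt --queue-bypass"
    fi
    printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>'
    printf '%s\n' '<direct>'
    # One rule per chain; priority 0 puts it first among direct rules.
    for chain in INPUT OUTPUT; do
        printf '  <rule ipv="ipv4" table="filter" chain="%s" priority="0">-j NFQUEUE %s</rule>\n' "$chain" "$opt"
    done
    printf '%s\n' '</direct>'
}

# iptables_equivalent <queue_num> <bypass: yes|no>
# Prints the plain iptables commands the two direct rules correspond to,
# i.e. what you would type on a host that uses iptables without firewalld.
iptables_equivalent() {
    opt="--queue-num $1"
    [ "$2" = "yes" ] && opt="$opt --queue-bypass"
    for chain in INPUT OUTPUT; do
        printf 'iptables -I %s -j NFQUEUE %s\n' "$chain" "$opt"
    done
}

# check_direct_xml <file>
# Returns 0 only if both the INPUT and OUTPUT chains carry an NFQUEUE rule;
# a file that diverts only one direction would leave half the flow unseen.
check_direct_xml() {
    f="$1"
    grep -q 'chain="INPUT"[^<]*-j NFQUEUE' "$f" || return 1
    grep -q 'chain="OUTPUT"[^<]*-j NFQUEUE' "$f" || return 1
    return 0
}

# queue_bypass_enabled <file>
# Returns 0 when the file is fail-open (--queue-bypass present), 1 otherwise.
queue_bypass_enabled() {
    grep -q -- '--queue-bypass' "$1"
}

# install_direct_rules <queue_num> <bypass: yes|no> [path]
# Writes the file, validates it, and reloads firewalld if firewall-cmd exists.
install_direct_rules() {
    path="${3:-/etc/firewalld/direct.xml}"
    render_direct_xml "$1" "$2" > "$path" || return 1
    check_direct_xml "$path" || { echo "direct.xml check failed" >&2; return 1; }
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --reload
        # Show what firewalld actually loaded so the result can be eyeballed.
        firewall-cmd --direct --get-all-rules
    else
        echo "firewall-cmd not found; wrote $path but did not reload" >&2
    fi
    if queue_bypass_enabled "$path"; then
        echo "fail-open: traffic passes while suricata -q $1 is not running" >&2
    else
        echo "fail-closed: traffic is dropped while suricata -q $1 is not running" >&2
    fi
}

# Only touch the system when explicitly asked, e.g.:
#   sh direct_xml.sh install 0 yes
if [ "${1:-}" = "install" ]; then
    install_direct_rules "${2:-0}" "${3:-yes}"
fi
```

Run with "install 0 yes" to reproduce the fail-open setup from the post, or "install 0 no" for fail-closed; in both cases Suricata must then be running with the matching queue number ("suricata -q 0") for packets to be inspected and returned to the kernel.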

Why not improve the Suricata-IDS documentation? Most distros use Firewalld or UFW!

Thank you.
Can you explain the xml file for me?
Should I run Suricata-IDS in IPS mode manually via the “suricata -q0” command?

I feel like firewalld doesn’t give you as much control as many people want to have when running IPS-type setups, so they often fall back to iptables. I know that on my own home router I can’t accomplish with firewalld what I’ve used for years, even though I’ve tried. So it will take someone to really deep dive into it and see. What I provided seems to work, but I can’t comment on its correctness or how it interacts with the existing firewalld rules.