
Enabling fail2ban module #1407

Merged
brianmcgillion merged 1 commit into tiiuae:main from enesoztrk:feat/fail2ban
Sep 17, 2025

Conversation

@enesoztrk enesoztrk (Contributor) commented Sep 15, 2025

Description of Changes

  • Fail2Ban is enabled on all VMs to protect against SSH brute-force attacks.
  • A custom jail is configured to redirect SSH connections from banned IPs to the ssh-tarpit server on the net-vm, slowing down attackers by deliberately delaying their connections.
  • On all other VMs, packets from banned IPs are dropped immediately.
  • VMs allow a maximum of 5 ICMP request packets (ping) in a single burst per minute for each IP address.
  • SSH SYN flood protection has been activated for every VM (maximum 30 new SSH connection requests/minute).

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

Scenario - 1 (External Network - Netvm)

  1. Regression test for network-related services
  2. Check whether endless-go is active on the net-vm with systemctl status endless-go.
  3. Attempt to establish an SSH connection, but enter the password incorrectly more than three times.
  4. Check the blacklist on the net-vm by using the command ipset list f2b-blacklist. You should see the attacker's IP address listed in the members section.
  5. Try to make an SSH connection again from the attacker's device. The connection should hang.

Scenario - 2 (VM - VM)

  1. Attempt to establish a VM-to-VM SSH connection, such as comms-vm to gui-vm, but enter the password incorrectly more than three times.
  2. Check the blacklist on the gui-vm by using the command ipset list f2b-blacklist. You should see the comms-vm IP address listed in the members section.
  3. Try to make an SSH connection again from the comms-vm to gui-vm. The connection should hang.
  4. You can also try other combinations. (chrome-vm to admin-vm)

Scenario - 3 (SSH SYN flood protection, ICMP flood protection)

  1. Ping the VMs; however, you cannot send more than five pings in a single burst. You can ping them once every minute.
  2. Launch an attack (VM-to-VM or External Network-to-Netvm) using the command hping3 -S -p 22 -i u10000 -c 35 ${VmIp}
  3. Check the blacklist on the victim VM with ipset list BLACKLIST. You should see the attacker's IP in the members section.

Note: The device under test must be in its default state before each test scenario (it can be rebooted).
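The following NixOS fragment is an added example, written for this note and not Ghaf's own fail2ban or firewall module, that wires up the three controls the description lists: a fail2ban sshd jail that only maintains an ipset, a firewall rule that drops (or, on the tarpit host, would mark) members of that set, and per-source ICMP plus SSH SYN rate limits. The ipset name f2b-blacklist follows the test steps above; the chain name f2b-guard, the action name ipset-blacklist, the ban and window lengths, and the assumption that an extra file under /etc/fail2ban/action.d is picked up next to the packaged actions are mine.

```nix
{ pkgs, ... }:
{
  services.fail2ban = {
    enable = true;
    maxretry = 3;        # ban after the third failed login, as in the test steps
    bantime = "1h";      # assumed ban length
    ignoreIP = [ "127.0.0.1/8" ];
    jails.sshd.settings = {
      enabled = true;
      filter = "sshd";
      backend = "systemd";        # read sshd failures from the journal
      findtime = "10m";           # assumed window for counting the failures
      action = "ipset-blacklist"; # custom action defined below
    };
  };
  # Custom action: only maintain the ipset; the firewall below decides what
  # happens to its members. Assumes extra action files placed under
  # /etc/fail2ban/action.d are found next to the packaged ones.
  environment.etc."fail2ban/action.d/ipset-blacklist.conf".text = ''
    [Definition]
    actionstart = ${pkgs.ipset}/bin/ipset create f2b-blacklist hash:ip -exist
    actionstop  = ${pkgs.ipset}/bin/ipset flush f2b-blacklist
    actionban   = ${pkgs.ipset}/bin/ipset add f2b-blacklist <ip> -exist
    actionunban = ${pkgs.ipset}/bin/ipset del f2b-blacklist <ip> -exist
  '';
  networking.firewall.extraPackages = [ pkgs.ipset ];
  networking.firewall.extraCommands = ''
    # Dedicated chain inserted ahead of the regular nixos-fw rules, so these
    # checks run before port 22 or ICMP echo is accepted.
    ipset create f2b-blacklist hash:ip -exist
    iptables -N f2b-guard 2>/dev/null || iptables -F f2b-guard
    iptables -I nixos-fw -j f2b-guard
    # Banned sources: drop on an ordinary VM. On the VM hosting the tarpit,
    # use -j MARK --set-mark <value> here and REDIRECT marked SYNs to the
    # tarpit port in the nat table instead of dropping them.
    iptables -A f2b-guard -m set --match-set f2b-blacklist src -j DROP
    # ICMP echo: 5 requests per minute per source address (burst of 5);
    # RETURN hands the allowed ones back to nixos-fw, the rest are dropped.
    iptables -A f2b-guard -p icmp --icmp-type echo-request -m hashlimit \
      --hashlimit-name icmp-echo --hashlimit-mode srcip \
      --hashlimit-upto 5/minute --hashlimit-burst 5 -j RETURN
    iptables -A f2b-guard -p icmp --icmp-type echo-request -j DROP
    # SSH SYN flood: at most 30 new connection attempts per minute on this VM.
    iptables -A f2b-guard -p tcp --dport 22 --syn \
      -m limit --limit 30/minute --limit-burst 30 -j RETURN
    iptables -A f2b-guard -p tcp --dport 22 --syn -j DROP
  '';
}
```

After a rebuild, ipset list f2b-blacklist shows the banned members exactly as the test steps describe, and fail2ban-client status sshd reports the same addresses.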

@enesoztrk enesoztrk marked this pull request as ready for review September 16, 2025 07:29
Copilot AI left a comment


Pull Request Overview

This PR enables fail2ban protection across all VMs in the Ghaf framework to protect against SSH brute-force attacks. The implementation includes a custom jail configuration that redirects SSH connections from banned IPs to an ssh-tarpit server on the net-vm, deliberately slowing down attackers, while other VMs drop packets from banned IPs immediately.

Key changes include:

  • Integration of fail2ban module with configurable SSH jail and firewall marking
  • SSH tarpit service enhancement with firewall mark support and custom action configuration
  • Rate limiting for ICMP requests (5 pings per minute per IP) and SSH connections (30 new connections per minute)

Reviewed Changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

Summary per file:

  • modules/common/security/fail2ban.nix: New fail2ban module with custom SSH jail configuration and iptables-ipset-mark action
  • modules/common/security/ssh-tarpit/default.nix: Enhanced ssh-tarpit with configurable firewall marks and fail2ban integration
  • modules/common/security/default.nix: Added fail2ban module to security imports
  • modules/development/ssh.nix: Added SSH flood protection with rate limiting rules
  • modules/microvm/sysvms/*.nix: Enabled fail2ban on all system VMs (netvm, guivm, audiovm, adminvm)
  • modules/microvm/appvm.nix: Enabled fail2ban on application VMs
  • modules/common/firewall/firewall.nix: Enhanced ICMP rate limiting per IP and conditional firewall marking
  • tests/firewall/default.nix: Added fail2ban and ssh-tarpit to firewall tests

* Fail2Ban is enabled on all VMs to protect against SSH brute-force attacks.
* A custom jail is configured to redirect SSH connections from banned IPs to the ssh-tarpit server on the net-vm, slowing down attackers by deliberately delaying their connections.
* On all other VMs, packets from banned IPs are dropped immediately.
* VMs allow a maximum of 5 ICMP request packets (ping) in a single burst per minute for each IP address.
* SSH SYN flood protection has been activated for every VM (maximum 30 new SSH connection requests/minute).

Signed-off-by: Enes Öztürk <enes.ozturk@unikie.com>
@milva-unikie

Tested on Darter Pro and Orin-AGX (new images)

  • All scenarios work as described
  • No issues with network
  • More extensive automated BAT test sets pass

@milva-unikie milva-unikie added the labels "Tested on Orin AGX" (This PR has been tested on NVIDIA Jetson AGX Orin) and "Tested on System76", and removed the "Needs Testing" (CI Team to pre-verify) label, Sep 17, 2025
@enesoztrk enesoztrk requested a review from vunnyso September 17, 2025 08:58
@brianmcgillion brianmcgillion merged commit f4ab7bb into tiiuae:main Sep 17, 2025
28 checks passed