Netgate Discussion Forum

Automate easyrule from remote host

Firewalling
4 Posts 3 Posters 4.3k Views
akvadrat

      Hi!

Currently I have a NATed ssh server (linux) on my local LAN. The NATing is done by pfsense, and I use the pfsense box as my "home router"/firewall.
On the sshd-machine I want to run fail2ban to be able to block those nasty attackers filling up my auth.log. I could block them on the linux box with iptables, but preferably I would like my pfsense machine to do this. So I figured I still run fail2ban on my ssh-machine (where the logs to be analyzed are) and then, in case of a break-in attempt, I use easyrule over ssh to block the ip. Like this, for example:
ssh admin@pfsensebox easyrule block wan 116.31.116.42
But this didn't work, since I suppose the menu that pops up when I log in as admin gets in the way of my command. Strangely, it works if I use a command without arguments, like just 'ls'.
Anyway, I have now created a second user with admin permissions, but then I get this error instead:
ssh otheradminuser@pfsensebox "easyrule block wan 116.31.116.42"

      Fatal error: Call to undefined function session_commit() in /etc/inc/config.lib.inc on line 552
      PHP ERROR: Type: 1, File: /etc/inc/config.lib.inc, Line: 552, Message: Call to undefined function session_commit()

      Any idea how to solve this?
      Also any ideas of a better solution to this? Can it be done in a more elegant way directly in pfsense? Btw, I also run a webserver on this sshd-machine and I also plan to let fail2ban analyze the logs from that.

      Thanks!

jimp (Rebel Alliance Developer Netgate)

        The admin user is locked to the menu but you can use the root user to work around that. Now that I've mentioned it's technically possible, I must caution against allowing automated remote root logins. It's bad. Don't do it.

        Make a new user just for this and add the sudo package in the GUI, then grant that user access to easyrule, give it an ssh key, and then use that account instead of root/admin.

akvadrat

          jimp,

I didn't realize that the "admin" group was just for the webgui, but of course that makes total sense.

I have now added the command /usr/local/bin/easyrule to the list of sudoed commands for that regular user, and it works as intended, thanks!
There was just one thing: at first I had problems because I kept getting prompted for a password every time I ran 'sudo easyrule'. After a while I found out that this was because I used "Run As" admin and not root. Is it not possible to set NOPASSWD when "running as" admin?

luisenrique
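The setup jimp describes and akvadrat confirms (a dedicated pfSense user with key-based ssh, the sudo package granting that user /usr/local/bin/easyrule, and fail2ban on the Linux box driving it) is easy to wire up unsafely: whatever fail2ban extracted from auth.log ends up as an argument to a remote command. The script below is an added example, not code from the thread or from pfSense or fail2ban; it is the wrapper fail2ban's actionban would call. It assumes a pfSense user named fail2ban, a host named pfsensebox (from the thread), and a key at /etc/fail2ban/pfsense_key; all three are overridable through environment variables. It only forwards an address that is a well-formed IPv4 dotted quad, runs ssh in BatchMode so a missing key fails fast instead of hanging on a password prompt, and has a DRY_RUN mode that prints the exact command instead of executing it.

```shell
#!/bin/sh
# pf-block.sh (hypothetical name): fail2ban ban action that asks pfSense to add
# an easyrule block. Added example, not from the Netgate thread or pfSense.
#
# The sudo package on the pfSense side must grant this user the easyrule binary
# with "Run As" root (NOPASSWD), i.e. the equivalent of this sudoers line
# (form is an assumption; the GUI package writes the real file):
#   fail2ban ALL=(root) NOPASSWD: /usr/local/bin/easyrule

PF_HOST="${PF_HOST:-pfsensebox}"                 # assumption: pfSense hostname
PF_USER="${PF_USER:-fail2ban}"                   # assumption: dedicated sudo user
PF_KEY="${PF_KEY:-/etc/fail2ban/pfsense_key}"    # assumption: key used by fail2ban
PF_IFACE="${PF_IFACE:-wan}"                      # interface easyrule blocks on
DRY_RUN="${DRY_RUN:-0}"                          # 1 = print the command, do not run it

# Accept only a plain dotted-quad IPv4 address. The value comes from a log line
# that the remote attacker influenced, so nothing else may reach the remote shell.
valid_ipv4() {
    case "$1" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        [ -n "$_octet" ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# The remote command string; sudo is needed because easyrule edits the pfSense config.
build_cmd() {
    printf 'sudo /usr/local/bin/easyrule block %s %s' "$PF_IFACE" "$1"
}

# Validate, then run (or print) the ssh invocation. Returns 2 on a rejected address.
block_ip() {
    _ip=$1
    if ! valid_ipv4 "$_ip"; then
        echo "refusing to block invalid address: $_ip" >&2
        return 2
    fi
    _remote=$(build_cmd "$_ip")
    if [ "$DRY_RUN" = 1 ]; then
        echo "ssh -i $PF_KEY -o BatchMode=yes -o ConnectTimeout=10 $PF_USER@$PF_HOST $_remote"
        return 0
    fi
    ssh -i "$PF_KEY" -o BatchMode=yes -o ConnectTimeout=10 "$PF_USER@$PF_HOST" "$_remote"
}

# When invoked by fail2ban the banned address is the first argument.
if [ -n "${1:-}" ]; then
    block_ip "$1"
fi
```

In the jail's action file, `actionban = /usr/local/bin/pf-block.sh <ip>` hands the banned address to the script. The thread only shows `easyrule block`, so an unban path (removing the rule again when the ban expires) is not covered here; without one, the easyrule-generated block list on pfSense grows until someone prunes it in the GUI, which is worth knowing before pointing a busy web server's logs at it.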

@akvadrat said in Automate easyrule from remote host:

After a while I found out that this was because I used "Run As" admin and not root. Is it not possible to set NOPASSWD when "running as" admin?

Sorry for replying to this old post, but I'm looking for something like this... @akvadrat, can you share your workaround in fail2ban to write or execute the easyrule action... to add and remove the hosts' IP addresses... and the modifications made to the pfSense box in sudoers etc.?
Thanks

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.