I answer my question: v-add-firewall-chain overwrites the file on boot,
Code:
# Preserving chain: append the CHAIN line only if chains.conf does not have it yet
chains=$VESTA/data/firewall/chains.conf
check_chain=$(grep "CHAIN='$chain'" "$chains" 2>/dev/null)
if [ -z "$check_chain" ]; then
    echo "CHAIN='$chain' PORT='$port' PROTOCOL='$protocol'" >> "$chains"
fi
but... what's the problem?? The problem is that all service ports (except vestaport) are hardcoded in that file, so if you have changed the default ports of services like ssh, ftp, etc... (to improve your server security), v-add-firewall-chain will create chains with the incorrect port... and due to this, fail2ban won't block any attack!
Code:
# Checking known chains: port and protocol are fixed here for every chain except VESTA
case $chain in
    SSH)   port=22; protocol=TCP ;;
    FTP)   port=21; protocol=TCP ;;
    MAIL)  port='25,465,587,2525,110,995,143,993'; protocol=TCP ;;
    DNS)   port=53; protocol=UDP ;;
    WEB)   port='80,443'; protocol=TCP ;;
    DB)    port='3306,5432'; protocol=TCP ;;
    VESTA) port=$vestaport; protocol=TCP ;;
    *)     check_args '2' "$#" 'CHAIN PORT' ;;
esac
I think that ports should not be hardcoded in any script, or at least the script should check the service's config file to see whether the port has been changed; this is done in v-update-firewall for ssh, for example:
Code:
# Checking custom OpenSSH port: take the first "Port" line of sshd_config
sshport=$(grep '^Port ' /etc/ssh/sshd_config | head -1 | cut -d ' ' -f 2)
# Only rewrite the rule when the value is numeric and differs from the default 22
if [[ "$sshport" =~ ^[0-9]+$ ]] && [ "$sshport" -ne "22" ]; then
    sed -i "s/PORT='22'/PORT='$sshport'/" "$rules"
fi
Another option could be to use the file /usr/local/vesta/data/firewall/ports.conf to read the ports, so if any user changes any service port, he should update this file too by editing the service port.
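As an added example, not code from the Vesta project or from this post: a POSIX shell script that resolves each chain's port from the service config (sshd_config for SSH, the same check v-update-firewall does) instead of the hardcoded default, and reports chains.conf entries whose recorded PORT no longer matches. The file paths and sample file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Vesta's code): resolve a chain's port from the service
# config instead of the hardcoded default; flag stale chains.conf entries.

# Defaults as hardcoded in v-add-firewall-chain (quoted in the post).
default_port() {
    case "$1" in
        SSH)  echo 22 ;;
        FTP)  echo 21 ;;
        MAIL) echo '25,465,587,2525,110,995,143,993' ;;
        DNS)  echo 53 ;;
        WEB)  echo '80,443' ;;
        DB)   echo '3306,5432' ;;
        *)    return 1 ;;
    esac
}

# Port from sshd_config's first "Port" line; fails if absent or non-numeric.
sshd_port() {
    p=$(grep '^Port ' "$1" 2>/dev/null | head -1 | cut -d ' ' -f 2)
    case "$p" in
        ''|*[!0-9]*) return 1 ;;
        *) echo "$p" ;;
    esac
}

# Resolve the port for a chain: live sshd_config for SSH, else the default.
chain_port() {
    chain=$1; sshd_conf=${2:-/etc/ssh/sshd_config}
    if [ "$chain" = SSH ]; then
        sshd_port "$sshd_conf" && return 0
    fi
    default_port "$chain"
}

# Print "CHAIN recorded_port resolved_port" for every stale chains.conf line.
stale_chains() {
    while IFS= read -r line; do
        c=$(printf '%s\n' "$line" | sed -n "s/.*CHAIN='\([^']*\)'.*/\1/p")
        p=$(printf '%s\n' "$line" | sed -n "s/.*PORT='\([^']*\)'.*/\1/p")
        want=$(chain_port "$c" "$2") || continue
        [ "$p" = "$want" ] || echo "$c $p $want"
    done < "$1"
}

# Constructed sample files (not from a real server): sshd moved to 2222.
tmp=$(mktemp -d)
printf 'Port 2222\n' > "$tmp/sshd_config"
printf "CHAIN='SSH' PORT='22' PROTOCOL='TCP'\nCHAIN='WEB' PORT='80,443' PROTOCOL='TCP'\n" > "$tmp/chains.conf"
stale_chains "$tmp/chains.conf" "$tmp/sshd_config"   # prints: SSH 22 2222
```

Running stale_chains against the real chains.conf and sshd_config after a port change shows which chain fail2ban would be banning on the wrong port.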