
How to use curl to add packet filter rules (via Fail2ban)

I want to use Fail2ban to add & subtract IPs from Sophos's Firewall.

I've looked that the API documentation at https://www.sophos.com/en-us/medialibrary/PDFs/documentation/UTMonAWS/Sophos-UTM-RESTful-API.pdf and curl example in section 6.1 looks like the way to go.

curl -X POST --header 'Content-Type: application/json' \
  --header 'Accept: text/json' \
  --header 'X-RESTD-SESSION: close' \
  --header 'X-RESTD-INSERT: packetfilter.rules' \
  --header 'Authorization: Basic YWRtaW46cHBwcA==' \
  -d '{"action":"accept", "destinations":["REF_NetworkAny"], "direction":"in",
       "log":true,
       "services":["REF_ServiceAny"],
       "sources":["REF_NetworkAny"],
       "status":true}' \
  'https://<UTM IP>:4444/api/objects/packetfilter/packetfilter/'

In that example, where would I put the IP to block?

Is there a better way to do this?

Has anyone managed to use Fail2ban with Sophos UTM?

Thanks, James.

  • First, you need to create a network object of type Host.

    Next, you need to find the "REF_xxxx" for this object.

    Now you can create the rule and use that object as the "source".

    ... only theory

    I spent a lot of time with the REST API browser to create the host object, but I could not assign that object to a group.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Thanks Dirk.

    I think I'll contact support - I can see this being a big sinkhole for my time! Given how popular fail2ban and Sophos UTM are, I was hoping that someone had managed to get the two to work together!

    James.

    James, if you get this working, please post instructions here. You might want to read "We hit 100,000 IP's blocked last night from a spam botnet".

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
    Hi Bob. I've made some progress on this. Tech Support said that first you need to use the API to create the Host (i.e. the IP you want to block). Then you use the API to create the packet filter (firewall) rule, referencing that host.

    Reading section 5 of the documentation I found the Swagger interface - just go to https://ip_address_of_UTM:4444/api/ and you can find all that the API can do. It is fantastic. This is how I was able to create the Network Host object in the UTM.

    I created a firewall rule in the UTM's web GUI with Source being a Network Group that I'd created. The idea is that after I've created the Network Host using the API, I'd use the API to put it in the Network Group.

    This way I'd just have one Firewall Rule.

    Unfortunately I've spent all afternoon looking, but I can't see any way to add a Network Host to a Network Group using the API.

    So that's what I'm stuck on at the moment.

    James.

  • Well, finally got it to work! After spending all day with much trial & error, I worked out the syntax. Basically, the Swagger UI lies about what you can do with POST, PUT & PATCH commands. You can write to all the fields, not just the 'comment' and 'name' fields.

    So, to add the Host with reference "REF_NetHos1918811671" (IP of 191.101.167.14) to the Network Group with ref "REF_NetGroBanneIpsFail2" I used:

    curl -X PATCH --header 'Content-Type: application/json' \
      --header 'Accept: application/json' \
      --header 'Authorization: Basic SmZXCvbnNMJHxMjM=' \
      -d '{"comment":"Test","name":"","members":["REF_NetHos1911011671"]}' \
      'my.sophos.utm.address:4445/.../REF_NetGroBanneIpsFail2'

    and output returned was:

    {
      "_locked": "",
      "_ref": "REF_NetGroBanneIpsFail2",
      "_type": "network/group",
      "comment": "Test",
      "members": [
        "REF_NetHos1911011671"
      ],
      "name": "191.101.167.14",
      "types": [
        "host"
      ]
    }

    So very relieved to get that working.

    Now my issue is that this curl command will overwrite what is already there. I.e. if the Network Group already has a few Hosts as members they will be removed with this curl command - its only member would be 191.101.167.14.
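The overwrite problem in the last post is the usual read-modify-write case: fetch the group's current member list, add (or drop) the one host ref, and PATCH back only the members field. The script below is an added example, not James's code or Sophos's; the UTM address, credentials, refs and the /api/objects/network/group/ path (following the /api/objects/{type}/{subtype}/ pattern of the documented packetfilter example) are assumptions to replace with your own.

```python
import base64
import json
import urllib.request

# Assumed placeholders (not from the thread): UTM address and admin credentials.
UTM_API = "https://utm.example.invalid:4444/api"
AUTH_B64 = base64.b64encode(b"admin:PASSWORD-PLACEHOLDER").decode()
GROUP_PATH = "/objects/network/group/"  # assumed from the documented URL pattern


def merged_members(group, host_ref):
    """Member list with host_ref appended once (ban); existing members are kept."""
    members = list(group.get("members", []))
    if host_ref not in members:
        members.append(host_ref)
    return members


def remaining_members(group, host_ref):
    """Member list with host_ref removed (unban); no error if it was absent."""
    return [m for m in group.get("members", []) if m != host_ref]


def patch_body(members):
    """Send only 'members': the thread showed PATCH replacing the whole list,
    so the list we send must already contain every host that should stay."""
    return json.dumps({"members": members}).encode()


def api_call(method, path, body=None):
    """One request against the UTM REST API, returning the parsed JSON reply."""
    req = urllib.request.Request(UTM_API + path, data=body, method=method)
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    req.add_header("Authorization", "Basic " + AUTH_B64)
    req.add_header("X-RESTD-SESSION", "close")  # do not leave a confd session open
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def ban(group_ref, host_ref):
    """Read the group, append the host, write the merged list back."""
    group = api_call("GET", GROUP_PATH + group_ref)
    return api_call("PATCH", GROUP_PATH + group_ref,
                    patch_body(merged_members(group, host_ref)))


def unban(group_ref, host_ref):
    """Read the group, drop the host, write the remaining list back."""
    group = api_call("GET", GROUP_PATH + group_ref)
    return api_call("PATCH", GROUP_PATH + group_ref,
                    patch_body(remaining_members(group, host_ref)))
```

Fail2ban's actionban/actionunban can call ban() and unban() with the group ref and the host ref returned when the host object was created; because the merge is idempotent, a repeated ban does not duplicate the member.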
