Ted, never mind about the multiport; I remembered that wrong, it was all-ports. I read some about firewalld on the Red Hat page, just some high-level overview: the *_direct chains are for use by programs, so fail2ban put the rule in the correct place. But it did not go into detail on how the daemon does its thing. It just said that the iptables service is replaced by the firewalld service and that firewalld uses iptables to interact with the kernel and netfilter.
On Mon, 2015-06-15 at 19:58 -0500, Harrison Johnson wrote:
> Ted,
> I personally don't like firewalld. I think it just adds layers of
> complexity to the issue, but this is just my opinion. It does have
> advantages with inter-process communications and really comes into its
> own when you are running a machine with multiple interfaces. This is
> the classic 6 of one / half a dozen of the other.
>
> Each of your INPUT & FORWARD chains is set to accept a connection
> by default. This is not a big deal because the last rule in each chain
> will reject anything that does not match a preceding rule. The first
> rule in both of the chains accepts any inbound packet that has a
> related or established connection. But the second rule in each of
> these chains is, I think, your problem: "ACCEPT all -- anywhere
> anywhere". In the INPUT chain this rule says 'accept all protocols
> from any source to any destination from your outside network' and in
> the FORWARD chain it says 'send any packet to any other network
> interface you have'. But the firewalld daemon may do some
> preprocessing that I don't know about that prevents this action. But
> according to these rules a packet will never be rejected in the INPUT
> or FORWARD chain because every packet will match rule 2 and be accepted. A
> packet that does reach the third rule "INPUT_direct all -- anywhere
> anywhere" will jump to the INPUT_direct chain, and the only rule in
> that chain does reject a tcp packet from any source to any destination
> on port 22. I just can't tell you what firewalld does to make this
> happen. But I can tell you the answer should be in the log file, which
> should be here: "/var/log/firewalld". You might try this command
> "firewall-cmd --state" to make sure that firewalld is running and
> "firewall-cmd --list-all-zones" to see what services, ports and
> interfaces are associated with the defined zones.
>
> And I remember reading something about multiport on the fail2ban wiki;
> let me see if I can find that. Hope this helps some.
>
> Harry.
>
> On Mon, 2015-06-15 at 16:40 -0400, Ted To wrote:
> > Hi Harrison,
> >
> > Here is the output for "iptables -L". FWIW, CentOS 7 uses firewalld.
> >
> > Thanks,
> > Ted
> >
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> > ACCEPT     all  --  anywhere             anywhere
> > INPUT_direct  all  --  anywhere             anywhere
> > INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
> > INPUT_ZONES  all  --  anywhere             anywhere
> > ACCEPT     icmp --  anywhere             anywhere
> > REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> > ACCEPT     all  --  anywhere             anywhere
> > FORWARD_direct  all  --  anywhere             anywhere
> > FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
> > FORWARD_IN_ZONES  all  --  anywhere             anywhere
> > FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
> > FORWARD_OUT_ZONES  all  --  anywhere             anywhere
> > ACCEPT     icmp --  anywhere             anywhere
> > REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> > OUTPUT_direct  all  --  anywhere             anywhere
> >
> > Chain FORWARD_IN_ZONES (1 references)
> > target     prot opt source               destination
> > FWDI_public  all  --  anywhere             anywhere            [goto]
> > FWDI_public  all  --  anywhere             anywhere            [goto]
> >
> > Chain FORWARD_IN_ZONES_SOURCE (1 references)
> > target     prot opt source               destination
> >
> > Chain FORWARD_OUT_ZONES (1 references)
> > target     prot opt source               destination
> > FWDO_public  all  --  anywhere             anywhere            [goto]
> > FWDO_public  all  --  anywhere             anywhere            [goto]
> >
> > Chain FORWARD_OUT_ZONES_SOURCE (1 references)
> > target     prot opt source               destination
> >
> > Chain FORWARD_direct (1 references)
> > target     prot opt source               destination
> >
> > Chain FWDI_public (2 references)
> > target     prot opt source               destination
> > FWDI_public_log  all  --  anywhere             anywhere
> > FWDI_public_deny  all  --  anywhere             anywhere
> > FWDI_public_allow  all  --  anywhere             anywhere
> >
> > Chain FWDI_public_allow (1 references)
> > target     prot opt source               destination
> >
> > Chain FWDI_public_deny (1 references)
> > target     prot opt source               destination
> >
> > Chain FWDI_public_log (1 references)
> > target     prot opt source               destination
> >
> > Chain FWDO_public (2 references)
> > target     prot opt source               destination
> > FWDO_public_log  all  --  anywhere             anywhere
> > FWDO_public_deny  all  --  anywhere             anywhere
> > FWDO_public_allow  all  --  anywhere             anywhere
> >
> > Chain FWDO_public_allow (1 references)
> > target     prot opt source               destination
> >
> > Chain FWDO_public_deny (1 references)
> > target     prot opt source               destination
> >
> > Chain FWDO_public_log (1 references)
> > target     prot opt source               destination
> >
> > Chain INPUT_ZONES (1 references)
> > target     prot opt source               destination
> > IN_public  all  --  anywhere             anywhere            [goto]
> > IN_public  all  --  anywhere             anywhere            [goto]
> >
> > Chain INPUT_ZONES_SOURCE (1 references)
> > target     prot opt source               destination
> >
> > Chain INPUT_direct (1 references)
> > target     prot opt source               destination
> > REJECT     tcp  --  anywhere             anywhere             multiport dports ssh match-set fail2ban-default src reject-with icmp-port-unreachable
> >
> > Chain IN_public (2 references)
> > target     prot opt source               destination
> > IN_public_log  all  --  anywhere             anywhere
> > IN_public_deny  all  --  anywhere             anywhere
> > IN_public_allow  all  --  anywhere             anywhere
> >
> > Chain IN_public_allow (1 references)
> > target     prot opt source               destination
> > ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission ctstate NEW
> > ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp ctstate NEW
> > ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
> > ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps ctstate NEW
> >
> > Chain IN_public_deny (1 references)
> > target     prot opt source               destination
> >
> > Chain IN_public_log (1 references)
> > target     prot opt source               destination
> >
> > Chain OUTPUT_direct (1 references)
> > target     prot opt source               destination
> >
> > > Ted,
> > > You might have a look at your iptables filter table to see if you are
> > > jumping to the chain correctly. Fail2ban does a pretty good job of
> > > putting the rules in the filter, but you still might have a rule like a
> > > default accept that is allowing the connection before the jail
> > > drops/rejects it.
> >
> > On 06/14/2015 01:33 PM, Arch Architecht wrote:
> > > I would check on iptables' order as Harrison said. I did mess around
> > > with my bantimes since some hosts have some sort of "intelligent"
> > > scanner which tries a few hrs after they are banned or they come back a
> > > few days later. My personal bantime is 1234564890 which is long enough
> > > for me :D
> > >
> > > In any case, post an output of your iptables -L or your saved iptables
> > > from /etc/sysconfig. I use CentOS 6 so your file may be elsewhere.
> > >
> > > Regards,
> > > Arch
> > >
> > > On Jun 14, 2015 7:26 PM, "Ted To" <[email protected]> wrote:
> > >
> > > Hi Arch,
> > >
> > > I null routed that IP address and within a few seconds, another IP
> > > address started hitting me. I null routed that IP and it seems to
> > > have stopped for the moment. With the exception of specifying a
> > > destemail address in jail.local, my configuration is the default
> > > CentOS 7 EPEL config with the addition of the jail.d/sshd.local file
> > > I posted.
> > >
> > > Why would changing the bantime and findtime affect this behavior?
> > > (Just trying to understand.)
> > >
> > > Thanks,
> > > Ted
> > >
> > > On 2015-06-14 12:02 pm, Arch Architecht wrote:
> > >
> > > I would null route the IP and check my configs again. You may
> > > need to change your bantime and findtime.
> > >
> > > Regards,
> > > Arch
> > >
> > > On Jun 14, 2015 5:56 PM, "Ted To" <[email protected]> wrote:
> > >
> > > Hi,
> > >
> > > I have a CentOS 7 installation where an IP address that has been
> > > banned appears to be able to continue to attempt ssh connections.
> > > My sshd.local is:
> > >
> > > [sshd]
> > > enabled = true
> > > bantime = 86400
> > > findtime = 3600
> > > maxretry = 3
> > > protocol = all
> > >
> > > Despite this, I am currently being continuously hit by
> > > 43.255.188.169 (log snippets follow).
> > >
> > > Any ideas what I have done wrong?
> > >
> > > Thanks,
> > > Ted
> > >
> > > 2015-06-14 11:33:46,545 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> > > 2015-06-14 11:33:48,350 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> > > 2015-06-14 11:33:50,421 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> > > 2015-06-14 11:33:51,086 fail2ban.actions [28524]: NOTICE [sshd] 43.255.188.169 already banned
> > > 2015-06-14 11:33:53,104 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> > > 2015-06-14 11:33:53,734 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> > > 2015-06-14 11:33:55,499 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> > > 2015-06-14 11:33:56,092 fail2ban.actions [28524]: NOTICE [sshd] 43.255.188.169 already banned
> > > 2015-06-14 11:33:57,530 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> > > 2015-06-14 11:34:00,508 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> > > 2015-06-14 11:34:01,130 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> > > 2015-06-14 11:34:02,100 fail2ban.actions [28524]: NOTICE [sshd] 43.255.188.169 already banned
> > >
> > > and
> > >
> > > Jun 14 11:36:25 kahlo sshd[28890]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
> > > Jun 14 11:36:27 kahlo sshd[28890]: Failed password for invalid user root from 43.255.188.169 port 52618 ssh2
> > > Jun 14 11:36:29 kahlo sshd[28890]: Failed password for invalid user root from 43.255.188.169 port 52618 ssh2
> > > Jun 14 11:36:31 kahlo sshd[28890]: Failed password for invalid user root from 43.255.188.169 port 52618 ssh2
> > > Jun 14 11:36:31 kahlo sshd[28890]: Received disconnect from 43.255.188.169: 11: [preauth]
> > > Jun 14 11:36:31 kahlo sshd[28890]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
> > > Jun 14 11:36:32 kahlo sshd[28892]: User root from 43.255.188.169 not allowed because not listed in AllowUsers
> > > Jun 14 11:36:32 kahlo sshd[28892]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
> > > Jun 14 11:36:34 kahlo sshd[28892]: Failed password for invalid user root from 43.255.188.169 port 38784 ssh2
> > > Jun 14 11:36:36 kahlo sshd[28892]: Failed password for invalid user root from 43.255.188.169 port 38784 ssh2
> > > Jun 14 11:36:37 kahlo sshd[28892]: Failed password for invalid user root from 43.255.188.169 port 38784 ssh2
> > > Jun 14 11:36:37 kahlo sshd[28892]: Received disconnect from 43.255.188.169: 11: [preauth]
> > > Jun 14 11:36:37 kahlo sshd[28892]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
> > > Jun 14 11:36:38 kahlo sshd[28894]: User root from 43.255.188.169 not allowed because not listed in AllowUsers
> > > Jun 14 11:36:38 kahlo sshd[28894]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
> > > Jun 14 11:36:40 kahlo sshd[28894]: Failed password for invalid user root from 43.255.188.169 port 53258 ssh2
> > > Jun 14 11:36:42 kahlo sshd[28894]: Failed password for invalid user root from 43.255.188.169 port 53258 ssh2
> > > Jun 14 11:36:44 kahlo sshd[28894]: Failed password for invalid user root from 43.255.188.169 port 53258 ssh2
> > > Jun 14 11:36:44 kahlo sshd[28894]: Received disconnect from 43.255.188.169: 11: [preauth]
> > > Jun 14 11:36:44 kahlo sshd[28894]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
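As an added illustration of Harry's rule-ordering argument (this is not code from the thread, fail2ban or firewalld), the following models first-match evaluation of Ted's INPUT chain exactly as `iptables -L` lists it, with the zone chains collapsed to IN_public_allow and the fail2ban-default ipset stood in by a Python set. It assumes rule 2 is the unconditional ACCEPT it appears to be, and shows that under that assumption a packet from the banned address never reaches INPUT_direct, while with that rule absent INPUT_direct rejects it.

```python
# Added illustration (not code from the thread, fail2ban or firewalld): a first-match
# walk of Ted's INPUT chain as "iptables -L" prints it; assumes rule 2 is unconditional.
BANNED = {"43.255.188.169"}  # stands in for the fail2ban-default ipset

def any_pkt(p):
    return True

def established(p):
    return p["ctstate"] in ("RELATED", "ESTABLISHED")

def fail2ban_ssh(p):  # the INPUT_direct rule: tcp dport 22, src in the ban set
    return p["proto"] == "tcp" and p["dport"] == 22 and p["src"] in BANNED

def new_ssh(p):  # the IN_public_allow rule: tcp dpt:ssh ctstate NEW
    return p["proto"] == "tcp" and p["dport"] == 22 and p["ctstate"] == "NEW"

# A chain is a list of (match, target); a target naming another chain is a
# jump, ACCEPT/REJECT are terminal. INPUT_ZONES -> IN_public -> IN_public_allow
# is collapsed to the single rule that matters for an ssh packet.
CHAINS = {
    "INPUT": [
        (established, "ACCEPT"),
        (any_pkt, "ACCEPT"),  # rule 2, the one Harry points at
        (any_pkt, "INPUT_direct"),
        (any_pkt, "IN_public_allow"),
        (any_pkt, "REJECT"),  # reject-with icmp-host-prohibited
    ],
    "INPUT_direct": [(fail2ban_ssh, "REJECT")],
    "IN_public_allow": [(new_ssh, "ACCEPT")],
}

def walk(chain, pkt, chains=CHAINS):
    """Return (verdict, chain, rule number) of the first terminal match, or None."""
    for n, (match, target) in enumerate(chains[chain], 1):
        if not match(pkt):
            continue
        if target in chains:  # jump; if that chain returns without a verdict, carry on
            hit = walk(target, pkt, chains)
            if hit is not None:
                return hit
            continue
        return (target, chain, n)
    return None  # fell off the end: the chain policy would apply

def without_rule2():  # the same table with the unconditional ACCEPT removed from INPUT
    return dict(CHAINS, INPUT=[r for i, r in enumerate(CHAINS["INPUT"]) if i != 1])

BANNED_PKT = {"src": "43.255.188.169", "proto": "tcp", "dport": 22, "ctstate": "NEW"}
print("as listed:", walk("INPUT", BANNED_PKT))                    # ('ACCEPT', 'INPUT', 2)
print("rule 2 gone:", walk("INPUT", BANNED_PKT, without_rule2()))  # ('REJECT', 'INPUT_direct', 1)
```

Note that `iptables -L` without `-v` omits interface matches, so a rule printed as `ACCEPT all -- anywhere anywhere` may really be limited to one interface (firewalld's `-i lo` accept prints this way). `iptables -S INPUT` or `iptables -L -v` shows the full rule and is the thing to read before concluding that it shadows INPUT_direct.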
