So after periodically checking the tail of the logs, it seems to be working sometimes (with maxretry=3, new IP addresses show as found 3 times, get banned and then are found once more) but not others (even previously banned IPs are found 3 times, there is a notice that it's already banned, found 3 times, already banned, etc. and eventually it stops). Seems quite strange to me but sounds like something to do with how firewalld works with fail2ban.

Does anyone on the list use fail2ban with shorewall? How has your experience been? Maybe I shouldn't feel intimidated by iptables but I'd much rather use something higher level and I do have some experience with shorewall. For a small scale server, configuration is much simpler.

Thanks,
Ted

On 06/15/2015 10:03 PM, Harrison Johnson wrote:
> Ted,
> Never mind about the multiport; I remembered that wrong, it was all-ports.
> I read some about firewalld on the Red Hat page, just some high level overview: the *_direct chains are for use by programs, so fail2ban put the rule in the correct place. But it did not go into detail on how the daemon does its thing. It just said that the iptables service is replaced by the firewalld service and that firewalld uses iptables to interact with the kernel and netfilter.
>
> On Mon, 2015-06-15 at 19:58 -0500, Harrison Johnson wrote:
>> Ted,
>> I personally don't like firewalld; I think it just adds layers of complexity to the issue, but this is just my opinion. It does have advantages with inter-process communications and really comes into its own when you are running a machine with multiple interfaces. This is the classic 6 of one / half a dozen of the other.
>> Each of your INPUT & FORWARD chains is set to accept a connection by default; this is not a big deal because the last rule in each chain will reject anything that does not match a preceding rule. The first rule in both of the chains accepts any inbound packet that has a related or established connection. But the second rule in each of these chains is, I think, your problem: "ACCEPT all -- anywhere anywhere". In the INPUT chain this rule says 'accept all protocols from any source to any destination from your outside network' and in the FORWARD chain it says 'send any packet to any other network interface you have'. But the firewalld daemon may do some preprocessing that I don't know about that prevents this action.
>> But according to these rules a packet will never be rejected in the INPUT or FORWARD because every packet will match rule 2 and be accepted. A packet that does reach the third rule "INPUT_direct all -- anywhere anywhere" will jump to the INPUT_direct chain and the only rule in that chain does reject a tcp packet from any source to any destination on port 22. I just can't tell you what firewalld does to make this happen. But I can tell you the answer should be in the log file, which should be here: "/var/log/firewalld". You might try this command "firewall-cmd --state" to make sure that firewalld is running and "firewall-cmd --list-all-zones" to see what services, ports and interfaces are associated with the defined zones. And I remember reading something about multiport on the fail2ban wiki, let me see if I can find that. Hope this helps some.
>>
>> Harry.
>>
>> On Mon, 2015-06-15 at 16:40 -0400, Ted To wrote:
>>> Hi Harrison,
>>>
>>> Here is the output for "iptables -L". FWIW, Centos 7 uses firewalld.
>>>
>>> Thanks,
>>> Ted
>>>
>>> Chain INPUT (policy ACCEPT)
>>> target                    prot opt source               destination
>>> ACCEPT                    all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
>>> ACCEPT                    all  --  anywhere             anywhere
>>> INPUT_direct              all  --  anywhere             anywhere
>>> INPUT_ZONES_SOURCE        all  --  anywhere             anywhere
>>> INPUT_ZONES               all  --  anywhere             anywhere
>>> ACCEPT                    icmp --  anywhere             anywhere
>>> REJECT                    all  --  anywhere             anywhere             reject-with icmp-host-prohibited
>>>
>>> Chain FORWARD (policy ACCEPT)
>>> target                    prot opt source               destination
>>> ACCEPT                    all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
>>> ACCEPT                    all  --  anywhere             anywhere
>>> FORWARD_direct            all  --  anywhere             anywhere
>>> FORWARD_IN_ZONES_SOURCE   all  --  anywhere             anywhere
>>> FORWARD_IN_ZONES          all  --  anywhere             anywhere
>>> FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
>>> FORWARD_OUT_ZONES         all  --  anywhere             anywhere
>>> ACCEPT                    icmp --  anywhere             anywhere
>>> REJECT                    all  --  anywhere             anywhere             reject-with icmp-host-prohibited
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target                    prot opt source               destination
>>> OUTPUT_direct             all  --  anywhere             anywhere
>>>
>>> Chain FORWARD_IN_ZONES (1 references)
>>> target                    prot opt source               destination
>>> FWDI_public               all  --  anywhere             anywhere             [goto]
>>> FWDI_public               all  --  anywhere             anywhere             [goto]
>>>
>>> Chain FORWARD_IN_ZONES_SOURCE (1 references)
>>> target                    prot opt source               destination
>>>
>>> Chain FORWARD_OUT_ZONES (1 references)
>>> target                    prot opt source               destination
>>> FWDO_public               all  --  anywhere             anywhere             [goto]
>>> FWDO_public               all  --  anywhere             anywhere             [goto]
>>>
>>> Chain FORWARD_OUT_ZONES_SOURCE (1 references)
>>> target                    prot opt source               destination
>>>
>>> Chain FORWARD_direct (1 references)
>>> target                    prot opt source               destination
>>>
>>> Chain FWDI_public (2 references)
>>> target                    prot opt source               destination
>>> FWDI_public_log           all  --  anywhere             anywhere
>>> FWDI_public_deny          all  --  anywhere             anywhere
>>> FWDI_public_allow         all  --  anywhere             anywhere
>>>
>>> Chain FWDI_public_allow (1 references)
>>> target                    prot opt source               destination
>>>
>>> Chain FWDI_public_deny (1 references)
>>> target                    prot opt source               destination
>>>
>>> Chain FWDI_public_log (1 references)
>>> target                    prot opt source               destination
>>>
>>> Chain FWDO_public (2 references)
>>> target                    prot opt source               destination
>>> FWDO_public_log           all  --  anywhere             anywhere
>>> FWDO_public_deny          all  --  anywhere             anywhere
>>> FWDO_public_allow         all  --  anywhere             anywhere
>>>
>>> Chain FWDO_public_allow (1 references)
>>> target                    prot opt source               destination
>>>
>>> Chain FWDO_public_deny (1 references)
>>> target                    prot opt source               destination
>>>
>>> Chain FWDO_public_log (1 references)
>>> target                    prot opt source               destination
>>>
>>> Chain INPUT_ZONES (1 references)
>>> target                    prot opt source               destination
>>> IN_public                 all  --  anywhere             anywhere             [goto]
>>> IN_public                 all  --  anywhere             anywhere             [goto]
>>>
>>> Chain INPUT_ZONES_SOURCE (1 references)
>>> target                    prot opt source               destination
>>>
>>> Chain INPUT_direct (1 references)
>>> target                    prot opt source               destination
>>> REJECT                    tcp  --  anywhere             anywhere             multiport dports ssh match-set fail2ban-default src reject-with icmp-port-unreachable
>>>
>>> Chain IN_public (2 references)
>>> target                    prot opt source               destination
>>> IN_public_log             all  --  anywhere             anywhere
>>> IN_public_deny            all  --  anywhere             anywhere
>>> IN_public_allow           all  --  anywhere             anywhere
>>>
>>> Chain IN_public_allow (1 references)
>>> target                    prot opt source               destination
>>> ACCEPT                    tcp  --  anywhere             anywhere             tcp dpt:submission ctstate NEW
>>> ACCEPT                    tcp  --  anywhere             anywhere             tcp dpt:smtp ctstate NEW
>>> ACCEPT                    tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
>>> ACCEPT                    tcp  --  anywhere             anywhere             tcp dpt:imaps ctstate NEW
>>>
>>> Chain IN_public_deny (1 references)
>>> target                    prot opt source               destination
>>>
>>> Chain IN_public_log (1 references)
>>> target                    prot opt source               destination
>>>
>>> Chain OUTPUT_direct (1 references)
>>> target                    prot opt source               destination
>>>
>>> > Ted,
>>> > You might have a look at your iptables filter table to see if you are jumping to the chain correctly. Fail2ban does a pretty good job of putting the rules in the filter, but you still might have a rule like a default accept that is allowing the connection before the jail drops/rejects it.
>>>
>>> On 06/14/2015 01:33 PM, Arch Architecht wrote:
>>> > I would check on iptables' order as Harrison said. I did mess around with my bantimes since some hosts have some sort of "intelligent" scanner which tries a few hrs after they are banned or they come back a few days later. My personal bantime is 1234564890 which is long enough for me :D
>>> >
>>> > In any case, post an output of your iptables -L or your saved iptables from /etc/sysconfig. I use centos 6 so your file may be elsewhere.
>>> >
>>> > Regards,
>>> > Arch
>>> >
>>> > On Jun 14, 2015 7:26 PM, "Ted To" <[email protected]> wrote:
>>> >
>>> > Hi Arch,
>>> >
>>> > I null routed that IP address and within a few seconds, another IP address started hitting me. I null routed that IP and it seems to have stopped for the moment. With the exception of specifying a destemail address in jail.local, my configuration is the default Centos 7 epel config with the addition of the jail.d/sshd.local file I posted.
>>> >
>>> > Why would changing the bantime and findtime affect this behavior? (Just trying to understand.)
>>> >
>>> > Thanks,
>>> > Ted
>>> >
>>> > On 2015-06-14 12:02 pm, Arch Architecht wrote:
>>> >
>>> > I would null route the ip and check my configs again. You may need to change your bantime and findtime.
>>> >
>>> > Regards,
>>> >
>>> > Arch
>>> >
>>> > On Jun 14, 2015 5:56 PM, "Ted To" <[email protected]> wrote:
>>> >
>>> > Hi,
>>> >
>>> > I have a Centos 7 installation where an IP address that has been banned appears to be able to continue to attempt ssh connections. My sshd.local is:
>>> >
>>> > [sshd]
>>> > enabled = true
>>> > bantime = 86400
>>> > findtime = 3600
>>> > maxretry = 3
>>> > protocol = all
>>> >
>>> > Despite this, I am currently being continuously hit by 43.255.188.169 (log snippets follow).
>>> >
>>> > Any ideas what I have done wrong?
>>> >
>>> > Thanks,
>>> > Ted
>>> >
>>> > 2015-06-14 11:33:46,545 fail2ban.filter  [28524]: INFO    [sshd] Found 43.255.188.169
>>> > 2015-06-14 11:33:48,350 fail2ban.filter  [28524]: INFO    [sshd] Found 43.255.188.169
>>> > 2015-06-14 11:33:50,421 fail2ban.filter  [28524]: INFO    [sshd] Found 43.255.188.169
>>> > 2015-06-14 11:33:51,086 fail2ban.actions [28524]: NOTICE  [sshd] 43.255.188.169 already banned
>>> > 2015-06-14 11:33:53,104 fail2ban.filter  [28524]: INFO    [sshd] Found 43.255.188.169
>>> > 2015-06-14 11:33:53,734 fail2ban.filter  [28524]: INFO    [sshd] Found 43.255.188.169
>>> > 2015-06-14 11:33:55,499 fail2ban.filter  [28524]: INFO    [sshd] Found 43.255.188.169
>>> > 2015-06-14 11:33:56,092 fail2ban.actions [28524]: NOTICE  [sshd] 43.255.188.169 already banned
>>> > 2015-06-14 11:33:57,530 fail2ban.filter  [28524]: INFO    [sshd] Found 43.255.188.169
>>> > 2015-06-14 11:34:00,508 fail2ban.filter  [28524]: INFO    [sshd] Found 43.255.188.169
>>> > 2015-06-14 11:34:01,130 fail2ban.filter  [28524]: INFO    [sshd] Found 43.255.188.169
>>> > 2015-06-14 11:34:02,100 fail2ban.actions [28524]: NOTICE  [sshd] 43.255.188.169 already banned
>>> >
>>> > and
>>> >
>>> > Jun 14 11:36:25 kahlo sshd[28890]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
>>> > Jun 14 11:36:27 kahlo sshd[28890]: Failed password for invalid user root from 43.255.188.169 port 52618 ssh2
>>> > Jun 14 11:36:29 kahlo sshd[28890]: Failed password for invalid user root from 43.255.188.169 port 52618 ssh2
>>> > Jun 14 11:36:31 kahlo sshd[28890]: Failed password for invalid user root from 43.255.188.169 port 52618 ssh2
>>> > Jun 14 11:36:31 kahlo sshd[28890]: Received disconnect from 43.255.188.169: 11: [preauth]
>>> > Jun 14 11:36:31 kahlo sshd[28890]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
>>> > Jun 14 11:36:32 kahlo sshd[28892]: User root from 43.255.188.169 not allowed because not listed in AllowUsers
>>> > Jun 14 11:36:32 kahlo sshd[28892]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
>>> > Jun 14 11:36:34 kahlo sshd[28892]: Failed password for invalid user root from 43.255.188.169 port 38784 ssh2
>>> > Jun 14 11:36:36 kahlo sshd[28892]: Failed password for invalid user root from 43.255.188.169 port 38784 ssh2
>>> > Jun 14 11:36:37 kahlo sshd[28892]: Failed password for invalid user root from 43.255.188.169 port 38784 ssh2
>>> > Jun 14 11:36:37 kahlo sshd[28892]: Received disconnect from 43.255.188.169: 11: [preauth]
>>> > Jun 14 11:36:37 kahlo sshd[28892]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
>>> > Jun 14 11:36:38 kahlo sshd[28894]: User root from 43.255.188.169 not allowed because not listed in AllowUsers
>>> > Jun 14 11:36:38 kahlo sshd[28894]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
>>> > Jun 14 11:36:40 kahlo sshd[28894]: Failed password for invalid user root from 43.255.188.169 port 53258 ssh2
>>> > Jun 14 11:36:42 kahlo sshd[28894]: Failed password for invalid user root from 43.255.188.169 port 53258 ssh2
>>> > Jun 14 11:36:44 kahlo sshd[28894]: Failed password for invalid user root from 43.255.188.169 port 53258 ssh2
>>> > Jun 14 11:36:44 kahlo sshd[28894]: Received disconnect from 43.255.188.169: 11: [preauth]
>>> > Jun 14 11:36:44 kahlo sshd[28894]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root

------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
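The symptom in Ted's logs (fail2ban keeps reporting the address as "already banned" while sshd keeps logging fresh failures from it) can be checked mechanically from the two logs. The following is an added example, not code from the thread or from fail2ban: it pairs fail2ban's "Ban" notices with sshd's "Failed password" lines and reports every banned IP that still opened a new TCP connection (a source port not seen before the ban) afterwards, which is what an unreached REJECT rule looks like. The sample lines, the documentation-range addresses and the syslog year are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample input modelled on the two logs quoted in the thread
# (documentation-range addresses; not the real incident's values).
FAIL2BAN_LOG = """\
2015-06-14 11:30:01,000 fail2ban.actions [28524]: NOTICE [sshd] Ban 192.0.2.10
2015-06-14 11:33:51,086 fail2ban.actions [28524]: NOTICE [sshd] 192.0.2.10 already banned
2015-06-14 11:35:00,000 fail2ban.actions [28524]: NOTICE [sshd] Ban 198.51.100.7
"""
SSHD_LOG = """\
Jun 14 11:29:58 kahlo sshd[28880]: Failed password for invalid user root from 192.0.2.10 port 52600 ssh2
Jun 14 11:34:50 kahlo sshd[28900]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Jun 14 11:35:03 kahlo sshd[28900]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Jun 14 11:36:27 kahlo sshd[28890]: Failed password for invalid user root from 192.0.2.10 port 52618 ssh2
Jun 14 11:36:34 kahlo sshd[28892]: Failed password for invalid user root from 192.0.2.10 port 38784 ssh2
"""

BAN_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions"
                    r"\s+\[\d+\]: NOTICE\s+\[\w+\] Ban (?P<ip>\S+)$")
FAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password"
                     r" for .* from (?P<ip>\S+) port (?P<port>\d+) ssh2$")


def unenforced_bans(fail2ban_log, sshd_log, year=2015):
    """Return {ip: [(time, port), ...]} for every banned IP that opened NEW ssh
    connections after its ban. `year` is assumed: syslog lines carry no year."""
    bans = {}  # ip -> datetime of its first "Ban" action
    for line in fail2ban_log.splitlines():
        m = BAN_RE.match(line)
        if m and m.group("ip") not in bans:
            bans[m.group("ip")] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    events = []
    for line in sshd_log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("ip"), int(m.group("port"))))
    pre_ban_ports, findings = {}, {}
    for ts, ip, port in sorted(events):
        if ip not in bans:
            continue  # never banned; nothing to check
        if ts <= bans[ip]:
            pre_ban_ports.setdefault(ip, set()).add(port)
        elif port not in pre_ban_ports.get(ip, set()):
            # A source port not seen before the ban is a new TCP connection the
            # firewall accepted after the ban, i.e. the REJECT rule was never hit.
            findings.setdefault(ip, []).append((ts.strftime("%H:%M:%S"), port))
    return findings
```

Failures on a connection that was already open at ban time are deliberately not flagged, because the RELATED,ESTABLISHED rule at the top of INPUT in the listing above lets an in-flight session run to completion even when the ban is working.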
