Ted,

Unless you are running a lot of forwards to a lot of different interfaces, either virtual or real, iptables is pretty simple. If you would like I can send you a copy of my filter table.

Harry.

On Sat, 2015-06-20 at 11:15 -0400, Ted To wrote:
> So after periodically checking the tail of the logs, it seems to be working sometimes (with maxretry=3, new IP addresses show found 3 times, get banned and then found once more) but not others (even previously banned IPs are found 3 times, there is a notice that it's already banned, found 3 times, already banned, etc. and eventually stops). Seems quite strange to me but sounds like something to do with how firewalld works with fail2ban.
>
> Does anyone on the list use fail2ban with shorewall? How has your experience been? Maybe I shouldn't feel intimidated by iptables but I'd much rather use something higher level and I do have some experience with shorewall. For a small scale server, configuration is much simpler.
>
> Thanks,
> Ted
>
> On 06/15/2015 10:03 PM, Harrison Johnson wrote:
> > Ted,
> > Never mind about the multiport, I remembered that wrong; it was all-ports.
> > I read some about firewalld on the Red Hat page, just some high level overview: the *_direct chains are for use by programs, so fail2ban put the rule in the correct place. But it did not go into detail on how the daemon does its thing. It just said that the iptables service is replaced by the firewalld service and that firewalld uses iptables to interact with the kernel and netfilter.
> >
> > On Mon, 2015-06-15 at 19:58 -0500, Harrison Johnson wrote:
> >> Ted,
> >> I personally don't like firewalld; I think it just adds layers of complexity to the issue, but this is just my opinion. It does have advantages with inter-process communications and really comes into its own when you are running a machine with multiple interfaces. This is the classic 6 of one / half a dozen of the other.
> >> Each of your INPUT & FORWARD chains is set to accept a connection by default; this is not a big deal because the last rule in each chain will reject anything that does not match a preceding rule. The first rule in both of the chains accepts any inbound packet that has a related or established connection. But the second rule in each of these chains is, I think, your problem: "ACCEPT all -- anywhere anywhere". In the INPUT chain this rule says 'accept all protocols from any source to any destination from your outside network' and in the FORWARD chain it says 'send any packet to any other network interface you have'. But the firewalld daemon may do some preprocessing that I don't know about that prevents this action. But according to these rules a packet will never be rejected in INPUT or FORWARD because every packet will match rule 2 and be accepted. A packet that does reach the third rule "INPUT_direct all -- anywhere anywhere" will jump to the INPUT_direct chain, and the only rule in that chain does reject a tcp packet from any source to any destination on port 22. I just can't tell you what firewalld does to make this happen. But I can tell you the answer should be in the log file, which should be here: "/var/log/firewalld". You might try this command "firewall-cmd --state" to make sure that firewalld is running and "firewall-cmd --list-all-zones" to see what services, ports and interfaces are associated with the defined zones. And I remember reading something about multiport on the fail2ban wiki; let me see if I can find that. Hope this helps some.
> >>
> >> Harry.
> >>
> >> On Mon, 2015-06-15 at 16:40 -0400, Ted To wrote:
> >>> Hi Harrison,
> >>>
> >>> Here is the output for "iptables -L". FWIW, Centos 7 uses firewalld.
> >>>
> >>> Thanks,
> >>> Ted
> >>>
> >>> Chain INPUT (policy ACCEPT)
> >>> target prot opt source destination
> >>> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
> >>> ACCEPT all -- anywhere anywhere
> >>> INPUT_direct all -- anywhere anywhere
> >>> INPUT_ZONES_SOURCE all -- anywhere anywhere
> >>> INPUT_ZONES all -- anywhere anywhere
> >>> ACCEPT icmp -- anywhere anywhere
> >>> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
> >>>
> >>> Chain FORWARD (policy ACCEPT)
> >>> target prot opt source destination
> >>> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
> >>> ACCEPT all -- anywhere anywhere
> >>> FORWARD_direct all -- anywhere anywhere
> >>> FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
> >>> FORWARD_IN_ZONES all -- anywhere anywhere
> >>> FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
> >>> FORWARD_OUT_ZONES all -- anywhere anywhere
> >>> ACCEPT icmp -- anywhere anywhere
> >>> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
> >>>
> >>> Chain OUTPUT (policy ACCEPT)
> >>> target prot opt source destination
> >>> OUTPUT_direct all -- anywhere anywhere
> >>>
> >>> Chain FORWARD_IN_ZONES (1 references)
> >>> target prot opt source destination
> >>> FWDI_public all -- anywhere anywhere [goto]
> >>> FWDI_public all -- anywhere anywhere [goto]
> >>>
> >>> Chain FORWARD_IN_ZONES_SOURCE (1 references)
> >>> target prot opt source destination
> >>>
> >>> Chain FORWARD_OUT_ZONES (1 references)
> >>> target prot opt source destination
> >>> FWDO_public all -- anywhere anywhere [goto]
> >>> FWDO_public all -- anywhere anywhere [goto]
> >>>
> >>> Chain FORWARD_OUT_ZONES_SOURCE (1 references)
> >>> target prot opt source destination
> >>>
> >>> Chain FORWARD_direct (1 references)
> >>> target prot opt source destination
> >>>
> >>> Chain FWDI_public (2 references)
> >>> target prot opt source destination
> >>> FWDI_public_log all -- anywhere anywhere
> >>> FWDI_public_deny all -- anywhere anywhere
> >>> FWDI_public_allow all -- anywhere anywhere
> >>>
> >>> Chain FWDI_public_allow (1 references)
> >>> target prot opt source destination
> >>>
> >>> Chain FWDI_public_deny (1 references)
> >>> target prot opt source destination
> >>>
> >>> Chain FWDI_public_log (1 references)
> >>> target prot opt source destination
> >>>
> >>> Chain FWDO_public (2 references)
> >>> target prot opt source destination
> >>> FWDO_public_log all -- anywhere anywhere
> >>> FWDO_public_deny all -- anywhere anywhere
> >>> FWDO_public_allow all -- anywhere anywhere
> >>>
> >>> Chain FWDO_public_allow (1 references)
> >>> target prot opt source destination
> >>>
> >>> Chain FWDO_public_deny (1 references)
> >>> target prot opt source destination
> >>>
> >>> Chain FWDO_public_log (1 references)
> >>> target prot opt source destination
> >>>
> >>> Chain INPUT_ZONES (1 references)
> >>> target prot opt source destination
> >>> IN_public all -- anywhere anywhere [goto]
> >>> IN_public all -- anywhere anywhere [goto]
> >>>
> >>> Chain INPUT_ZONES_SOURCE (1 references)
> >>> target prot opt source destination
> >>>
> >>> Chain INPUT_direct (1 references)
> >>> target prot opt source destination
> >>> REJECT tcp -- anywhere anywhere multiport dports ssh match-set fail2ban-default src reject-with icmp-port-unreachable
> >>>
> >>> Chain IN_public (2 references)
> >>> target prot opt source destination
> >>> IN_public_log all -- anywhere anywhere
> >>> IN_public_deny all -- anywhere anywhere
> >>> IN_public_allow all -- anywhere anywhere
> >>>
> >>> Chain IN_public_allow (1 references)
> >>> target prot opt source destination
> >>> ACCEPT tcp -- anywhere anywhere tcp dpt:submission ctstate NEW
> >>> ACCEPT tcp -- anywhere anywhere tcp dpt:smtp ctstate NEW
> >>> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
> >>> ACCEPT tcp -- anywhere anywhere tcp dpt:imaps ctstate NEW
> >>>
> >>> Chain IN_public_deny (1 references)
> >>> target prot opt source destination
> >>>
> >>> Chain IN_public_log (1 references)
> >>> target prot opt source destination
> >>>
> >>> Chain OUTPUT_direct (1 references)
> >>> target prot opt source destination
> >>>
> >>> > Ted,
> >>> > You might have a look at your iptables filter table to see if you are jumping to the chain correctly. Fail2ban does a pretty good job of putting the rules in the filter, but you still might have a rule like a default accept that is allowing the connection before the jail drops/rejects it.
> >>>
> >>> On 06/14/2015 01:33 PM, Arch Architecht wrote:
> >>> > I would check on iptables' order as Harrison said. I did mess around with my bantimes since some hosts have some sort of "intelligent" scanner which tries a few hrs after they are banned or they come back a few days later. My personal bantime is 1234564890 which is long enough for me :D
> >>> >
> >>> > In any case, post an output of your iptables -L or your saved iptables from /etc/sysconfig. I use centos 6 so your file may be elsewhere.
> >>> >
> >>> > Regards,
> >>> > Arch
> >>> >
> >>> > On Jun 14, 2015 7:26 PM, "Ted To" <[email protected]> wrote:
> >>> > >
> >>> > > Hi Arch,
> >>> > >
> >>> > > I null routed that IP address and within a few seconds, another IP address started hitting me. I null routed that IP and it seems to have stopped for the moment. With the exception of specifying a destemail address in jail.local, my configuration is the default Centos 7 epel config with the addition of the jail.d/sshd.local file I posted.
> >>> > >
> >>> > > Why would changing the bantime and findtime affect this behavior? (Just trying to understand.)
> >>> > >
> >>> > > Thanks,
> >>> > > Ted
> >>> > >
> >>> > > On 2015-06-14 12:02 pm, Arch Architecht wrote:
> >>> > > >
> >>> > > > I would null route the ip and check my configs again. You may need to change your bantime and findtime.
> >>> > > >
> >>> > > > Regards,
> >>> > > >
> >>> > > > Arch
> >>> > > > On Jun 14, 2015 5:56 PM, "Ted To" <[email protected]> wrote:
> >>> > > > >
> >>> > > > > Hi,
> >>> > > > >
> >>> > > > > I have a Centos 7 installation where an IP address that has been banned appears to be able to continue to attempt ssh connections. My sshd.local is:
> >>> > > > >
> >>> > > > > [sshd]
> >>> > > > > enabled = true
> >>> > > > > bantime = 86400
> >>> > > > > findtime = 3600
> >>> > > > > maxretry = 3
> >>> > > > > protocol = all
> >>> > > > >
> >>> > > > > Despite this, I am currently being continuously hit by 43.255.188.169 (log snippets follow).
> >>> > > > >
> >>> > > > > Any ideas what I have done wrong?
> >>> > > > >
> >>> > > > > Thanks,
> >>> > > > > Ted
> >>> > > > >
> >>> > > > > 2015-06-14 11:33:46,545 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> >>> > > > > 2015-06-14 11:33:48,350 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> >>> > > > > 2015-06-14 11:33:50,421 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> >>> > > > > 2015-06-14 11:33:51,086 fail2ban.actions [28524]: NOTICE [sshd] 43.255.188.169 already banned
> >>> > > > > 2015-06-14 11:33:53,104 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> >>> > > > > 2015-06-14 11:33:53,734 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> >>> > > > > 2015-06-14 11:33:55,499 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> >>> > > > > 2015-06-14 11:33:56,092 fail2ban.actions [28524]: NOTICE [sshd] 43.255.188.169 already banned
> >>> > > > > 2015-06-14 11:33:57,530 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> >>> > > > > 2015-06-14 11:34:00,508 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> >>> > > > > 2015-06-14 11:34:01,130 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> >>> > > > > 2015-06-14 11:34:02,100 fail2ban.actions [28524]: NOTICE [sshd] 43.255.188.169 already banned
> >>> > > > >
> >>> > > > > and
> >>> > > > >
> >>> > > > > Jun 14 11:36:25 kahlo sshd[28890]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
> >>> > > > > Jun 14 11:36:27 kahlo sshd[28890]: Failed password for invalid user root from 43.255.188.169 port 52618 ssh2
> >>> > > > > Jun 14 11:36:29 kahlo sshd[28890]: Failed password for invalid user root from 43.255.188.169 port 52618 ssh2
> >>> > > > > Jun 14 11:36:31 kahlo sshd[28890]: Failed password for invalid user root from 43.255.188.169 port 52618 ssh2
> >>> > > > > Jun 14 11:36:31 kahlo sshd[28890]: Received disconnect from 43.255.188.169: 11: [preauth]
> >>> > > > > Jun 14 11:36:31 kahlo sshd[28890]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
> >>> > > > > Jun 14 11:36:32 kahlo sshd[28892]: User root from 43.255.188.169 not allowed because not listed in AllowUsers
> >>> > > > > Jun 14 11:36:32 kahlo sshd[28892]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
> >>> > > > > Jun 14 11:36:34 kahlo sshd[28892]: Failed password for invalid user root from 43.255.188.169 port 38784 ssh2
> >>> > > > > Jun 14 11:36:36 kahlo sshd[28892]: Failed password for invalid user root from 43.255.188.169 port 38784 ssh2
> >>> > > > > Jun 14 11:36:37 kahlo sshd[28892]: Failed password for invalid user root from 43.255.188.169 port 38784 ssh2
> >>> > > > > Jun 14 11:36:37 kahlo sshd[28892]: Received disconnect from 43.255.188.169: 11: [preauth]
> >>> > > > > Jun 14 11:36:37 kahlo sshd[28892]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
> >>> > > > > Jun 14 11:36:38 kahlo sshd[28894]: User root from 43.255.188.169 not allowed because not listed in AllowUsers
> >>> > > > > Jun 14 11:36:38 kahlo sshd[28894]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
> >>> > > > > Jun 14 11:36:40 kahlo sshd[28894]: Failed password for invalid user root from 43.255.188.169 port 53258 ssh2
> >>> > > > > Jun 14 11:36:42 kahlo sshd[28894]: Failed password for invalid user root from 43.255.188.169 port 53258 ssh2
> >>> > > > > Jun 14 11:36:44 kahlo sshd[28894]: Failed password for invalid user root from 43.255.188.169 port 53258 ssh2
> >>> > > > > Jun 14 11:36:44 kahlo sshd[28894]: Received disconnect from 43.255.188.169: 11: [preauth]
> >>> > > > > Jun 14 11:36:44 kahlo sshd[28894]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
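The two questions the thread keeps circling, whether a catch-all ACCEPT sits ahead of the jump into fail2ban's chain and whether a ban fail2ban reports is actually stopping packets, can both be answered from text the server already produces. The script below is an added example written for this page, not code from the list, from fail2ban or from firewalld. Its plain `iptables -L` and fail2ban samples are constructed from the output Ted posted; the `iptables -L -v -n` sample is constructed to show the interface column that plain `-L` omits, since an ACCEPT bound to `lo` is not a catch-all and Harrison's reading of rule 2 can only be settled with that column visible. The `fail2ban` marker used to locate the jail's chain, the column layout of both listing forms and the `Ban` / `already banned` message shapes are assumptions based on standard iptables and fail2ban output.

```python
"""Offline checks for the two symptoms in the thread: a catch-all ACCEPT in INPUT that
shadows the jump into fail2ban's chain, and fail2ban still "Finding" an address it has
already banned. Added example, not list code; samples are constructed from the thread."""
import re
from collections import defaultdict

ANY_ADDR = {"anywhere", "0.0.0.0/0"}   # -L prints "anywhere"; -L -n prints 0.0.0.0/0
ANY_IFACE = {"*", "any"}               # -v -n prints "*"; -v alone prints "any"

# Constructed sample in the thread's plain `iptables -L` form (two chains only).
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source     destination
ACCEPT     all  --  anywhere   anywhere   ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere   anywhere
INPUT_direct  all  --  anywhere   anywhere
REJECT     all  --  anywhere   anywhere   reject-with icmp-host-prohibited

Chain INPUT_direct (1 references)
target     prot opt source     destination
REJECT     tcp  --  anywhere   anywhere   multiport dports ssh match-set fail2ban-default src reject-with icmp-port-unreachable
"""

# Constructed `iptables -L -v -n` view of the same ruleset: the interface column,
# which plain -L hides, shows the second ACCEPT is bound to lo.
SAMPLE_IPTABLES_VERBOSE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in  out source     destination
  900 60000 ACCEPT     all  --  *   *   0.0.0.0/0  0.0.0.0/0  ctstate RELATED,ESTABLISHED
   12   720 ACCEPT     all  --  lo  *   0.0.0.0/0  0.0.0.0/0
   40  2400 INPUT_direct  all  --  *   *   0.0.0.0/0  0.0.0.0/0
    0     0 REJECT     all  --  *   *   0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in  out source     destination
    7   420 REJECT     tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  multiport dports 22 match-set fail2ban-default src reject-with icmp-port-unreachable
"""

# Constructed from the fail2ban lines Ted pasted, plus one address that was never banned.
SAMPLE_FAIL2BAN_LOG = """\
2015-06-14 11:33:46,545 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
2015-06-14 11:33:48,350 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
2015-06-14 11:33:51,086 fail2ban.actions [28524]: NOTICE [sshd] 43.255.188.169 already banned
2015-06-14 11:33:53,104 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
2015-06-14 11:33:53,734 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
2015-06-14 11:34:05,000 fail2ban.filter [28524]: INFO [sshd] Found 203.0.113.7
"""


def parse_iptables(text):
    """{chain: [rule dicts]} from `iptables -L` or `-L -v [-n]` text; iface is "*" if absent."""
    chains, current, verbose = {}, None, False
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        f = line.split()
        if not f or current is None:
            continue
        if f[0] in ("target", "pkts"):          # column header; -v adds pkts/bytes/in/out
            verbose = f[0] == "pkts"
            continue
        if verbose:                              # pkts bytes target prot opt in out src dst [extra]
            p = line.split(None, 9)
            rule = dict(target=p[2], prot=p[3], iface=p[5], src=p[7], dst=p[8],
                        extra=p[9] if len(p) > 9 else "")
        else:                                    # target prot opt src dst [extra]
            p = line.split(None, 5)
            rule = dict(target=p[0], prot=p[1], iface="*", src=p[3], dst=p[4],
                        extra=p[5] if len(p) > 5 else "")
        chains[current].append(rule)
    return chains


def find_shadowing_accept(chains, chain="INPUT", ban_marker="fail2ban"):
    """1-based position of a catch-all ACCEPT in `chain` that precedes the jump into the
    chain holding a rule mentioning `ban_marker`; None when the fail2ban chain comes first."""
    ban_chains = {name for name, rules in chains.items()
                  if any(ban_marker in r["extra"] for r in rules)}
    for pos, r in enumerate(chains.get(chain, []), start=1):
        if r["target"] in ban_chains:
            return None                          # fail2ban's chain is consulted first
        if (r["target"] == "ACCEPT" and r["prot"] == "all" and r["iface"] in ANY_IFACE
                and r["src"] in ANY_ADDR and r["dst"] in ANY_ADDR and not r["extra"]):
            return pos
    return None


FOUND_RE = re.compile(r"\[(\S+)\] Found (\S+)\s*$")
BAN_RE = re.compile(r"\[(\S+)\] (?:Ban (\S+)|(\S+) already banned)\s*$")


def ineffective_bans(log_text):
    """{(jail, ip): n} counting "Found" lines for an address after fail2ban reported it
    banned; a ban that really blocks packets produces no such lines."""
    banned, hits = set(), defaultdict(int)
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if m:
            banned.add((m.group(1), m.group(2) or m.group(3)))
            continue
        m = FOUND_RE.search(line)
        if m and (m.group(1), m.group(2)) in banned:
            hits[(m.group(1), m.group(2))] += 1
    return dict(hits)


if __name__ == "__main__":
    for label, sample in (("-L", SAMPLE_IPTABLES), ("-L -v -n", SAMPLE_IPTABLES_VERBOSE)):
        pos = find_shadowing_accept(parse_iptables(sample))
        print(f"iptables {label}: " + (f"INPUT rule {pos} is a catch-all ACCEPT ahead of "
                                       "the fail2ban jump" if pos else "fail2ban chain is reached first"))
    for (jail, ip), n in ineffective_bans(SAMPLE_FAIL2BAN_LOG).items():
        print(f"[{jail}] {ip}: still Found {n} times after being banned")
```

Run as-is to see both samples evaluated: the plain listing flags rule 2, the verbose listing of the same rules does not, because the interface column shows that ACCEPT only applies to `lo`. On a real host, feed `parse_iptables` the text of `iptables -L -v -n` rather than plain `-L`, and `ineffective_bans` the tail of the fail2ban log. A non-empty result from `ineffective_bans` means the jail fired but the filter rule is not matching the traffic, which is exactly when the chain-order check, or firewalld's own log, is worth reading.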
