You didn't provide your jail so I'm just guessing:
You should use one of the iptables actions instead of firewallcmd.
For my Shorewall setup, I define my ipsets in /etc/shorewall/init:
ipset -exist create fail2ban-IpPort hash:ip,port timeout 3600
ipset -exist create fail2ban-Ip hash:ip timeout 86400
I don't have 'actionunban' defined; I just let the ipset timeout value expire
which removes the entry.
/etc/fail2ban/action.d/my_ipset_ip.conf (IP blocking):
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
actioncheck =
actionstart =
actionstop =
actionban = ipset add fail2ban-<name> <ip> timeout <my_timeout> -exist
#actionunban = ipset del fail2ban-<name> <ip> -exist
actionunban =
[Init]
name = Ip
port = ssh
protocol = tcp
my_timeout = 3600
/etc/fail2ban/action.d/my_ipset_ipport.conf (IP and port blocking):
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
actioncheck =
actionstart =
actionstop =
actionban = ipset add fail2ban-<name> <ip>,<protocol>:<port> timeout <my_timeout> -exist
#actionunban = ipset del fail2ban-<name> <ip>,<protocol>:<port> -exist
actionunban =
[Init]
name = IpPort
port = http
protocol = tcp
my_timeout = 3600
and a jail.local entry:
[postfix-sasl]
#enabled = false
enabled = true
filter = sasl
action = my_ipset_ipport[port=smtp, my_timeout=14400]
         my_ipset_ipport2[port=smtps, my_timeout=14400]
         my_ipset_ipport3[port=submission, my_timeout=14400]
logpath = /var/log/maillog
maxretry = 2
bantime = 60
findtime = 7200
Note that my_ipset_ipport{2,3} are symlinks to my_ipset_ipport since
fail2ban won't repeat an action. Also, with a short 'bantime' if an attacker
keeps banging the port, he'll just keep resetting the timeout back to
'my_timeout'.
I have two additional ipsets for Shorewall's use:
ipset -exist create IpPort3600 hash:ip,port timeout 3600
ipset -exist create IpOneDay hash:ip timeout 86400
/etc/shorewall/rules:
DROP inet:+IpPort3600[src,dst] fw
DROP inet:+IpOneDay[src,dst] fw
ADD(+IpPort3600:src,dst):info:ADD,IpPort3600 inet fw tcp,udp domain
ADD(+IpOneDay:src):info:ADD,IpOneDay inet fw tcp ftp,sftp,ssh,telnet,telnets,exec,login,shell
ADD(+IpOneDay:src):info:ADD,IpOneDay inet fw tcp mysql
ADD(+IpOneDay:src):info:ADD,IpOneDay inet fw udp http,https   # no such udp service
ADD(+IpOneDay:src):info:ADD,IpOneDay inet fw tcp 8080,8443
ADD(+IpOneDay:src):info:ADD,IpOneDay inet fw tcp 5900   # vnc
ADD(+IpOneDay:src):info:ADD,IpOneDay inet fw tcp,udp ms-sql-s,ms-sql-m
ADD(+IpOneDay:src):info:ADD,IpOneDay inet fw tcp 3389   # rdp
DROP inet:+IpPort3600[src,dst] fw
DROP inet:+IpOneDay[src,dst] fw
Attackers get logged once and thereafter are silently dropped until their
timeout is reached.
HTH,
Bill
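Added example, not code from the post or from fail2ban itself: it renders the ipset command that an action file like my_ipset_ipport.conf produces for each action line of the jail, following the post's usage where [Init] supplies default tag values and the jail's [key=value] arguments override them. Useful for checking the exact command (and the ipset name) before wiring the ipset into Shorewall; IPPORT_CONF is a constructed, trimmed copy of the post's action file, and the action names and IP are assumed.

```python
import configparser
import re

# Constructed from the post's my_ipset_ipport.conf, trimmed to the parts used here.
IPPORT_CONF = """\
[Definition]
actionban = ipset add fail2ban-<name> <ip>,<protocol>:<port> timeout <my_timeout> -exist
actionunban =
[Init]
name = IpPort
port = http
protocol = tcp
my_timeout = 3600
"""

ACTION_SPEC = re.compile(r"^\s*(?P<name>[\w.-]+)\s*(?:\[(?P<args>[^\]]*)\])?\s*$")
TAG = re.compile(r"<(\w+)>")

def parse_action_spec(spec):
    """'my_ipset_ipport[port=smtp, my_timeout=14400]' -> ('my_ipset_ipport', {...})."""
    m = ACTION_SPEC.match(spec)
    if not m:
        raise ValueError(f"malformed action spec: {spec!r}")
    overrides = {}
    for item in filter(str.strip, (m.group("args") or "").split(",")):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"argument without '=': {item.strip()!r}")
        overrides[key.strip().lower()] = value.strip()
    return m.group("name"), overrides

def render_ban(conf_text, overrides, ip):
    """Fill <tag>s in actionban: [Init] gives defaults, jail [key=value] args override,
    <ip> comes from the banned ticket. An unknown tag raises KeyError."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    tags = {**cp["Init"], **overrides, "ip": ip}  # configparser lowercases keys
    return TAG.sub(lambda m: tags[m.group(1).lower()], cp["Definition"]["actionban"])

def render_jail(action_files, jail_action_lines, ip):
    """One command per jail action line; action_files maps action name -> conf text
    (the post's symlinks all resolve to one file). A repeated name is rejected."""
    seen, commands = set(), []
    for line in jail_action_lines:
        name, overrides = parse_action_spec(line)
        if name in seen:
            raise ValueError(f"action {name!r} listed twice in jail")
        seen.add(name)
        commands.append(render_ban(action_files[name], overrides, ip))
    return commands
```

Feeding the three action lines of the [postfix-sasl] jail through render_jail shows why the symlinked copies are needed: the same name twice is refused, while distinct names yield one ipset add per port, each with the 14400 second timeout.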
On 2/2/2016 10:31 AM, Alex wrote:
Hi,
I'm receiving a ton of attempts to reach services on my network for
hosts and/or services that don't exist, presumably in an attempt to
compromise those services.
It's at the point where it's consuming a sizable amount of bandwidth.
I've tried to write a fail2ban rule on the firewall, which also has
shorewall installed, but it won't start because I don't have firewalld
also running.
Is it possible to use fail2ban without firewalld? I don't need
firewalld running on a host where there is already shorewall running.
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m
multiport --dports domain -m set --match-set fail2ban-firewall src -j
REJECT --reject-with icmp-port-unreachable -- returned 252
2016-02-02 10:25:32,258 fail2ban.actions [23608]: ERROR
Failed to start jail 'firewall' action 'firewallcmd-ipset': Error
starting action
Thanks,
Alex
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users