Hello,

I've installed fail2ban on my webserver nodes, which sit behind a load balancer. The system is Ubuntu 14.04, fail2ban is version v0.9.4.

I noticed that fail2ban seems to "recover" from time to time, reloading firewall rules from some persistent database. The problem: when this happens, the NAT firewall rules necessary for a working load balancer setup vanish - they seem to be deleted.

My theory: fail2ban deletes all rules and "restores" them from the fail2ban database, which does not take the NAT rules into account. Result: the nodes become unreachable and the load balancer drops them.

My question: how can I prevent fail2ban from destroying my NAT firewall rules?

Those (deleted) rules are:

root@xxx:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             185.55.xxx.xxx       tcp dpt:http to:185.55.xxx.xxx:80
DNAT       tcp  --  anywhere             185.55.xxx.xxx       tcp dpt:https to:185.55.xxx.xxx:443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Thank you for your help!

Best regards,
Alexander

In the log file this reads as:

<snip>
2016-04-05 18:09:43,391 fail2ban.filter [5625]: INFO [ssh] Found 58.218.xxx.xxx
2016-04-05 18:09:43,392 fail2ban.filter [5625]: INFO [sshd] Found 58.218.xxx.xxx
2016-04-05 18:09:51,180 fail2ban.filter [5625]: INFO [sshd] Found 58.218.xxx.xxx
2016-04-05 18:09:51,181 fail2ban.filter [5625]: INFO [ssh] Found 58.218.xxx.xxx
2016-04-05 18:09:51,804 fail2ban.actions [5625]: NOTICE [sshd] Ban 58.218.xxx.xxx
2016-04-05 18:09:53,137 fail2ban.filter [5625]: INFO [ssh] Found 58.218.xxx.xxx
2016-04-05 18:09:53,138 fail2ban.filter [5625]: INFO [sshd] Found 58.218.xxx.xxx
2016-04-05 18:18:40,190 fail2ban.server [3433]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.4
2016-04-05 18:18:40,198 fail2ban.database [3433]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'

Afterwards, the jails are re-initiated:

2016-04-05 18:18:40,207 fail2ban.jail [3433]: INFO Creating new jail 'sshd'
2016-04-05 18:18:40,228 fail2ban.jail [3433]: INFO Jail 'sshd' uses pyinotify
2016-04-05 18:18:40,238 fail2ban.filter [3433]: INFO Set jail log file encoding to ANSI_X3.4-1968
2016-04-05 18:18:40,241 fail2ban.jail [3433]: INFO Initiated 'pyinotify' backend
2016-04-05 18:18:40,256 fail2ban.filter [3433]: INFO Added logfile = /var/log/auth.log
2016-04-05 18:18:40,261 fail2ban.filter [3433]: INFO Set maxRetry = 3
2016-04-05 18:18:40,262 fail2ban.filter [3433]: INFO Set jail log file encoding to ANSI_X3.4-1968
2016-04-05 18:18:40,262 fail2ban.actions [3433]: INFO Set banTime = 7200
2016-04-05 18:18:40,262 fail2ban.filter [3433]: INFO Set findtime = 600
2016-04-05 18:18:40,263 fail2ban.filter [3433]: INFO Set maxlines = 10
2016-04-05 18:18:40,297 fail2ban.server [3433]: INFO Jail sshd is not a JournalFilter instance
2016-04-05 18:18:40,302 fail2ban.jail [3433]: INFO Creating new jail 'apache-badbots'
2016-04-05 18:18:40,302 fail2ban.jail [3433]: INFO Jail 'apache-badbots' uses pyinotify
2016-04-05 18:18:40,303 fail2ban.filter [3433]: INFO Set jail log file encoding to ANSI_X3.4-1968
2016-04-05 18:18:40,306 fail2ban.jail [3433]: INFO Initiated 'pyinotify' backend
2016-04-05 18:18:40,320 fail2ban.filter [3433]: INFO Added logfile = /var/log/apache2/error.log
2016-04-05 18:18:40,326 fail2ban.filter [3433]: INFO Set maxRetry = 2
2016-04-05 18:18:40,326 fail2ban.filter [3433]: INFO Set jail log file encoding to ANSI_X3.4-1968
2016-04-05 18:18:40,326 fail2ban.actions [3433]: INFO Set banTime = 172800
2016-04-05 18:18:40,327 fail2ban.filter [3433]: INFO Set findtime = 600
2016-04-05 18:18:40,337 fail2ban.jail [3433]: INFO Creating new jail 'apache-overflows'
2016-04-05 18:18:40,338 fail2ban.jail [3433]: INFO Jail 'apache-overflows' uses pyinotify
2016-04-05 18:18:40,338 fail2ban.filter [3433]: INFO Set jail log file encoding to ANSI_X3.4-1968
2016-04-05 18:18:40,341 fail2ban.jail [3433]: INFO Initiated 'pyinotify' backend
2016-04-05 18:18:40,356 fail2ban.filter [3433]: INFO Added logfile = /var/log/apache2/error.log
2016-04-05 18:18:40,361 fail2ban.filter [3433]: INFO Set maxRetry = 2
2016-04-05 18:18:40,362 fail2ban.filter [3433]: INFO Set jail log file encoding to ANSI_X3.4-1968
2016-04-05 18:18:40,362 fail2ban.actions [3433]: INFO Set banTime = 7200
2016-04-05 18:18:40,363 fail2ban.filter [3433]: INFO Set findtime = 600
2016-04-05 18:18:40,370 fail2ban.jail [3433]: INFO Creating new jail 'apache-nohome'
2016-04-05 18:18:40,370 fail2ban.jail [3433]: INFO Jail 'apache-nohome' uses pyinotify
2016-04-05 18:18:40,371 fail2ban.filter [3433]: INFO Set jail log file encoding to ANSI_X3.4-1968
2016-04-05 18:18:40,373 fail2ban.jail [3433]: INFO Initiated 'pyinotify' backend
2016-04-05 18:18:40,385 fail2ban.filter [3433]: INFO Added logfile = /var/log/apache2/error.log
2016-04-05 18:18:40,389 fail2ban.filter [3433]: INFO Set maxRetry = 2
2016-04-05 18:18:40,390 fail2ban.filter [3433]: INFO Set jail log file encoding to ANSI_X3.4-1968
2016-04-05 18:18:40,390 fail2ban.actions [3433]: INFO Set banTime = 7200
2016-04-05 18:18:40,391 fail2ban.filter [3433]: INFO Set findtime = 600
2016-04-05 18:18:40,397 fail2ban.jail [3433]: INFO Creating new jail 'php-url-fopen'
2016-04-05 18:18:40,397 fail2ban.jail [3433]: INFO Jail 'php-url-fopen' uses pyinotify
2016-04-05 18:18:40,398 fail2ban.filter [3433]: INFO Set jail log file encoding to ANSI_X3.4-1968
2016-04-05 18:18:40,400 fail2ban.jail [3433]: INFO Initiated 'pyinotify' backend
2016-04-05 18:18:40,413 fail2ban.filter [3433]: INFO Added logfile = /var/log/apache2/other_vhosts_access.log
2016-04-05 18:18:40,425 fail2ban.filter [3433]: INFO Added logfile = /var/log/apache2/access.log
2016-04-05 18:18:40,431 fail2ban.filter [3433]: INFO Set maxRetry = 3
2016-04-05 18:18:40,431 fail2ban.filter [3433]: INFO Set jail log file encoding to ANSI_X3.4-1968
2016-04-05 18:18:40,431 fail2ban.actions [3433]: INFO Set banTime = 7200
2016-04-05 18:18:40,432 fail2ban.filter [3433]: INFO Set findtime = 600
2016-04-05 18:18:40,438 fail2ban.jail [3433]: INFO Creating new jail 'ssh'
2016-04-05 18:18:40,438 fail2ban.jail [3433]: INFO Jail 'ssh' uses pyinotify
2016-04-05 18:18:40,439 fail2ban.filter [3433]: INFO Set jail log file encoding to ANSI_X3.4-1968
2016-04-05 18:18:40,442 fail2ban.jail [3433]: INFO Initiated 'pyinotify' backend
2016-04-05 18:18:40,456 fail2ban.filter [3433]: INFO Added logfile = /var/log/auth.log
2016-04-05 18:18:40,461 fail2ban.filter [3433]: INFO Set maxRetry = 6
2016-04-05 18:18:40,461 fail2ban.filter [3433]: INFO Set jail log file encoding to ANSI_X3.4-1968
2016-04-05 18:18:40,462 fail2ban.actions [3433]: INFO Set banTime = 7200
2016-04-05 18:18:40,462 fail2ban.filter [3433]: INFO Set findtime = 600
2016-04-05 18:18:40,462 fail2ban.filter [3433]: INFO Set maxlines = 10
2016-04-05 18:18:40,482 fail2ban.server [3433]: INFO Jail ssh is not a JournalFilter instance
2016-04-05 18:18:40,489 fail2ban.jail [3433]: INFO Creating new jail 'apache'
2016-04-05 18:18:40,489 fail2ban.jail [3433]: INFO Jail 'apache' uses pyinotify
2016-04-05 18:18:40,490 fail2ban.filter [3433]: INFO Set jail log file encoding to ANSI_X3.4-1968
2016-04-05 18:18:40,493 fail2ban.jail [3433]: INFO Initiated 'pyinotify' backend
2016-04-05 18:18:40,508 fail2ban.filter [3433]: INFO Added logfile = /var/log/apache2/error.log
2016-04-05 18:18:40,513 fail2ban.filter [3433]: INFO Set maxRetry = 5
2016-04-05 18:18:40,514 fail2ban.filter [3433]: INFO Set jail log file encoding to ANSI_X3.4-1968
2016-04-05 18:18:40,514 fail2ban.actions [3433]: INFO Set banTime = 7200
2016-04-05 18:18:40,514 fail2ban.filter [3433]: INFO Set findtime = 600
2016-04-05 18:18:40,535 fail2ban.jail [3433]: INFO Creating new jail 'hn-apache-retry-ban'
2016-04-05 18:18:40,535 fail2ban.jail [3433]: INFO Jail 'hn-apache-retry-ban' uses pyinotify
2016-04-05 18:18:40,536 fail2ban.filter [3433]: INFO Set jail log file encoding to ANSI_X3.4-1968
2016-04-05 18:18:40,539 fail2ban.jail [3433]: INFO Initiated 'pyinotify' backend
2016-04-05 18:18:40,553 fail2ban.filter [3433]: INFO Added logfile = /var/log/apache2/access.log
2016-04-05 18:18:40,559 fail2ban.filter [3433]: INFO Set maxRetry = 5
2016-04-05 18:18:40,560 fail2ban.filter [3433]: INFO Set jail log file encoding to ANSI_X3.4-1968
2016-04-05 18:18:40,560 fail2ban.actions [3433]: INFO Set banTime = 7200
2016-04-05 18:18:40,560 fail2ban.filter [3433]: INFO Set findtime = 600
2016-04-05 18:18:40,576 fail2ban.jail [3433]: INFO Jail 'sshd' started
2016-04-05 18:18:40,577 fail2ban.jail [3433]: INFO Jail 'apache-badbots' started
2016-04-05 18:18:40,579 fail2ban.jail [3433]: INFO Jail 'apache-overflows' started
2016-04-05 18:18:40,581 fail2ban.jail [3433]: INFO Jail 'apache-nohome' started
2016-04-05 18:18:40,584 fail2ban.jail [3433]: INFO Jail 'php-url-fopen' started
2016-04-05 18:18:40,586 fail2ban.jail [3433]: INFO Jail 'ssh' started
2016-04-05 18:18:40,588 fail2ban.jail [3433]: INFO Jail 'apache' started
2016-04-05 18:18:40,591 fail2ban.jail [3433]: INFO Jail 'hn-apache-retry-ban' started

Afterwards the bans seem to be propagated:

2016-04-05 18:18:40,675 fail2ban.actions [3433]: NOTICE [sshd] Ban 146.0.xxx.xx
2016-04-05 18:18:41,626 fail2ban.actions [3433]: NOTICE [sshd] Ban 183.3.xxx.xxx
2016-04-05 18:18:41,837 fail2ban.actions [3433]: NOTICE [sshd] Ban 222.186.xxx.xxx
2016-04-05 18:18:42,047 fail2ban.actions [3433]: NOTICE [sshd] Ban 58.218.xxx.xxx
2016-04-05 18:18:42,257 fail2ban.actions [3433]: NOTICE [sshd] Ban 58.218.xxx.xxx
2016-04-05 18:18:42,467 fail2ban.actions [3433]: NOTICE [sshd] Ban 58.218.xxx.xxx
2016-04-05 18:18:42,676 fail2ban.actions [3433]: NOTICE [sshd] Ban 58.218.xxx.xxx
2016-04-05 18:18:42,887 fail2ban.actions [3433]: NOTICE [sshd] Ban 58.218.xxx.xxx
2016-04-05 18:18:43,096 fail2ban.actions [3433]: NOTICE [sshd] Ban 58.218.xxx.xxx
<snap>

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
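As an added diagnostic, not part of the original post: the script below parses fail2ban 0.9-style log lines like the ones quoted above, recognises a daemon (re)start by the PID change or the "Connected to fail2ban persistent database" message, counts the bans re-applied right after it, and checks whether such a restart falls shortly before a given moment (e.g. when the load balancer marked the node down). The sample log is an excerpt of the post's own lines; the helper names and the 30-second and 5-minute windows are assumptions. It establishes timing correlation only and does not show what removed the NAT rules.

```python
import re
from datetime import datetime, timedelta

# Shape of the fail2ban 0.9 log lines quoted in the post above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<comp>\S+)\s+\[(?P<pid>\d+)\]: (?P<lvl>\w+)\s+(?P<msg>.*)$"
)

# Sample input: an excerpt of the post's log (IPs redacted as in the post).
SAMPLE_LOG = """\
2016-04-05 18:09:51,804 fail2ban.actions [5625]: NOTICE [sshd] Ban 58.218.xxx.xxx
2016-04-05 18:18:40,190 fail2ban.server [3433]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.4
2016-04-05 18:18:40,198 fail2ban.database [3433]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2016-04-05 18:18:40,576 fail2ban.jail [3433]: INFO Jail 'sshd' started
2016-04-05 18:18:40,675 fail2ban.actions [3433]: NOTICE [sshd] Ban 146.0.xxx.xx
2016-04-05 18:18:41,626 fail2ban.actions [3433]: NOTICE [sshd] Ban 183.3.xxx.xxx
2016-04-05 18:18:42,047 fail2ban.actions [3433]: NOTICE [sshd] Ban 58.218.xxx.xxx
"""

def parse(text):
    """Yield (timestamp, pid, level, message) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            yield ts, int(m["pid"]), m["lvl"], m["msg"]

def find_restarts(text, window_seconds=30):
    """One dict per daemon (re)start: when, the new PID, and how many bans
    were re-applied from the database within window_seconds of it."""
    restarts, last_pid = [], None
    for ts, pid, lvl, msg in parse(text):
        new_pid = last_pid is not None and pid != last_pid
        reconnect = "Connected to fail2ban persistent database" in msg
        already = bool(restarts) and restarts[-1]["pid"] == pid
        if (new_pid or reconnect) and not already:
            restarts.append({"at": ts, "pid": pid, "reapplied_bans": 0})
        elif (lvl == "NOTICE" and " Ban " in msg and restarts
              and ts - restarts[-1]["at"] <= timedelta(seconds=window_seconds)):
            restarts[-1]["reapplied_bans"] += 1
        last_pid = pid
    return restarts

def restart_near(text, observed_at, within_seconds=300):
    """Most recent restart in the within_seconds before observed_at
    ("YYYY-MM-DD HH:MM:SS", e.g. when the node was dropped), else None."""
    t = datetime.strptime(observed_at, "%Y-%m-%d %H:%M:%S")
    hits = [r for r in find_restarts(text)
            if timedelta(0) <= t - r["at"] <= timedelta(seconds=within_seconds)]
    return hits[-1] if hits else None
```

Run it against the real /var/log/fail2ban.log and the time the load balancer dropped the node; a restart with a burst of re-applied bans just before that moment supports the theory above, while no restart points elsewhere.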
