By design, f2b (when restarting) unblocks all blocked IP addresses 
within its own DB; it then removes the f2b chains from iptables. It then 
starts up, creating the chains, and re-adds the IPs that are within the 
selected time scale of bans.

It does not remove anything other than its own chains in iptables.

How do you have the load-balanced rules set? Are they persistent in a 
file that is always run from server start-up?

I have a reset-firewall script that I run once f2b is shut down; it 
reloads my own pre-set rules on iptables, then I fire up f2b. I've never 
had it remove rules or chains that do not start with "f2b-chainname" 
(i.e. f2b-php-url-open) etc.

If you do an iptables -n -L, do your f2b chains all start with "Chain f2b-"?
If the f2b chains are missing and all your rules are not starting as 
above, I suppose there is a chance it could remove rules it never 
created, although I would doubt that.

I hope this helps a little.

Steve
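A check in the spirit of Steve's advice, as an added example (not code from this thread or from fail2ban): it parses `iptables -n -L` style listings, separates the chains fail2ban owns (names starting with "f2b-") from everything else, and counts the DNAT rules in the nat table so a post-restart script can decide whether the load balancer rules have to be reloaded from the persistent rules file. The listings below are constructed samples; the rules-file path in the final message is a placeholder.

```shell
#!/bin/sh
# Constructed sample of `iptables -n -L` (filter table) after a fail2ban
# restart. For a live check replace it with: iptables -n -L
SAMPLE_FILTER='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  58.218.0.1           0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-php-url-fopen (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed sample of `iptables -n -L -t nat` with the DNAT rules gone,
# i.e. the failure Alexander describes.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination'

# Chains in a listing (stdin) that fail2ban created: names start with "f2b-".
f2b_chains() {
    awk '$1 == "Chain" && $2 ~ /^f2b-/ { print $2 }'
}

# Chains in a listing (stdin) that fail2ban did NOT create; these are the
# ones a fail2ban restart should never touch.
foreign_chains() {
    awk '$1 == "Chain" && $2 !~ /^f2b-/ { print $2 }'
}

# Number of DNAT rules in a nat-table listing (stdin); prints 0 when none.
count_dnat() {
    awk '$1 == "DNAT" { n++ } END { print n + 0 }'
}

# Succeeds (exit 0) when the nat listing carries fewer DNAT rules than the
# load balancer setup expects, i.e. when the saved rules must be reapplied.
nat_needs_restore() {
    expected="$1"; listing="$2"
    have=$(printf '%s\n' "$listing" | count_dnat)
    [ "$have" -lt "$expected" ]
}

# Usage: two DNAT rules (http and https) are expected in the sample setup.
if nat_needs_restore 2 "$SAMPLE_NAT"; then
    echo "DNAT rules missing: reload with iptables-restore < /path/to/saved-rules (placeholder)"
fi
```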

On 06/04/2016 13:39, Alexander R. Gruber wrote:
> Hello,
>
> I've installed fail2ban on my webserver nodes, which sit behind a
> load balancer.
> The system is Ubuntu 14.04; fail2ban is version v0.9.4.
>
> I noticed that fail2ban seems to "recover" from time to time, reloading
> firewall rules from some persistent database.
> The problem: when this happens, the NAT firewall rules necessary for a
> working load balancer setup vanish; they seem to be deleted.
> My theory: fail2ban deletes all rules and "restores" them from the
> fail2ban database - which does not take the NAT rules into account.
>
> Result: The nodes become unreachable and the Load Balancer drops them.
>
> My Question: How can I prevent fail2ban from destroying my NAT firewall
> rules?
>
> Those (deleted rules) are:
>
> root@xxx:~# iptables -L -t nat
>
> Chain PREROUTING (policy ACCEPT)
>
> target     prot opt source               destination
>
> DNAT       tcp  --  anywhere             185.55.xxx.xxx        tcp
> dpt:http to:185.55.xxx.xxx:80
>
> DNAT       tcp  --  anywhere             185.55.xxx.xxx        tcp
> dpt:https to:185.55.xxx.xxx:443
>
> Chain INPUT (policy ACCEPT)
>
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
>
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
>
> target     prot opt source               destination
>
>
> Thank you for your help!
> Best Regards,
> Alexander
>
>
> In the Log File this reads as:
> <snip>
>
> 2016-04-05 18:09:43,391 fail2ban.filter         [5625]: INFO    [ssh]
> Found 58.218.xxx.xxx
>
> 2016-04-05 18:09:43,392 fail2ban.filter         [5625]: INFO    [sshd]
> Found 58.218.xxx.xxx
>
> 2016-04-05 18:09:51,180 fail2ban.filter         [5625]: INFO    [sshd]
> Found 58.218.xxx.xxx
>
> 2016-04-05 18:09:51,181 fail2ban.filter         [5625]: INFO    [ssh]
> Found 58.218.xxx.xxx
>
> 2016-04-05 18:09:51,804 fail2ban.actions        [5625]: NOTICE  [sshd]
> Ban 58.218.xxx.xxx
>
> 2016-04-05 18:09:53,137 fail2ban.filter         [5625]: INFO    [ssh]
> Found 58.218.xxx.xxx
>
> 2016-04-05 18:09:53,138 fail2ban.filter         [5625]: INFO    [sshd]
> Found 58.218.xxx.xxx
>
> 2016-04-05 18:18:40,190 fail2ban.server         [3433]: INFO    Changed
> logging target to /var/log/fail2ban.log for Fail2ban v0.9.4
>
> 2016-04-05 18:18:40,198 fail2ban.database       [3433]: INFO
> Connected to fail2ban persistent database
> '/var/lib/fail2ban/fail2ban.sqlite3'
>
>
> Afterwards, the jails are re-initiated:
>
> 2016-04-05 18:18:40,207 fail2ban.jail           [3433]: INFO    Creating
> new jail 'sshd'
>
> 2016-04-05 18:18:40,228 fail2ban.jail           [3433]: INFO    Jail
> 'sshd' uses pyinotify
>
> 2016-04-05 18:18:40,238 fail2ban.filter         [3433]: INFO    Set jail
> log file encoding to ANSI_X3.4-1968
>
> 2016-04-05 18:18:40,241 fail2ban.jail           [3433]: INFO
> Initiated 'pyinotify' backend
>
> 2016-04-05 18:18:40,256 fail2ban.filter         [3433]: INFO    Added
> logfile = /var/log/auth.log
>
> 2016-04-05 18:18:40,261 fail2ban.filter         [3433]: INFO    Set
> maxRetry = 3
>
> 2016-04-05 18:18:40,262 fail2ban.filter         [3433]: INFO    Set jail
> log file encoding to ANSI_X3.4-1968
>
> 2016-04-05 18:18:40,262 fail2ban.actions        [3433]: INFO    Set
> banTime = 7200
>
> 2016-04-05 18:18:40,262 fail2ban.filter         [3433]: INFO    Set
> findtime = 600
>
> 2016-04-05 18:18:40,263 fail2ban.filter         [3433]: INFO    Set
> maxlines = 10
>
> 2016-04-05 18:18:40,297 fail2ban.server         [3433]: INFO    Jail
> sshd is not a JournalFilter instance
>
> 2016-04-05 18:18:40,302 fail2ban.jail           [3433]: INFO    Creating
> new jail 'apache-badbots'
>
> 2016-04-05 18:18:40,302 fail2ban.jail           [3433]: INFO    Jail
> 'apache-badbots' uses pyinotify
>
> 2016-04-05 18:18:40,303 fail2ban.filter         [3433]: INFO    Set jail
> log file encoding to ANSI_X3.4-1968
>
> 2016-04-05 18:18:40,306 fail2ban.jail           [3433]: INFO
> Initiated 'pyinotify' backend
>
> 2016-04-05 18:18:40,320 fail2ban.filter         [3433]: INFO    Added
> logfile = /var/log/apache2/error.log
>
> 2016-04-05 18:18:40,326 fail2ban.filter         [3433]: INFO    Set
> maxRetry = 2
>
> 2016-04-05 18:18:40,326 fail2ban.filter         [3433]: INFO    Set jail
> log file encoding to ANSI_X3.4-1968
>
> 2016-04-05 18:18:40,326 fail2ban.actions        [3433]: INFO    Set
> banTime = 172800
>
> 2016-04-05 18:18:40,327 fail2ban.filter         [3433]: INFO    Set
> findtime = 600
>
> 2016-04-05 18:18:40,337 fail2ban.jail           [3433]: INFO    Creating
> new jail 'apache-overflows'
>
> 2016-04-05 18:18:40,338 fail2ban.jail           [3433]: INFO    Jail
> 'apache-overflows' uses pyinotify
>
> 2016-04-05 18:18:40,338 fail2ban.filter         [3433]: INFO    Set jail
> log file encoding to ANSI_X3.4-1968
>
> 2016-04-05 18:18:40,341 fail2ban.jail           [3433]: INFO
> Initiated 'pyinotify' backend
>
> 2016-04-05 18:18:40,356 fail2ban.filter         [3433]: INFO    Added
> logfile = /var/log/apache2/error.log
>
> 2016-04-05 18:18:40,361 fail2ban.filter         [3433]: INFO    Set
> maxRetry = 2
>
> 2016-04-05 18:18:40,362 fail2ban.filter         [3433]: INFO    Set jail
> log file encoding to ANSI_X3.4-1968
>
> 2016-04-05 18:18:40,362 fail2ban.actions        [3433]: INFO    Set
> banTime = 7200
>
> 2016-04-05 18:18:40,363 fail2ban.filter         [3433]: INFO    Set
> findtime = 600
>
> 2016-04-05 18:18:40,370 fail2ban.jail           [3433]: INFO    Creating
> new jail 'apache-nohome'
>
> 2016-04-05 18:18:40,370 fail2ban.jail           [3433]: INFO    Jail
> 'apache-nohome' uses pyinotify
>
> 2016-04-05 18:18:40,371 fail2ban.filter         [3433]: INFO    Set jail
> log file encoding to ANSI_X3.4-1968
>
> 2016-04-05 18:18:40,373 fail2ban.jail           [3433]: INFO
> Initiated 'pyinotify' backend
>
> 2016-04-05 18:18:40,385 fail2ban.filter         [3433]: INFO    Added
> logfile = /var/log/apache2/error.log
>
> 2016-04-05 18:18:40,389 fail2ban.filter         [3433]: INFO    Set
> maxRetry = 2
>
> 2016-04-05 18:18:40,390 fail2ban.filter         [3433]: INFO    Set jail
> log file encoding to ANSI_X3.4-1968
>
> 2016-04-05 18:18:40,390 fail2ban.actions        [3433]: INFO    Set
> banTime = 7200
>
> 2016-04-05 18:18:40,391 fail2ban.filter         [3433]: INFO    Set
> findtime = 600
>
> 2016-04-05 18:18:40,397 fail2ban.jail           [3433]: INFO    Creating
> new jail 'php-url-fopen'
>
> 2016-04-05 18:18:40,397 fail2ban.jail           [3433]: INFO    Jail
> 'php-url-fopen' uses pyinotify
>
> 2016-04-05 18:18:40,398 fail2ban.filter         [3433]: INFO    Set jail
> log file encoding to ANSI_X3.4-1968
>
> 2016-04-05 18:18:40,400 fail2ban.jail           [3433]: INFO
> Initiated 'pyinotify' backend
>
> 2016-04-05 18:18:40,413 fail2ban.filter         [3433]: INFO    Added
> logfile = /var/log/apache2/other_vhosts_access.log
>
> 2016-04-05 18:18:40,425 fail2ban.filter         [3433]: INFO    Added
> logfile = /var/log/apache2/access.log
>
> 2016-04-05 18:18:40,431 fail2ban.filter         [3433]: INFO    Set
> maxRetry = 3
>
> 2016-04-05 18:18:40,431 fail2ban.filter         [3433]: INFO    Set jail
> log file encoding to ANSI_X3.4-1968
>
> 2016-04-05 18:18:40,431 fail2ban.actions        [3433]: INFO    Set
> banTime = 7200
>
> 2016-04-05 18:18:40,432 fail2ban.filter         [3433]: INFO    Set
> findtime = 600
>
> 2016-04-05 18:18:40,438 fail2ban.jail           [3433]: INFO    Creating
> new jail 'ssh'
>
> 2016-04-05 18:18:40,438 fail2ban.jail           [3433]: INFO    Jail
> 'ssh' uses pyinotify
>
> 2016-04-05 18:18:40,439 fail2ban.filter         [3433]: INFO    Set jail
> log file encoding to ANSI_X3.4-1968
>
> 2016-04-05 18:18:40,442 fail2ban.jail           [3433]: INFO
> Initiated 'pyinotify' backend
>
> 2016-04-05 18:18:40,456 fail2ban.filter         [3433]: INFO    Added
> logfile = /var/log/auth.log
>
> 2016-04-05 18:18:40,461 fail2ban.filter         [3433]: INFO    Set
> maxRetry = 6
>
> 2016-04-05 18:18:40,461 fail2ban.filter         [3433]: INFO    Set jail
> log file encoding to ANSI_X3.4-1968
>
> 2016-04-05 18:18:40,462 fail2ban.actions        [3433]: INFO    Set
> banTime = 7200
>
> 2016-04-05 18:18:40,462 fail2ban.filter         [3433]: INFO    Set
> findtime = 600
>
> 2016-04-05 18:18:40,462 fail2ban.filter         [3433]: INFO    Set
> maxlines = 10
>
> 2016-04-05 18:18:40,482 fail2ban.server         [3433]: INFO    Jail ssh
> is not a JournalFilter instance
>
> 2016-04-05 18:18:40,489 fail2ban.jail           [3433]: INFO    Creating
> new jail 'apache'
>
> 2016-04-05 18:18:40,489 fail2ban.jail           [3433]: INFO    Jail
> 'apache' uses pyinotify
>
> 2016-04-05 18:18:40,490 fail2ban.filter         [3433]: INFO    Set jail
> log file encoding to ANSI_X3.4-1968
>
> 2016-04-05 18:18:40,493 fail2ban.jail           [3433]: INFO
> Initiated 'pyinotify' backend
>
> 2016-04-05 18:18:40,508 fail2ban.filter         [3433]: INFO    Added
> logfile = /var/log/apache2/error.log
>
> 2016-04-05 18:18:40,513 fail2ban.filter         [3433]: INFO    Set
> maxRetry = 5
>
> 2016-04-05 18:18:40,514 fail2ban.filter         [3433]: INFO    Set jail
> log file encoding to ANSI_X3.4-1968
>
> 2016-04-05 18:18:40,514 fail2ban.actions        [3433]: INFO    Set
> banTime = 7200
>
> 2016-04-05 18:18:40,514 fail2ban.filter         [3433]: INFO    Set
> findtime = 600
>
> 2016-04-05 18:18:40,535 fail2ban.jail           [3433]: INFO    Creating
> new jail 'hn-apache-retry-ban'
>
> 2016-04-05 18:18:40,535 fail2ban.jail           [3433]: INFO    Jail
> 'hn-apache-retry-ban' uses pyinotify
>
> 2016-04-05 18:18:40,536 fail2ban.filter         [3433]: INFO    Set jail
> log file encoding to ANSI_X3.4-1968
>
> 2016-04-05 18:18:40,539 fail2ban.jail           [3433]: INFO
> Initiated 'pyinotify' backend
>
> 2016-04-05 18:18:40,553 fail2ban.filter         [3433]: INFO    Added
> logfile = /var/log/apache2/access.log
>
> 2016-04-05 18:18:40,559 fail2ban.filter         [3433]: INFO    Set
> maxRetry = 5
>
> 2016-04-05 18:18:40,560 fail2ban.filter         [3433]: INFO    Set jail
> log file encoding to ANSI_X3.4-1968
>
> 2016-04-05 18:18:40,560 fail2ban.actions        [3433]: INFO    Set
> banTime = 7200
>
> 2016-04-05 18:18:40,560 fail2ban.filter         [3433]: INFO    Set
> findtime = 600
>
> 2016-04-05 18:18:40,576 fail2ban.jail           [3433]: INFO    Jail
> 'sshd' started
>
> 2016-04-05 18:18:40,577 fail2ban.jail           [3433]: INFO    Jail
> 'apache-badbots' started
>
> 2016-04-05 18:18:40,579 fail2ban.jail           [3433]: INFO    Jail
> 'apache-overflows' started
>
> 2016-04-05 18:18:40,581 fail2ban.jail           [3433]: INFO    Jail
> 'apache-nohome' started
>
> 2016-04-05 18:18:40,584 fail2ban.jail           [3433]: INFO    Jail
> 'php-url-fopen' started
>
> 2016-04-05 18:18:40,586 fail2ban.jail           [3433]: INFO    Jail
> 'ssh' started
>
> 2016-04-05 18:18:40,588 fail2ban.jail           [3433]: INFO    Jail
> 'apache' started
>
> 2016-04-05 18:18:40,591 fail2ban.jail           [3433]: INFO    Jail
> 'hn-apache-retry-ban' started
>
> Afterwards the Bans seem to be propagated:
>
> 2016-04-05 18:18:40,675 fail2ban.actions        [3433]: NOTICE  [sshd]
> Ban 146.0.xxx.xx
>
> 2016-04-05 18:18:41,626 fail2ban.actions        [3433]: NOTICE  [sshd]
> Ban 183.3.xxx.xxx
>
> 2016-04-05 18:18:41,837 fail2ban.actions        [3433]: NOTICE  [sshd]
> Ban 222.186.xxx.xxx
>
> 2016-04-05 18:18:42,047 fail2ban.actions        [3433]: NOTICE  [sshd]
> Ban 58.218.xxx.xxx
>
> 2016-04-05 18:18:42,257 fail2ban.actions        [3433]: NOTICE  [sshd]
> Ban 58.218.xxx.xxx
>
> 2016-04-05 18:18:42,467 fail2ban.actions        [3433]: NOTICE  [sshd]
> Ban 58.218.xxx.xxx
>
> 2016-04-05 18:18:42,676 fail2ban.actions        [3433]: NOTICE  [sshd]
> Ban 58.218.xxx.xxx
>
> 2016-04-05 18:18:42,887 fail2ban.actions        [3433]: NOTICE  [sshd]
> Ban 58.218.xxx.xxx
>
> 2016-04-05 18:18:43,096 fail2ban.actions        [3433]: NOTICE  [sshd]
> Ban 58.218.xxx.xxx
>
> <snap>
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

