Are you sure your setup is correct? If you always want firewall rules to be loaded, they need to be loaded on firewall (re)start and not on system start.
Nick

On 2016-04-07 12:33, Alexander R. Gruber wrote:
> Thank you Steve, for your answer.
>
> To your questions:
>
>> How do you have the load balanced rules set? Are they persistent in a
>> file that is always run from server start up?
>
> -> I have a startup script that sets the firewall NAT rules on every
> startup of the system in RC4.
>
> Every few hours f2b reloads the firewall rules from its database
> (according to the log), and when that happens the NAT rules vanish from
> my server, leading to a STOP in service, as the load balancing breaks.
>
> The time this happens is every few hours and always goes hand in hand
> with the time in the f2b log where the system does the before
> mentioned process of "resetting" and loading stuff from its database.
> So I have a strong bias towards f2b being the "culprit", as this is the
> only process that fiddles around with the iptables in the first
> instance.
>
> I also noticed very strange things:
>
> <snip>
> 2016-04-07 13:22:19,849 fail2ban.filter  [3526]: INFO    [ssh] Found 183.3.202.xxx
> 2016-04-07 13:22:20,294 fail2ban.actions [3526]: NOTICE  [sshd] 183.3.202.200 already banned
> 2016-04-07 13:22:21,836 fail2ban.filter  [3526]: INFO    [ssh] Found 183.3.202.xxx
> 2016-04-07 13:22:21,837 fail2ban.filter  [3526]: INFO    [sshd] Found 183.3.202.xxx
> 2016-04-07 13:22:28,687 fail2ban.filter  [3526]: INFO    [sshd] Found 183.3.202.xxx
> 2016-04-07 13:22:28,688 fail2ban.filter  [3526]: INFO    [ssh] Found 183.3.202.xxx
> 2016-04-07 13:22:30,912 fail2ban.filter  [3526]: INFO    [ssh] Found 183.3.202.xxx
> 2016-04-07 13:22:30,913 fail2ban.filter  [3526]: INFO    [sshd] Found 183.3.202.xxx
> 2016-04-07 13:22:31,306 fail2ban.actions [3526]: NOTICE  [sshd] 183.3.202.xxx already banned
> 2016-04-07 13:22:31,857 fail2ban.actions [3526]: NOTICE  [ssh] 183.3.202.xxx already banned
> 2016-04-07 13:22:42,443 fail2ban.filter  [3526]: INFO    [sshd] Found 183.3.202.xxx
> 2016-04-07 13:22:42,445 fail2ban.filter  [3526]: INFO    [ssh] Found 183.3.202.xxx
> 2016-04-07 13:22:44,260 fail2ban.filter  [3526]: INFO    [sshd] Found 183.3.202.xxx
> 2016-04-07 13:22:44,260 fail2ban.filter  [3526]: INFO    [ssh] Found 183.3.202.xxx
> 2016-04-07 13:22:50,860 fail2ban.filter  [3526]: INFO    [sshd] Found 183.3.202.xxx
> 2016-04-07 13:22:50,861 fail2ban.filter  [3526]: INFO    [ssh] Found 183.3.202.xxx
> 2016-04-07 13:22:51,329 fail2ban.actions [3526]: NOTICE  [sshd] 183.3.202.xxx already banned
> 2016-04-07 13:22:53,105 fail2ban.filter  [3526]: INFO    [sshd] Found 183.3.202.xxx
> 2016-04-07 13:22:53,106 fail2ban.filter  [3526]: INFO    [ssh] Found 183.3.202.xxx
> 2016-04-07 13:23:00,356 fail2ban.filter  [3526]: INFO    [ssh] Found 183.3.202.xxx
> 2016-04-07 13:23:00,358 fail2ban.filter  [3526]: INFO    [sshd] Found 183.3.202.xxx
> 2016-04-07 13:23:01,974 fail2ban.filter  [3526]: INFO    [ssh] Found 183.3.202.xxx
> 2016-04-07 13:23:01,975 fail2ban.filter  [3526]: INFO    [sshd] Found 183.3.202.xxx
> 2016-04-07 13:23:02,342 fail2ban.actions [3526]: NOTICE  [sshd] 183.3.202.xxx already banned
> 2016-04-07 13:23:02,893 fail2ban.actions [3526]: NOTICE  [ssh] 183.3.202.xxx already banned
>
> root@xxx:~# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> root@bmn1:~# sudo iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> The chain rules seem to be empty ...
>
> root@xxx:~# service fail2ban restart
>  * Restarting authentication failure monitor fail2ban
> root@xxx:~# iptables -n -L
> Chain INPUT (policy ACCEPT)
> target                   prot opt source      destination
> f2b-hn-apache-retry-ban  tcp  --  0.0.0.0/0   0.0.0.0/0   multiport dports 80,443
> f2b-apache               tcp  --  0.0.0.0/0   0.0.0.0/0   multiport dports 80,443
> f2b-ssh                  tcp  --  0.0.0.0/0   0.0.0.0/0   multiport dports 22
> f2b-php-url-fopen        tcp  --  0.0.0.0/0   0.0.0.0/0   multiport dports 80,443
> f2b-apache-nohome        tcp  --  0.0.0.0/0   0.0.0.0/0   multiport dports 80,443
> f2b-apache-overflows     tcp  --  0.0.0.0/0   0.0.0.0/0   multiport dports 80,443
> f2b-apache-badbots       tcp  --  0.0.0.0/0   0.0.0.0/0   multiport dports 80,443
> f2b-sshd                 tcp  --  0.0.0.0/0   0.0.0.0/0   multiport dports 22
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain f2b-apache (1 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain f2b-apache-badbots (1 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain f2b-apache-nohome (1 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain f2b-apache-overflows (1 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain f2b-hn-apache-retry-ban (1 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain f2b-php-url-fopen (1 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain f2b-ssh (1 references)
> target     prot opt source               destination
> REJECT     all  --  221.229.162.xxx      0.0.0.0/0   reject-with icmp-port-unreachable
> REJECT     all  --  183.3.202.xxx        0.0.0.0/0   reject-with icmp-port-unreachable
> REJECT     all  --  111.13.70.xxx        0.0.0.0/0   reject-with icmp-port-unreachable
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain f2b-sshd (1 references)
> target     prot opt source               destination
> REJECT     all  --  221.229.162.xxx      0.0.0.0/0   reject-with icmp-port-unreachable
> REJECT     all  --  186.228.90.xxx       0.0.0.0/0   reject-with icmp-port-unreachable
> REJECT     all  --  183.3.202.xxx        0.0.0.0/0   reject-with icmp-port-unreachable
> REJECT     all  --  14.139.46.xxx        0.0.0.0/0   reject-with icmp-port-unreachable
> REJECT     all  --  111.13.70.xxx        0.0.0.0/0   reject-with icmp-port-unreachable
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>
> After an explicit restart, the system seems to be up and running again
> ...
>
> I feel a bit at a loss here ...
>
> Thanks for any hints!
> Alexander
>
>> By design, f2b (when restarting) unblocks all blocked IP addresses
>> within its own DB; it then removes the f2b chains from iptables. It
>> then starts up creating the chains and re-adds the IPs that are within
>> the selected time scale of bans.
>>
>> It does not remove anything other than its own chains in iptables.
>>
>> How do you have the load balanced rules set? Are they persistent in a
>> file that is always run from server start up?
>>
>> I have a reset firewall script that, once f2b is shut down, I run and
>> it reloads my own pre-set rules on iptables; then I fire up f2b. I've
>> never had it remove rules or chains that are not starting "f2b-chainname"
>> (i.e. f2b-php-url-open) etc.
>>
>> If you do an iptables -n -L, do your f2b chains all start with chain
>> f2b-? If the f2b chains are missing and all your rules are not starting
>> as above, I suppose there is a chance it could remove rules it never
>> created, although I would doubt that.
>>
>> I hope this helps a little.
>>
>> Steve

------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
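Added example for this thread (not the poster's startup script and not fail2ban's own code): a small POSIX shell audit to run right after `service fail2ban restart` to see whether locally managed rules survived. Two things the quoted output does not make visible: `iptables -L` prints only the filter table, so DNAT/SNAT rules, which live in the nat table, never show up there (they need `iptables -t nat -L -n`), and `iptables-save` dumps every table in one go, which is why the check reads a dump rather than `iptables -L`. The script lists the `f2b-` chains fail2ban owns and reports any expected rule that is absent from the dump. The expected NAT rules, the interface name `eth0`, the addresses and both sample dumps are constructed placeholders; the thread does not show the real load-balancing rules.

```shell
#!/bin/sh
# Added example for this thread (not the poster's script and not fail2ban code).
# Checks an `iptables-save` dump for locally managed rules that must survive a
# fail2ban restart, and lists the chains fail2ban owns (named f2b-<jail>).
# `iptables -L` shows only the filter table; the nat table with DNAT/SNAT rules
# is included in an iptables-save dump, which is why the audit reads one.

# Rules the local startup script is expected to have installed, one per line,
# as "<table>|<rule exactly as iptables-save prints it>".
# Constructed placeholders: the thread does not show the real NAT rules.
EXPECTED_RULES='nat|-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.11:80
nat|-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.11:443
nat|-A POSTROUTING -o eth0 -j MASQUERADE'

# Flatten a dump into "<table>|<rule>" lines so each rule is matched within
# the table it belongs to (the same rule text can exist in several tables).
flatten_dump() {
    awk '/^\*/ { table = substr($0, 2) }
         /^-A / { print table "|" $0 }' "$1"
}

# Print each expected rule that is absent from the dump (nothing if all present).
missing_rules() {
    flat=$(flatten_dump "$1")
    printf '%s\n' "$EXPECTED_RULES" | while IFS= read -r want; do
        [ -n "$want" ] || continue
        printf '%s\n' "$flat" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Exit 0 only if every expected rule is present; usable from cron or a
# restart hook to decide whether the local rule script must be re-run.
rules_intact() {
    [ -z "$(missing_rules "$1")" ]
}

# List the chains fail2ban created; by convention they are named f2b-<jail>.
f2b_chains() {
    awk -F'[: ]' '/^:f2b-/ { print $2 }' "$1"
}

# Constructed sample dumps (abridged). The first has the NAT rules and one
# fail2ban chain; the second has the fail2ban chains rebuilt after a restart
# but two of the three expected NAT rules are gone.
SAMPLE_INTACT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.11:80
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.11:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT'

SAMPLE_AFTER_RESTART='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
:f2b-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-ssh
-A f2b-sshd -s 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A f2b-ssh -j RETURN
COMMIT'

# Demo on the samples. On a live host, replace the sample file with the
# output of `iptables-save > "$tmp/live.rules"`.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_INTACT" > "$tmp/intact.rules"
printf '%s\n' "$SAMPLE_AFTER_RESTART" > "$tmp/after.rules"
echo "fail2ban chains after restart: $(f2b_chains "$tmp/after.rules" | tr '\n' ' ')"
rules_intact "$tmp/intact.rules" && echo "intact dump: all expected rules present"
rules_intact "$tmp/after.rules" || {
    echo "after-restart dump is missing these rules:"
    missing_rules "$tmp/after.rules"
}
rm -rf "$tmp"
```

In practice the call is `iptables-save > /tmp/live.rules; rules_intact /tmp/live.rules || sh /etc/firewall/nat-rules.sh` (both paths are hypothetical), run from cron or, as Nick suggests, from the firewall's own restart path rather than only at boot. The matching is exact text, so generate `EXPECTED_RULES` from a known-good `iptables-save` dump instead of typing the rules by hand; iptables normalises options (for example `-p tcp --dport 80` becomes `-p tcp -m tcp --dport 80`), and a hand-written line will not match what the kernel reports back.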
