Hello Nick!

# iptables -V
iptables v1.4.21
# iptables -w
iptables v1.4.21: no command specified
Try `iptables -h' or 'iptables --help' for more information.

What you said before, that the firewall rules need to be loaded at 
every start/restart of the firewall itself and not only on system start, 
absolutely makes sense!
So IF f2b would restart the firewall for whatever reason, the NAT rules 
could be lost.

So what should I do with the config in this case? Just remove the -w 
switch, or replace it with something else?

Thank you!
Alexander

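As an added example (not part of this thread, and not fail2ban's own code), the following POSIX shell script packages three checks that come up in the discussion quoted below: whether the local iptables accepts the -w locking switch, whether a jail's chain is actually hooked into INPUT (the invariant whose failure the log reports as "Invariant check failed", using the same grep fail2ban runs), and whether NAT rules that were present in an earlier snapshot have disappeared after a fail2ban reload, which is the symptom Alexander describes. It assumes only a POSIX shell, grep and awk; the sample INPUT listings and NAT rules embedded in it are constructed, since the thread does not show the real load-balancing rules.

```shell
#!/bin/sh
# Added example, not code from the thread or from fail2ban itself. Three checks
# a defender can run around the symptoms discussed in the thread. Each works on
# command output passed in as text, so it runs against saved snapshots as well
# as live output, e.g.  f2b_chain_hooked f2b-sshd "$(iptables -n -L INPUT)".

# 1. Does this iptables accept -w?  Pass in the combined output of "iptables -w".
#    iptables 1.4.21, as in the thread, answers "no command specified": the flag
#    was parsed and only the command was missing.  A build without -w support
#    rejects the option instead and never reaches that message.
iptables_supports_w() {
    case "$1" in
        *"no command specified"*) return 0 ;;
        *) return 1 ;;
    esac
}

# 2. The invariant whose failure the log reports as "Invariant check failed":
#    the jail's chain must be hooked into INPUT.  Mirrors fail2ban's own
#    'iptables -w -n -L INPUT | grep -q "f2b-sshd[ \t]"' check, applied to the
#    text of "iptables -n -L INPUT" (second argument).  Exit 0 when hooked.
#    Anchoring on line start keeps "f2b-ssh" from matching "f2b-sshd" rule lines.
f2b_chain_hooked() {
    chain="$1"
    printf '%s\n' "$2" | grep -q "^${chain}[[:space:]]"
}

# 3. The symptom itself: NAT rules that existed earlier are gone after a
#    fail2ban reload.  Arguments are two "iptables-save -t nat" style listings
#    (one "-A ..." rule per line): the known-good snapshot and the current state.
#    Prints each rule that disappeared; the exit status is the number missing.
nat_rules_missing() {
    printf '%s\n' "$2" | EXPECTED="$1" awk '
        /^-A / { seen[$0] = 1 }
        END {
            n = split(ENVIRON["EXPECTED"], want, "\n")
            missing = 0
            for (i = 1; i <= n; i++)
                if (want[i] ~ /^-A / && !(want[i] in seen)) {
                    print "MISSING: " want[i]
                    missing++
                }
            exit missing
        }'
}

# Constructed samples (not taken from the thread verbatim).
# INPUT listing while the jails are broken: chains empty, nothing hooked.
EMPTY_INPUT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination'

# INPUT listing after "service fail2ban restart" re-created the jail chains,
# modelled on the listing quoted in the thread.
HOOKED_INPUT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-ssh    tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22'

# Placeholder NAT rules: the thread never shows the real load-balancing rules.
NAT_SNAPSHOT='*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.11:80
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.11:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
NAT_NOW='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Demo against the samples (replace with live output on a real host).
iptables_supports_w "iptables v1.4.21: no command specified" \
    && echo "-w accepted" || echo "-w rejected: drop it from the action config"
for listing in "$EMPTY_INPUT" "$HOOKED_INPUT"; do
    f2b_chain_hooked f2b-sshd "$listing" \
        && echo "f2b-sshd hooked into INPUT" \
        || echo "f2b-sshd not hooked: fail2ban's invariant check would fail"
done
nat_rules_missing "$NAT_SNAPSHOT" "$NAT_NOW" || echo "$? NAT rule(s) lost"
```

The version check is deliberately narrow: an iptables that prints "no command specified" when given only -w has parsed the flag, and -w was added in iptables 1.4.20 as a lock against concurrent invocations, so on 1.4.21 the flag itself is not what breaks the ban. The "returned 1" lines in the quoted log come from the second check: the f2b-sshd and f2b-ssh chains were not hooked into INPUT at that moment, which matches the empty `iptables -L` output quoted further down. The third check is the one to run from cron or right after any fail2ban restart, with `iptables-save -t nat` output saved once from a known-good state as the snapshot.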
On 07.04.2016 21:03, Nick Howitt wrote:
> What version of iptables are you running? My version (I can't check at 
> the moment) and any el6 derivative do not support the -w switch, so 
> it needs to be removed from the f2b configs.
>
> Nick
>
> On 2016-04-07 12:50, Alexander R. Gruber wrote:
>> Sorry for replying to myself, but I found a lot of errors in the log
>> that might have to do with the problem at hand:
>>
>> <snip>
>> 2016-04-06 08:53:19,351 fail2ban.filter         [3526]: INFO [ssh] Found 146.0.77.xxx
>> 2016-04-06 08:53:19,352 fail2ban.filter         [3526]: INFO [sshd] Found 146.0.77.xxx
>> 2016-04-06 08:53:19,577 fail2ban.filter         [3526]: INFO [ssh] Found 146.0.77.xxx
>> 2016-04-06 08:53:19,578 fail2ban.filter         [3526]: INFO [sshd] Found 146.0.77.xxx
>> 2016-04-06 08:53:21,608 fail2ban.filter         [3526]: INFO [sshd] Found 146.0.77.xxx
>> 2016-04-06 08:53:21,609 fail2ban.filter         [3526]: INFO [ssh] Found 146.0.77.xxx
>> 2016-04-06 08:53:21,731 fail2ban.actions        [3526]: NOTICE [sshd] Ban 146.0.77.xxx
>> 2016-04-06 08:53:21,836 fail2ban.action         [3526]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: ''
>> 2016-04-06 08:53:21,836 fail2ban.action         [3526]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: ''
>> 2016-04-06 08:53:21,836 fail2ban.action         [3526]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
>> 2016-04-06 08:53:21,836 fail2ban.CommandAction  [3526]: ERROR Invariant check failed. Trying to restore a sane environment
>> 2016-04-06 08:53:21,941 fail2ban.action         [3526]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
>> iptables -w -F f2b-sshd
>> iptables -w -X f2b-sshd -- stdout: ''
>> 2016-04-06 08:53:21,941 fail2ban.action         [3526]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
>> iptables -w -F f2b-sshd
>> iptables -w -X f2b-sshd -- stderr: "iptables v1.4.21: Couldn't load target `f2b-sshd':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
>> 2016-04-06 08:53:21,941 fail2ban.action         [3526]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
>> iptables -w -F f2b-sshd
>> iptables -w -X f2b-sshd -- returned 1
>> 2016-04-06 08:53:21,942 fail2ban.actions        [3526]: ERROR Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f3f3dfff938>, 'matches': u'Apr  6 08:53:19 bmn1 sshd[15131]: Invalid user ftpuser from 146.0.77.xxx\nApr  6 08:53:19 bmn1 sshd[15131]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=146.0.77.xxx \nApr  6 08:53:21 bmn1 sshd[15131]: Failed password for invalid user ftpuser from 146.0.77.xxx port 50352 ssh2', 'ip': '146.0.77.xxx', 'ipmatches': <function <lambda> at 0x7f3f3dfff848>, 'ipfailures': <function <lambda> at 0x7f3f3dfff7d0>, 'time': 1459925601.7313, 'failures': 3, 'ipjailfailures': <function <lambda> at 0x7f3f3dfff758>})': Error stopping action
>> 2016-04-06 08:53:22,865 fail2ban.filter         [3526]: INFO [sshd] Found 146.0.77.xxx
>> 2016-04-06 08:53:22,867 fail2ban.filter         [3526]: INFO [ssh] Found 146.0.77.xxx
>> 2016-04-06 08:53:23,424 fail2ban.filter         [3526]: INFO [sshd] Found 146.0.77.xxx
>> 2016-04-06 08:53:23,426 fail2ban.filter         [3526]: INFO [ssh] Found 146.0.77.xxx
>> 2016-04-06 08:53:25,339 fail2ban.filter         [3526]: INFO [ssh] Found 146.0.77.xxx
>> 2016-04-06 08:53:25,340 fail2ban.filter         [3526]: INFO [sshd] Found 146.0.77.xxx
>> 2016-04-06 08:53:25,738 fail2ban.actions        [3526]: NOTICE [ssh] Ban 146.0.77.xxx
>> 2016-04-06 08:53:25,843 fail2ban.action         [3526]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-ssh[ \t]' -- stdout: ''
>> 2016-04-06 08:53:25,843 fail2ban.action         [3526]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-ssh[ \t]' -- stderr: ''
>> 2016-04-06 08:53:25,843 fail2ban.action         [3526]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-ssh[ \t]' -- returned 1
>> 2016-04-06 08:53:25,843 fail2ban.CommandAction  [3526]: ERROR Invariant check failed. Trying to restore a sane environment
>> 2016-04-06 08:53:25,947 fail2ban.actions        [3526]: NOTICE [sshd] 146.0.77.xxx already banned
>> 2016-04-06 08:53:25,948 fail2ban.action         [3526]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-ssh
>> iptables -w -F f2b-ssh
>> iptables -w -X f2b-ssh -- stdout: ''
>> 2016-04-06 08:53:25,949 fail2ban.action         [3526]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-ssh
>> iptables -w -F f2b-ssh
>> iptables -w -X f2b-ssh -- stderr: "iptables v1.4.21: Couldn't load target `f2b-ssh':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
>> 2016-04-06 08:53:25,949 fail2ban.action         [3526]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-ssh
>> iptables -w -F f2b-ssh
>> iptables -w -X f2b-ssh -- returned 1
>> 2016-04-06 08:53:25,949 fail2ban.actions        [3526]: ERROR Failed to execute ban jail 'ssh' action 'iptables-multiport' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f3f3dfff7d0>, 'matches': u'Apr  6 08:53:19 bmn1 sshd[15131]: Invalid user ftpuser from 146.0.77.xxx\nApr  6 08:53:19 bmn1 sshd[15131]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=146.0.77.xxx \nApr  6 08:53:21 bmn1 sshd[15131]: Failed password for invalid user ftpuser from 146.0.77.xxx port 50352 ssh2\nApr  6 08:53:22 bmn1 sshd[15140]: Invalid user ftpuser from 146.0.77.xxx\nApr  6 08:53:23 bmn1 sshd[15140]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=146.0.77.xxx \nApr  6 08:53:25 bmn1 sshd[15140]: Failed password for invalid user ftpuser from 146.0.77.xxx port 50691 ssh2', 'ip': '146.0.77.xxx', 'ipmatches': <function <lambda> at 0x7f3f3dfff758>, 'ipfailures': <function <lambda> at 0x7f3f3dfff848>, 'time': 1459925605.738062, 'failures': 6, 'ipjailfailures': <function <lambda> at 0x7f3f3dfff938>})': Error stopping action
>> 2016-04-06 08:53:26,498 fail2ban.filter         [3526]: INFO [ssh] Found 146.0.77.xxx
>> 2016-04-06 08:53:26,500 fail2ban.filter         [3526]: INFO [sshd] Found 146.0.77.xxx
>> 2016-04-06 08:53:26,523 fail2ban.filter         [3526]: INFO [ssh] Found 146.0.77.xxx
>> 2016-04-06 08:53:26,525 fail2ban.filter         [3526]: INFO [sshd] Found 146.0.77.xxx
>> 2016-04-06 08:53:28,182 fail2ban.filter         [3526]: INFO [ssh] Found 146.0.77.xxx
>> 2016-04-06 08:53:28,183 fail2ban.filter         [3526]: INFO [sshd] Found 146.0.77.xxx
>> 2016-04-06 08:53:28,950 fail2ban.actions        [3526]: NOTICE [sshd] 146.0.77.xxx already banned
>> <snap>
>>
>>
>>
>> On 07.04.2016 20:33, Alexander R. Gruber wrote:
>>> Thank you Steve, for your answer.
>>>
>>> To your questions:
>>>
>>>> How do you have the load balanced rules set? Are they persistent in a
>>>> file that is always run from server start up?
>>> -> I have a startup script that sets the firewall NAT rules on 
>>> every startup of the system in RC4.
>>>
>>> Every few hours f2b reloads the firewall rules from its database 
>>> (according to the log), and when that happens the NAT rules vanish 
>>> from my server, leading to a STOP in service as the load balancing 
>>> breaks.
>>>
>>> This happens every few hours and always goes hand in hand with the 
>>> time in the f2b log where the system does the aforementioned process 
>>> of "resetting" and loading stuff from its database.
>>> So I have a strong bias towards f2b being the "culprit", as this is 
>>> the only process that fiddles around with the iptables in the first 
>>> instance.
>>>
>>> I also noticed very strange things:
>>>
>>> <snip>
>>> 2016-04-07 13:22:19,849 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
>>> 2016-04-07 13:22:20,294 fail2ban.actions        [3526]: NOTICE  [sshd] 183.3.202.200 already banned
>>> 2016-04-07 13:22:21,836 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
>>> 2016-04-07 13:22:21,837 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
>>> 2016-04-07 13:22:28,687 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
>>> 2016-04-07 13:22:28,688 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
>>> 2016-04-07 13:22:30,912 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
>>> 2016-04-07 13:22:30,913 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
>>> 2016-04-07 13:22:31,306 fail2ban.actions        [3526]: NOTICE  [sshd] 183.3.202.xxx already banned
>>> 2016-04-07 13:22:31,857 fail2ban.actions        [3526]: NOTICE  [ssh] 183.3.202.xxx already banned
>>> 2016-04-07 13:22:42,443 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
>>> 2016-04-07 13:22:42,445 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
>>> 2016-04-07 13:22:44,260 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
>>> 2016-04-07 13:22:44,260 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
>>> 2016-04-07 13:22:50,860 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
>>> 2016-04-07 13:22:50,861 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
>>> 2016-04-07 13:22:51,329 fail2ban.actions        [3526]: NOTICE  [sshd] 183.3.202.xxx already banned
>>> 2016-04-07 13:22:53,105 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
>>> 2016-04-07 13:22:53,106 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
>>> 2016-04-07 13:23:00,356 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
>>> 2016-04-07 13:23:00,358 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
>>> 2016-04-07 13:23:01,974 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
>>> 2016-04-07 13:23:01,975 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
>>> 2016-04-07 13:23:02,342 fail2ban.actions        [3526]: NOTICE  [sshd] 183.3.202.xxx already banned
>>> 2016-04-07 13:23:02,893 fail2ban.actions        [3526]: NOTICE  [ssh] 183.3.202.xxx already banned
>>> root@xxx:~# iptables -L
>>> Chain INPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain FORWARD (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>> root@bmn1:~# sudo iptables -L
>>> Chain INPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain FORWARD (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> The chain rules seem to be empty ...
>>>
>>> root@xxx:~# service fail2ban restart
>>>    * Restarting authentication failure monitor fail2ban
>>> root@xxx:~# iptables -n -L
>>> Chain INPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>> f2b-hn-apache-retry-ban  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
>>> f2b-apache  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
>>> f2b-ssh    tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
>>> f2b-php-url-fopen  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
>>> f2b-apache-nohome  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
>>> f2b-apache-overflows  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
>>> f2b-apache-badbots  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
>>> f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0 multiport dports 22
>>>
>>> Chain FORWARD (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain f2b-apache (1 references)
>>> target     prot opt source               destination
>>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>>>
>>> Chain f2b-apache-badbots (1 references)
>>> target     prot opt source               destination
>>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>>>
>>> Chain f2b-apache-nohome (1 references)
>>> target     prot opt source               destination
>>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>>>
>>> Chain f2b-apache-overflows (1 references)
>>> target     prot opt source               destination
>>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>>>
>>> Chain f2b-hn-apache-retry-ban (1 references)
>>> target     prot opt source               destination
>>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>>>
>>> Chain f2b-php-url-fopen (1 references)
>>> target     prot opt source               destination
>>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>>>
>>> Chain f2b-ssh (1 references)
>>> target     prot opt source               destination
>>> REJECT     all  --  221.229.162.xxx      0.0.0.0/0            reject-with icmp-port-unreachable
>>> REJECT     all  --  183.3.202.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
>>> REJECT     all  --  111.13.70.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
>>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>>>
>>> Chain f2b-sshd (1 references)
>>> target     prot opt source               destination
>>> REJECT     all  --  221.229.162.xxx      0.0.0.0/0            reject-with icmp-port-unreachable
>>> REJECT     all  --  186.228.90.xxx       0.0.0.0/0            reject-with icmp-port-unreachable
>>> REJECT     all  --  183.3.202.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
>>> REJECT     all  --  14.139.46.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
>>> REJECT     all  --  111.13.70.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
>>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>>>
>>> After an explicit restart, the system seems to be up and running 
>>> again ...
>>>
>>> I feel a bit at loss here ...
>>>
>>> Thanks for any hints!
>>> Alexander
>>>
>>>> By design, f2b (when restarting) unblocks all blocked IP addresses
>>>> within its own DB, it then removes the f2b chains from iptables. It 
>>>> then starts up creating the chains and re-adds the IPs that are within 
>>>> the selected time scale of bans.
>>>>
>>>> It does not remove anything other than its own chains in iptables.
>>>>
>>>> How do you have the load balanced rules set? Are they persistent in a
>>>> file that is always run from server start up?
>>>>
>>>> I have a reset firewall script that, once f2b is shut down, I run and it
>>>> reloads my own pre-set rules on iptables, then I fire up f2b. I've 
>>>> never had it remove rules, or chains that are not starting "f2b-chainname"
>>>> (i.e. f2b-php-url-open) etc.
>>>>
>>>> If you do an iptables -n -L do your f2b chains all start with chain 
>>>> f2b- ?
>>>> If the f2b chains are missing and all your rules are not starting as
>>>> above, I suppose there is a chance it could remove rules it never
>>>> created, although I would doubt that.
>>>>
>>>> I hope this helps a little.
>>>>
>>>> Steve
>>>
>>> ---
>>> This e-mail has been checked for viruses by Avast antivirus software.
>>> https://www.avast.com/antivirus
>>>
>>>
>>> ------------------------------------------------------------------------------
>>>  
>>>
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users