I seem to think your version of iptables may support the -w switch. Try
a full command. If it does not, I can't remember where in the f2b
actions to make the change. It is one of the default settings. I may be
able to find out when I get home.
For firewall restarting, all sorts of things could cause it, WAN IP
glitches or changes and so on. I run ClearOS which deviates a bit from
EL and CentOS and they have a structure so that any rules in
/etc/clearos/firewall.d/local execute on firewall restart (as do a whole
bunch of others from a couple of files which contain the basic rules and
the rules applied through their webconfig), but this is ClearOS
specific. I've no idea for your distro.
Nick
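As an added example (not from this thread, and not fail2ban's own code): a small Python parser for the fail2ban.log format quoted below that pairs each "Ban" notice with the subsequent "Failed to execute ban jail" error for the same jail, so an operator can see that bans are being logged but never reaching iptables, and whether the failing invariant check was run with -w. The sample log is constructed from the excerpt in the thread.

```python
import re

# Constructed sample, modelled on the fail2ban.log excerpt quoted in the thread.
SAMPLE_LOG = """\
2016-04-06 08:53:21,731 fail2ban.actions [3526]: NOTICE [sshd] Ban 146.0.77.xxx
2016-04-06 08:53:21,836 fail2ban.action [3526]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \\t]' -- returned 1
2016-04-06 08:53:21,836 fail2ban.CommandAction [3526]: ERROR Invariant check failed. Trying to restore a sane environment
2016-04-06 08:53:21,942 fail2ban.actions [3526]: ERROR Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'CallingMap(...)': Error stopping action
2016-04-06 08:53:25,738 fail2ban.actions [3526]: NOTICE [ssh] Ban 146.0.77.xxx
2016-04-06 08:53:25,843 fail2ban.action [3526]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-ssh[ \\t]' -- returned 1
2016-04-06 08:53:25,949 fail2ban.actions [3526]: ERROR Failed to execute ban jail 'ssh' action 'iptables-multiport' info 'CallingMap(...)': Error stopping action
2016-04-06 09:10:02,100 fail2ban.actions [3526]: NOTICE [apache] Ban 10.0.0.5
"""

BAN_RE = re.compile(r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$")
# 'fail2ban.action' (singular) lines carry the shell command fail2ban ran and its exit status.
CMD_RE = re.compile(r"fail2ban\.action\s+\[\d+\]: ERROR\s+(?P<cmd>.+?) -- returned (?P<rc>\d+)$")
FAIL_RE = re.compile(r"fail2ban\.actions\s+\[\d+\]: ERROR\s+Failed to execute ban jail '(?P<jail>[^']+)'")
CHAIN_RE = re.compile(r"f2b-(?P<jail>[\w-]+)")  # fail2ban names its chains f2b-<jail>


def find_unenforced_bans(log_text):
    """Return {jail: [(ip, failing_command), ...]} for bans whose iptables action failed."""
    pending = {}   # jail -> IP of the latest Ban notice not yet confirmed or failed
    last_cmd = {}  # jail -> last iptables command touching chain f2b-<jail> that returned rc != 0
    unenforced = {}
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if m:
            pending[m["jail"]] = m["ip"]
            continue
        m = CMD_RE.search(line)
        if m and m["rc"] != "0":
            chain = CHAIN_RE.search(m["cmd"])
            if chain:
                last_cmd[chain["jail"]] = m["cmd"]
            continue
        m = FAIL_RE.search(line)
        if m:
            ip = pending.pop(m["jail"], None)
            if ip is not None:  # only count it when a Ban notice preceded the failure
                unenforced.setdefault(m["jail"], []).append((ip, last_cmd.get(m["jail"], "")))
    return unenforced


def uses_wait_option(cmd):
    """True if the failing iptables command was run with -w (the switch discussed in the thread)."""
    return re.search(r"(^|\s)-w(\s|$)", cmd) is not None


if __name__ == "__main__":
    for jail, entries in find_unenforced_bans(SAMPLE_LOG).items():
        for ip, cmd in entries:
            hint = " (command used -w)" if uses_wait_option(cmd) else ""
            print(f"[{jail}] ban of {ip} NOT enforced; failing check: {cmd}{hint}")
```

Point it at a real /var/log/fail2ban.log to list every ban that fail2ban believes it applied but iptables rejected; the apache ban in the sample is reported as fine because no error follows it.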
On 2016-04-07 13:08, Alexander R. Gruber wrote:
> Hello Nick!
>
> # iptables -V
> iptables v1.4.21
> # iptables -w
> iptables v1.4.21: no command specified
> Try `iptables -h' or 'iptables --help' for more information.
>
> What you said before - that the firewall rules need to be loaded at
> every start/restart of the firewall itself, not only on system start -
> absolutely makes sense!
> So IF f2b would restart the firewall for whatever reason, the NAT
> rules could be lost.
>
> So what should I do with the config in this case? Just remove the -w
> switch, or replace it with something else?
>
> Thank you!
> Alexander
>
> On 07.04.2016 21:03, Nick Howitt wrote:
>> What version of iptables are you running? My version (I can't check at
>> the moment) and any el6 derivative do not support the -w switch, so
>> it needs to be removed from the f2b configs.
>>
>> Nick
>>
>> On 2016-04-07 12:50, Alexander R. Gruber wrote:
>>> Sorry for replying to myself, but I found a lot of errors in the log
>>> that might have to do with the problem at hand:
>>>
>>> <snip>
>>> 2016-04-06 08:53:19,351 fail2ban.filter [3526]: INFO [ssh]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:19,352 fail2ban.filter [3526]: INFO [sshd]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:19,577 fail2ban.filter [3526]: INFO [ssh]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:19,578 fail2ban.filter [3526]: INFO [sshd]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:21,608 fail2ban.filter [3526]: INFO [sshd]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:21,609 fail2ban.filter [3526]: INFO [ssh]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:21,731 fail2ban.actions [3526]: NOTICE [sshd]
>>> Ban 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:21,836 fail2ban.action [3526]: ERROR
>>> iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: ''
>>>
>>> 2016-04-06 08:53:21,836 fail2ban.action [3526]: ERROR
>>> iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: ''
>>>
>>> 2016-04-06 08:53:21,836 fail2ban.action [3526]: ERROR
>>> iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
>>>
>>> 2016-04-06 08:53:21,836 fail2ban.CommandAction [3526]: ERROR
>>> Invariant check failed. Trying to restore a sane environment
>>>
>>> 2016-04-06 08:53:21,941 fail2ban.action [3526]: ERROR
>>> iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
>>>
>>> iptables -w -F f2b-sshd
>>>
>>> iptables -w -X f2b-sshd -- stdout: ''
>>>
>>> 2016-04-06 08:53:21,941 fail2ban.action [3526]: ERROR
>>> iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
>>>
>>> iptables -w -F f2b-sshd
>>>
>>> iptables -w -X f2b-sshd -- stderr: "iptables v1.4.21: Couldn't load
>>> target `f2b-sshd':No such file or directory\n\nTry `iptables -h' or
>>> 'iptables --help' for more information.\niptables: No
>>> chain/target/match by that name.\niptables: No chain/target/match by
>>> that name.\n"
>>>
>>> 2016-04-06 08:53:21,941 fail2ban.action [3526]: ERROR
>>> iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
>>>
>>> iptables -w -F f2b-sshd
>>>
>>> iptables -w -X f2b-sshd -- returned 1
>>>
>>> 2016-04-06 08:53:21,942 fail2ban.actions [3526]: ERROR Failed
>>> to execute ban jail 'sshd' action 'iptables-multiport' info
>>> 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f3f3dfff938>,
>>> 'matches': u'Apr 6 08:53:19 bmn1 sshd[15131]: Invalid user ftpuser
>>> from 146.0.77.xxx\nApr 6 08:53:19 bmn1 sshd[15131]:
>>> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
>>> tty=ssh ruser= rhost=146.0.77.xxx \nApr 6 08:53:21 bmn1 sshd[15131]:
>>> Failed password for invalid user ftpuser from 146.0.77.xxx port 50352
>>> ssh2', 'ip': '146.0.77.xxx', 'ipmatches': <function <lambda> at
>>> 0x7f3f3dfff848>, 'ipfailures': <function <lambda> at 0x7f3f3dfff7d0>,
>>> 'time': 1459925601.7313, 'failures': 3, 'ipjailfailures': <function
>>> <lambda> at 0x7f3f3dfff758>})': Error stopping action
>>>
>>> 2016-04-06 08:53:22,865 fail2ban.filter [3526]: INFO [sshd]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:22,867 fail2ban.filter [3526]: INFO [ssh]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:23,424 fail2ban.filter [3526]: INFO [sshd]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:23,426 fail2ban.filter [3526]: INFO [ssh]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:25,339 fail2ban.filter [3526]: INFO [ssh]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:25,340 fail2ban.filter [3526]: INFO [sshd]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:25,738 fail2ban.actions [3526]: NOTICE [ssh]
>>> Ban 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:25,843 fail2ban.action [3526]: ERROR
>>> iptables -w -n -L INPUT | grep -q 'f2b-ssh[ \t]' -- stdout: ''
>>>
>>> 2016-04-06 08:53:25,843 fail2ban.action [3526]: ERROR
>>> iptables -w -n -L INPUT | grep -q 'f2b-ssh[ \t]' -- stderr: ''
>>>
>>> 2016-04-06 08:53:25,843 fail2ban.action [3526]: ERROR
>>> iptables -w -n -L INPUT | grep -q 'f2b-ssh[ \t]' -- returned 1
>>>
>>> 2016-04-06 08:53:25,843 fail2ban.CommandAction [3526]: ERROR
>>> Invariant check failed. Trying to restore a sane environment
>>>
>>> 2016-04-06 08:53:25,947 fail2ban.actions [3526]: NOTICE [sshd]
>>> 146.0.77.xxx already banned
>>>
>>> 2016-04-06 08:53:25,948 fail2ban.action [3526]: ERROR
>>> iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-ssh
>>>
>>> iptables -w -F f2b-ssh
>>>
>>> iptables -w -X f2b-ssh -- stdout: ''
>>>
>>> 2016-04-06 08:53:25,949 fail2ban.action [3526]: ERROR
>>> iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-ssh
>>>
>>> iptables -w -F f2b-ssh
>>>
>>> iptables -w -X f2b-ssh -- stderr: "iptables v1.4.21: Couldn't load
>>> target `f2b-ssh':No such file or directory\n\nTry `iptables -h' or
>>> 'iptables --help' for more information.\niptables: No
>>> chain/target/match by that name.\niptables: No chain/target/match by
>>> that name.\n"
>>>
>>> 2016-04-06 08:53:25,949 fail2ban.action [3526]: ERROR
>>> iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-ssh
>>>
>>> iptables -w -F f2b-ssh
>>>
>>> iptables -w -X f2b-ssh -- returned 1
>>>
>>> 2016-04-06 08:53:25,949 fail2ban.actions [3526]: ERROR Failed
>>> to execute ban jail 'ssh' action 'iptables-multiport' info
>>> 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f3f3dfff7d0>,
>>> 'matches': u'Apr 6 08:53:19 bmn1 sshd[15131]: Invalid user ftpuser
>>> from 146.0.77.xxx\nApr 6 08:53:19 bmn1 sshd[15131]:
>>> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
>>> tty=ssh ruser= rhost=146.0.77.xxx \nApr 6 08:53:21 bmn1 sshd[15131]:
>>> Failed password for invalid user ftpuser from 146.0.77.xxx port 50352
>>> ssh2\nApr 6 08:53:22 bmn1 sshd[15140]: Invalid user ftpuser from
>>> 146.0.77.xxx\nApr 6 08:53:23 bmn1 sshd[15140]: pam_unix(sshd:auth):
>>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>>> rhost=146.0.77.xxx \nApr 6 08:53:25 bmn1 sshd[15140]: Failed password
>>> for invalid user ftpuser from 146.0.77.xxx port 50691 ssh2', 'ip':
>>> '146.0.77.xxx', 'ipmatches': <function <lambda> at 0x7f3f3dfff758>,
>>> 'ipfailures': <function <lambda> at 0x7f3f3dfff848>, 'time':
>>> 1459925605.738062, 'failures': 6, 'ipjailfailures': <function <lambda>
>>> at 0x7f3f3dfff938>})': Error stopping action
>>>
>>> 2016-04-06 08:53:26,498 fail2ban.filter [3526]: INFO [ssh]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:26,500 fail2ban.filter [3526]: INFO [sshd]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:26,523 fail2ban.filter [3526]: INFO [ssh]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:26,525 fail2ban.filter [3526]: INFO [sshd]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:28,182 fail2ban.filter [3526]: INFO [ssh]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:28,183 fail2ban.filter [3526]: INFO [sshd]
>>> Found 146.0.77.xxx
>>>
>>> 2016-04-06 08:53:28,950 fail2ban.actions [3526]: NOTICE [sshd]
>>> 146.0.77.xxx already banned
>>> <snap>
>>>
>>>
>>>
>>> On 07.04.2016 20:33, Alexander R. Gruber wrote:
>>>> Thank you Steve, for your answer.
>>>>
>>>> To your questions:
>>>>
>>>>> How do you have the load balanced rules set? Are they persistent in
>>>>> a file that is always run from server start up?
>>>> -> I have a startup script that sets the firewall NAT rules on
>>>> every startup of the system in RC4.
>>>>
>>>> Every few hours f2b reloads the firewall rules from its database
>>>> (according to the log), and when that happens the NAT rules vanish
>>>> from my server - leading to a STOP in service, as the load balancing
>>>> breaks.
>>>>
>>>> The time this happens is every few hours and always goes hand in
>>>> hand with the time in the f2b log where the system does the
>>>> aforementioned process of "resetting" and loading stuff from its
>>>> database.
>>>> So I have a strong bias towards f2b being the "culprit", as this is
>>>> the only process that fiddles around with the iptables in the first
>>>> instance.
>>>>
>>>> I also noticed very strange things:
>>>>
>>>> <snip>
>>>> 2016-04-07 13:22:19,849 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:20,294 fail2ban.actions [3526]: NOTICE [sshd] 183.3.202.200 already banned
>>>> 2016-04-07 13:22:21,836 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:21,837 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:28,687 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:28,688 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:30,912 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:30,913 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:31,306 fail2ban.actions [3526]: NOTICE [sshd] 183.3.202.xxx already banned
>>>> 2016-04-07 13:22:31,857 fail2ban.actions [3526]: NOTICE [ssh] 183.3.202.xxx already banned
>>>> 2016-04-07 13:22:42,443 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:42,445 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:44,260 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:44,260 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:50,860 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:50,861 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:51,329 fail2ban.actions [3526]: NOTICE [sshd] 183.3.202.xxx already banned
>>>> 2016-04-07 13:22:53,105 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:53,106 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:23:00,356 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:23:00,358 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:23:01,974 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:23:01,975 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:23:02,342 fail2ban.actions [3526]: NOTICE [sshd] 183.3.202.xxx already banned
>>>> 2016-04-07 13:23:02,893 fail2ban.actions [3526]: NOTICE [ssh] 183.3.202.xxx already banned
>>>> root@xxx:~# iptables -L
>>>> Chain INPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain FORWARD (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>> root@bmn1:~# sudo iptables -L
>>>> Chain INPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain FORWARD (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> The chain rules seem to be empty ...
>>>>
>>>> root@xxx:~# service fail2ban restart
>>>> * Restarting authentication failure monitor fail2ban
>>>> root@xxx:~# iptables -n -L
>>>> Chain INPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>> f2b-hn-apache-retry-ban tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
>>>> f2b-apache tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
>>>> f2b-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
>>>> f2b-php-url-fopen tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
>>>> f2b-apache-nohome tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
>>>> f2b-apache-overflows tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
>>>> f2b-apache-badbots tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
>>>> f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
>>>>
>>>> Chain FORWARD (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain f2b-apache (1 references)
>>>> target prot opt source destination
>>>> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>>>>
>>>> Chain f2b-apache-badbots (1 references)
>>>> target prot opt source destination
>>>> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>>>>
>>>> Chain f2b-apache-nohome (1 references)
>>>> target prot opt source destination
>>>> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>>>>
>>>> Chain f2b-apache-overflows (1 references)
>>>> target prot opt source destination
>>>> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>>>>
>>>> Chain f2b-hn-apache-retry-ban (1 references)
>>>> target prot opt source destination
>>>> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>>>>
>>>> Chain f2b-php-url-fopen (1 references)
>>>> target prot opt source destination
>>>> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>>>>
>>>> Chain f2b-ssh (1 references)
>>>> target prot opt source destination
>>>> REJECT all -- 221.229.162.xxx 0.0.0.0/0 reject-with icmp-port-unreachable
>>>> REJECT all -- 183.3.202.xxx 0.0.0.0/0 reject-with icmp-port-unreachable
>>>> REJECT all -- 111.13.70.xxx 0.0.0.0/0 reject-with icmp-port-unreachable
>>>> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>>>>
>>>> Chain f2b-sshd (1 references)
>>>> target prot opt source destination
>>>> REJECT all -- 221.229.162.xxx 0.0.0.0/0 reject-with icmp-port-unreachable
>>>> REJECT all -- 186.228.90.xxx 0.0.0.0/0 reject-with icmp-port-unreachable
>>>> REJECT all -- 183.3.202.xxx 0.0.0.0/0 reject-with icmp-port-unreachable
>>>> REJECT all -- 14.139.46.xxx 0.0.0.0/0 reject-with icmp-port-unreachable
>>>> REJECT all -- 111.13.70.xxx 0.0.0.0/0 reject-with icmp-port-unreachable
>>>> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>>>>
>>>> After an explicit restart, the system seems to be up and running
>>>> again ...
>>>>
>>>> I feel a bit at loss here ...
>>>>
>>>> Thanks for any hints!
>>>> Alexander
>>>>
>>>>> By design, f2b (when restarting) unblocks all blocked IP addresses
>>>>> within its own DB; it then removes the f2b chains from iptables. It
>>>>> then starts up creating the chains and re-adds the IPs that are
>>>>> within the selected time scale of bans.
>>>>>
>>>>> It does not remove anything other than its own chains in IPtables.
>>>>>
>>>>> How do you have the load balanced rules set? Are they persistent in
>>>>> a file that is always run from server start up?
>>>>>
>>>>> I have a reset firewall script that, once f2b is shut down, I run,
>>>>> and it reloads my own pre-set rules on iptables; then I fire up f2b.
>>>>> I've never had it remove rules, or chains that do not start with
>>>>> "f2b-chainname" (i.e. f2b-php-url-open) etc.
>>>>>
>>>>> If you do an iptables -n -L, do your f2b chains all start with
>>>>> chain f2b-? If the f2b chains are missing and all your rules are
>>>>> not starting as above, I suppose there is a chance it could remove
>>>>> rules it never created, although I would doubt that.
>>>>>
>>>>> I hope this helps a little.
>>>>>
>>>>> Steve
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>
>
> ---
> This e-mail was checked for viruses by Avast antivirus software.
> https://www.avast.com/antivirus
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users