As far as I know, fail2ban never "reloads" the firewall rules. fail2ban just manages its chains. Perhaps there's something in the "load-balancer" doing this.

You should list your action rules and jail.

-> I have a startup script that sets the Firewall NAT rules on every startup of the system in RC4.

iptables defaults to -t filter, which is what you're including here. You should be using -t nat if you think it's changing the NAT rules.

Bill
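One way to test Bill's point in practice, as an added example that is not part of this thread or of fail2ban: take an `iptables-save` snapshot (which dumps every table, unlike a plain `iptables -L`, which shows only `-t filter`) before and after a fail2ban restart, and diff them. The script below is my own; the two snapshots are constructed, the load-balancer NAT rules, the `203.0.113.5` address and the `10.0.0.x` backends are invented, and the only thread-derived facts are that fail2ban's chains are named `f2b-*` and live in the filter table.

```python
import re

# Constructed snapshots (not from the thread): BEFORE has the NAT
# load-balancer rules and one fail2ban ban in place; AFTER imitates the
# situation the thread describes, where the nat rules are gone after a
# fail2ban restart and an expired ban has been dropped from f2b-sshd.
BEFORE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 10.0.0.11:80
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.12:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT
"""

AFTER = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -j RETURN
COMMIT
"""

F2B_PREFIX = "f2b-"  # fail2ban names every chain it creates f2b-<jail>


def parse_save(text):
    """Parse iptables-save output into {table: {"chains": {...}, "rules": [...]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # *nat, *filter, ...
            table = line[1:]
            tables[table] = {"chains": {}, "rules": []}
        elif line.startswith(":"):               # :CHAIN POLICY [pkts:bytes]
            name, policy = line[1:].split()[:2]
            tables[table]["chains"][name] = policy
        elif line.startswith("-A "):             # one rule, as iptables-save prints it
            tables[table]["rules"].append(line)
        elif line == "COMMIT":
            table = None
    return tables


def is_fail2ban_rule(rule):
    """fail2ban owns the rules inside f2b-* chains and the jumps into them."""
    chain = rule.split()[1]
    return chain.startswith(F2B_PREFIX) or re.search(r"-j f2b-\S+", rule) is not None


def vanished_rules(before, after):
    """Rules present in `before` but absent from `after`, grouped by table."""
    gone = {}
    for table, data in before.items():
        still_there = set(after.get(table, {}).get("rules", []))
        missing = [r for r in data["rules"] if r not in still_there]
        if missing:
            gone[table] = missing
    return gone


def explain(before_text, after_text):
    """Return (table, owner, rule) for every rule that vanished between the snapshots."""
    gone = vanished_rules(parse_save(before_text), parse_save(after_text))
    return [(table, "fail2ban" if is_fail2ban_rule(r) else "NOT fail2ban", r)
            for table, rules in gone.items() for r in rules]


if __name__ == "__main__":
    for table, owner, rule in explain(BEFORE, AFTER):
        print(f"[{table:6}] {owner:12} {rule}")
```

On a real host, run `iptables-save > before.txt`, wait for the time the fail2ban log shows the reload, run `iptables-save > after.txt`, and call `explain()` on the two files' contents. Every vanished rule reported as NOT fail2ban in the nat table is one that fail2ban's chain management would not have touched, which narrows the search to whatever else rewrites that table.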

On 4/7/2016 7:33 AM, Alexander R. Gruber wrote:
Thank you Steve, for your answer.

To your questions:

How do you have the load balanced rules set? are they persistent in a
file that is always run from server start up?
-> I have a startup script that sets the Firewall NAT rules on every startup of the system in RC4.

Every few hours f2b reloads the Firewall rules from its database (according to the log), and when that happens the NAT rules vanish from my server, leading to a STOP in service, as the load balancing breaks.

The time this happens is every few hours and always goes hand in hand with the time in the f2b log where the system does the aforementioned process of "resetting" and loading stuff from its database.
So I have a strong bias towards f2b being the "culprit", as this is the only process that fiddles around with iptables in the first instance.

I also noticed very strange things:

<snip>
2016-04-07 13:22:19,849 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:22:20,294 fail2ban.actions        [3526]: NOTICE  [sshd] 183.3.202.200 already banned
2016-04-07 13:22:21,836 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:22:21,837 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:22:28,687 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:22:28,688 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:22:30,912 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:22:30,913 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:22:31,306 fail2ban.actions        [3526]: NOTICE  [sshd] 183.3.202.xxx already banned
2016-04-07 13:22:31,857 fail2ban.actions        [3526]: NOTICE  [ssh] 183.3.202.xxx already banned
2016-04-07 13:22:42,443 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:22:42,445 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:22:44,260 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:22:44,260 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:22:50,860 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:22:50,861 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:22:51,329 fail2ban.actions        [3526]: NOTICE  [sshd] 183.3.202.xxx already banned
2016-04-07 13:22:53,105 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:22:53,106 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:23:00,356 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:23:00,358 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:23:01,974 fail2ban.filter         [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:23:01,975 fail2ban.filter         [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:23:02,342 fail2ban.actions        [3526]: NOTICE  [sshd] 183.3.202.xxx already banned
2016-04-07 13:23:02,893 fail2ban.actions        [3526]: NOTICE  [ssh] 183.3.202.xxx already banned

root@xxx:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@bmn1:~# sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The chain rules seem to be empty ...

root@xxx:~# service fail2ban restart
   * Restarting authentication failure monitor fail2ban
root@xxx:~# iptables -n -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-hn-apache-retry-ban  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
f2b-apache  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
f2b-ssh    tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
f2b-php-url-fopen  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
f2b-apache-nohome  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
f2b-apache-overflows  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
f2b-apache-badbots  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-apache (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-apache-badbots (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-apache-nohome (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-apache-overflows (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-hn-apache-retry-ban (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-php-url-fopen (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-ssh (1 references)
target     prot opt source               destination
REJECT     all  --  221.229.162.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  183.3.202.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  111.13.70.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  221.229.162.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  186.228.90.xxx       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  183.3.202.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  14.139.46.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  111.13.70.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

After an explicit restart, the system seems to be up and running again ...

I feel a bit at loss here ...

Thanks for any hints!
Alexander

By design, f2b (when restarting) unblocks all blocked IP addresses within its own DB, then removes the f2b chains from iptables. It then starts up, creating the chains and re-adding the IPs that are within the selected time scale of bans.

It does not remove anything other than its own chains in iptables.

How do you have the load-balanced rules set? Are they persistent in a file that is always run from server start-up?

I have a reset firewall script that, once f2b is shut down, I run, and it reloads my own pre-set rules on iptables; then I fire up f2b. I've never had it remove rules or chains that do not start with "f2b-chainname" (i.e. f2b-php-url-open) etc.

If you do an iptables -n -L, do your f2b chains all start with f2b-? If the f2b chains are missing and all your rules are not starting as above, I suppose there is a chance it could remove rules it never created, although I would doubt that.

I hope this helps a little.

Steve


------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
