Hello Bill,
there is no Load-Balancer on the machine. The machine is a simple
webnode, where a loadbalancer sends requests to, which are then answered
by the node - directly to the requesting client.
This is done by simple iptable rules:
root@xxx:/etc/network/if-pre-up.d# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere 185.55.25.xxx tcp dpt:http
to:185.55.25.xxx:80
DNAT tcp -- anywhere 185.55.25.xxx tcp dpt:https
to:185.55.25.xxx:443
it seems like f2b has trouble managing it's chains on my machine. The
chains just vanish at some point.
root@xxx:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
They seem to get lost - and afterwards I get the "already banned"
entries in the log.
Before the "already banned" problem - this seems to happen:
2016-04-06 08:53:19,351 fail2ban.filter [3526]: INFO [ssh] Found
146.0.77.xxx
2016-04-06 08:53:19,352 fail2ban.filter [3526]: INFO [sshd] Found
146.0.77.xxx
2016-04-06 08:53:19,577 fail2ban.filter [3526]: INFO [ssh] Found
146.0.77.xxx
2016-04-06 08:53:19,578 fail2ban.filter [3526]: INFO [sshd] Found
146.0.77.xxx
2016-04-06 08:53:21,608 fail2ban.filter [3526]: INFO [sshd] Found
146.0.77.xxx
2016-04-06 08:53:21,609 fail2ban.filter [3526]: INFO [ssh] Found
146.0.77.xxx
2016-04-06 08:53:21,731 fail2ban.actions [3526]: NOTICE [sshd] Ban
146.0.77.xxx
2016-04-06 08:53:21,836 fail2ban.action [3526]: ERROR iptables -w -n
-L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: ''
2016-04-06 08:53:21,836 fail2ban.action [3526]: ERROR iptables -w -n
-L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: ''
2016-04-06 08:53:21,836 fail2ban.action [3526]: ERROR iptables -w -n
-L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
2016-04-06 08:53:21,836 fail2ban.CommandAction [3526]: ERROR Invariant check
failed. Trying to restore a sane environment
2016-04-06 08:53:21,941 fail2ban.action [3526]: ERROR iptables -w -D
INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stdout: ''
2016-04-06 08:53:21,941 fail2ban.action [3526]: ERROR iptables -w -D
INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stderr: "iptables v1.4.21: Couldn't load target
`f2b-sshd':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more
information.\niptables: No chain/target/match by that name.\niptables: No
chain/target/match by that name.\n"
2016-04-06 08:53:21,941 fail2ban.action [3526]: ERROR iptables -w -D
INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- returned 1
2016-04-06 08:53:21,942 fail2ban.actions [3526]: ERROR Failed to execute ban jail 'sshd' action 'iptables-multiport'
info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f3f3dfff938>, 'matches': u'Apr 6 08:53:19 bmn1
sshd[15131]: Invalid user ftpuser from 146.0.77.xxx\nApr 6 08:53:19 bmn1 sshd[15131]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=146.0.77.xxx \nApr 6 08:53:21 bmn1 sshd[15131]: Failed password for
invalid user ftpuser from 146.0.77.xxx port 50352 ssh2', 'ip': '146.0.77.xxx', 'ipmatches': <function <lambda> at
0x7f3f3dfff848>, 'ipfailures': <function <lambda> at 0x7f3f3dfff7d0>, 'time': 1459925601.7313, 'failures': 3,
'ipjailfailures': <function <lambda> at 0x7f3f3dfff758>})': Error stopping action
The "fail2ban.action" Errors seem to span all jails, so I guess there is
something wrong going on here.
My config in /etc/fail2ban/jail.local:
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# Comments: use '#' for comment lines and ';' for inline comments
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# The DEFAULT allows a global definition of the options. They can be
overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban
will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 185.55.25.119
# "bantime" is the number of seconds that a host is banned.
bantime = 7200
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
maxretry = 3
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external
libraries.
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
backend = auto
# "usedns" specifies if jails should trust hostnames in logs,
# warn when reverse DNS lookups are performed, or ignore all hostnames
in logs
#
# yes: if a hostname is encountered, a reverse DNS lookup will be
performed.
# warn: if a hostname is encountered, a reverse DNS lookup will be
performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = [email protected]
#
# Name of the sender for mta actions
sendername = Fail2BanAlerts
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s",
protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s",
protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s",
protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s",
protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s,
dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s",
sendername="%(sendername)s"]
# Choose default action. To change, just override value of 'action'
with the
# interpolation to the chosen action shortcut (e.g. action_mw,
action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
[dropbear]
enabled = false
port = ssh
filter = dropbear
logpath = /var/log/auth.log
maxretry = 6
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some
possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
[ssh-ddos]
enabled = false
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
# Here we use blackhole routes for not requiring any additional kernel
support
# to store large volumes of banned IPs
[ssh-route]
enabled = false
filter = sshd
action = route
logpath = /var/log/sshd.log
maxretry = 6
# Here we use a combination of Netfilter/Iptables and IPsets
# for storing large volumes of banned IPs
#
# IPset comes in two versions. See ipset -V for which one to use
# requires the ipset package and kernel support.
[ssh-iptables-ipset4]
enabled = false
port = ssh
filter = sshd
banaction = iptables-ipset-proto4
logpath = /var/log/sshd.log
maxretry = 6
[ssh-iptables-ipset6]
enabled = false
port = ssh
filter = sshd
banaction = iptables-ipset-proto6
logpath = /var/log/sshd.log
maxretry = 6
#
# HTTP servers
#
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 5
findtime = 600
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/error.log
maxretry = 2
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/error.log
maxretry = 2
[apache-nohome]
enabled = true
port = http,https
filter = apache-nohome
logpath = /var/log/apache2/error.log
maxretry = 2
[hn-apache-retry-ban]
enabled = true
port = http,https
filter = hn-apache-retry-ban
logpath = /var/log/apache2/access.log
maxretry = 5
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen
logpath = /var/log/apache*/*access.log
# A simple PHP-fastcgi jail which works with lighttpd.
# If you run a lighttpd server, then you probably will
# find these kinds of messages in your error_log:
# ALERT – tried to register forbidden variable ‘GLOBALS’
# through GET variables (attacker '1.2.3.4', file
'/var/www/default/htdocs/index.php')
[lighttpd-fastcgi]
enabled = false
port = http,https
filter = lighttpd-fastcgi
logpath = /var/log/lighttpd/error.log
# Same as above for mod_auth
# It catches wrong authentifications
[lighttpd-auth]
enabled = false
port = http,https
filter = suhosin
logpath = /var/log/lighttpd/error.log
[nginx-http-auth]
enabled = false
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
# Monitor roundcube server
[roundcube-auth]
enabled = false
filter = roundcube-auth
port = http,https
logpath = /var/log/roundcube/userlogins
[sogo-auth]
enabled = false
filter = sogo-auth
port = http, https
# without proxy this would be:
# port = 20000
logpath = /var/log/sogo/sogo.log
#
# FTP servers
#
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6
[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[pure-ftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 6
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/syslog
maxretry = 6
#
# Mail servers
#
[postfix]
enabled = false
port = smtp,ssmtp,submission
filter = postfix
logpath = /var/log/mail.log
[couriersmtp]
enabled = false
port = smtp,ssmtp,submission
filter = couriersmtp
logpath = /var/log/mail.log
#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
[courierauth]
enabled = false
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log
[sasl]
enabled = false
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = postfix-sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log
[dovecot]
enabled = false
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
# To log wrong MySQL access attempts add to /etc/my.cnf:
# log-error=/var/log/mysqld.log
# log-warning = 2
[mysqld-auth]
enabled = false
filter = mysqld-auth
port = 3306
logpath = /var/log/mysqld.log
# DNS Servers
# These jails block attacks against named (bind9). By default, logging
is off
# with bind9 installation. You will need something like this:
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# };
#
# in your named.conf to provide proper logging
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled = false
#port = domain,953
#protocol = udp
#filter = named-refused
#logpath = /var/log/named/security.log
[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
# Multiple jails, 1 per protocol, are necessary ATM:
# see https://github.com/fail2ban/fail2ban/issues/37
[asterisk-tcp]
enabled = false
filter = asterisk
port = 5060,5061
protocol = tcp
logpath = /var/log/asterisk/messages
[asterisk-udp]
enabled = false
filter = asterisk
port = 5060,5061
protocol = udp
logpath = /var/log/asterisk/messages
# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
# Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled = false
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
sendmail-whois-lines[name=recidive,
logpath=/var/log/fail2ban.log]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5
##################################################################
The Jail Actions are all "out of the box" except
/etc/fail2ban/filter.d/hn-apache-retry-ban.conf
[Definition]
# Use this for "soft" bad behaviour, as the source will only be banned after
multiple retries.
failregex = ^<HOST> -.*"POST (/shop/downloader/index.php\?A=loggedin HTTP.*"
302|/shop/index.php/backend HTTP.*" 200|/shop/index.php/backend/index/.* HTTP.*" 200).*$
ignoreregex =
This is meant to ban repeated faild login to Magento E-Commerce and the
Downloader component.
Thank you again for any hints concerning these trobles!
Best regards,
Alexander
On 08.04.2016 04:20, Bill Shirley wrote:
As far as I know, fail2ban never "reloads" the firewall rules.
fail2ban just manages its chains. Perhaps there's something
in the "load-balancer" doing this.
You should list your action rules and jail.
-> I have a startup script, that sets the Firewall NAT rules on every
startup of the system in RC4.
iptables defaults to -t filter which is what your including here. You
should be using -t nat if you think it's changing the NAT rules.
Bill
On 4/7/2016 7:33 AM, Alexander R. Gruber wrote:
Thank you Steve, for your answer.
To your questions:
How do you have the load balanced rules set? are they persistent in a
file that is always run from server start up?
-> I have a startup script, that sets the Firewall NAT rules on every startup
of the system in RC4.
Every few hours f2b reloads the Firewall rules from its database (according to
the log) and when that happens the NAT rules vanish from my server - leading to
a STOP in service, as the loadbalancing breaks.
The time this happens is every few hours and always goes hand in hand with the time in
the f2b log where the system does the before mentioned process of "resetting"
and loading stuff from its database.
So I have a strong bias towards f2b being the "culprit" as this is the only
process that fiddles around with the IPtables in the first instance.
I also noticed very strange things:
<snip>
2016-04-07 13:22:19,849 fail2ban.filter [3526]: INFO [ssh] Found
183.3.202.xxx
2016-04-07 13:22:20,294 fail2ban.actions [3526]: NOTICE [sshd]
183.3.202.200 already banned
2016-04-07 13:22:21,836 fail2ban.filter [3526]: INFO [ssh] Found
183.3.202.xxx
2016-04-07 13:22:21,837 fail2ban.filter [3526]: INFO [sshd] Found
183.3.202.xxx
2016-04-07 13:22:28,687 fail2ban.filter [3526]: INFO [sshd] Found
183.3.202.xxx
2016-04-07 13:22:28,688 fail2ban.filter [3526]: INFO [ssh] Found
183.3.202.xxx
2016-04-07 13:22:30,912 fail2ban.filter [3526]: INFO [ssh] Found
183.3.202.xxx
2016-04-07 13:22:30,913 fail2ban.filter [3526]: INFO [sshd] Found
183.3.202.xxx
2016-04-07 13:22:31,306 fail2ban.actions [3526]: NOTICE [sshd]
183.3.202.xxx already banned
2016-04-07 13:22:31,857 fail2ban.actions [3526]: NOTICE [ssh]
183.3.202.xxx already banned
2016-04-07 13:22:42,443 fail2ban.filter [3526]: INFO [sshd] Found
183.3.202.xxx
2016-04-07 13:22:42,445 fail2ban.filter [3526]: INFO [ssh] Found
183.3.202.xxx
2016-04-07 13:22:44,260 fail2ban.filter [3526]: INFO [sshd] Found
183.3.202.xxx
2016-04-07 13:22:44,260 fail2ban.filter [3526]: INFO [ssh] Found
183.3.202.xxx
2016-04-07 13:22:50,860 fail2ban.filter [3526]: INFO [sshd] Found
183.3.202.xxx
2016-04-07 13:22:50,861 fail2ban.filter [3526]: INFO [ssh] Found
183.3.202.xxx
2016-04-07 13:22:51,329 fail2ban.actions [3526]: NOTICE [sshd]
183.3.202.xxx already banned
2016-04-07 13:22:53,105 fail2ban.filter [3526]: INFO [sshd] Found
183.3.202.xxx
2016-04-07 13:22:53,106 fail2ban.filter [3526]: INFO [ssh] Found
183.3.202.xxx
2016-04-07 13:23:00,356 fail2ban.filter [3526]: INFO [ssh] Found
183.3.202.xxx
2016-04-07 13:23:00,358 fail2ban.filter [3526]: INFO [sshd] Found
183.3.202.xxx
2016-04-07 13:23:01,974 fail2ban.filter [3526]: INFO [ssh] Found
183.3.202.xxx
2016-04-07 13:23:01,975 fail2ban.filter [3526]: INFO [sshd] Found
183.3.202.xxx
2016-04-07 13:23:02,342 fail2ban.actions [3526]: NOTICE [sshd]
183.3.202.xxx already banned
2016-04-07 13:23:02,893 fail2ban.actions [3526]: NOTICE [ssh]
183.3.202.xxx already banned
root@xxx:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@bmn1:~# sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The chain rules seem to be empty ...
root@xxx:~# service fail2ban restart
* Restarting authentication failure monitor fail2ban
root@xxx:~# iptables -n -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-hn-apache-retry-ban tcp -- 0.0.0.0/0 0.0.0.0/0
multiport dports 80,443
f2b-apache tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports
80,443
f2b-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports
22
f2b-php-url-fopen tcp -- 0.0.0.0/0 0.0.0.0/0 multiport
dports 80,443
f2b-apache-nohome tcp -- 0.0.0.0/0 0.0.0.0/0 multiport
dports 80,443
f2b-apache-overflows tcp -- 0.0.0.0/0 0.0.0.0/0
multiport dports 80,443
f2b-apache-badbots tcp -- 0.0.0.0/0 0.0.0.0/0
multiport dports 80,443
f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports
22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-apache (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-apache-badbots (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-apache-nohome (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-apache-overflows (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-hn-apache-retry-ban (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-php-url-fopen (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-ssh (1 references)
target prot opt source destination
REJECT all -- 221.229.162.xxx 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- 183.3.202.xxx 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- 111.13.70.xxx 0.0.0.0/0 reject-with
icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 221.229.162.xxx 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- 186.228.90.xxx 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- 183.3.202.xxx 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- 14.139.46.xxx 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- 111.13.70.xxx 0.0.0.0/0 reject-with
icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
After an explicit restart, the system seems to be up and running again ...
I feel a bit at loss here ...
Thanks for any hints!
Alexander
By design, f2b (when restarting) unblocks all blocked IP addresses
within its own DB, it then removes the f2b chains from iptables. It then
starts up creating the chains and re-adds the IP's that are within the
selected time scale of bans.
It does not remove anything other than its own chains in IPtables.
How do you have the load balanced rules set? are they persistent in a
file that is always run from server start up?
I have a reset firewall script that once f2b is shutdown, i run and it
reloads my own pre-set rules on iptables, then i fire up f2b, i've never
had it remove rules, or chains that are not starting "f2b-chainname"
(i.e f2b-php-url-open) etc.
if you do a iptables -n -L do your f2b chains all start with chain f2b- ?
if the f2b chains are missing and all your rules are not starting as
above, i suppose there is a chance it could remove rules it never
created, although i would doubt that.
I hope this helps a little.
Steve
---
Diese E-Mail wurde von Avast Antivirus-Software auf Viren geprüft.
https://www.avast.com/antivirus
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
---
Diese E-Mail wurde von Avast Antivirus-Software auf Viren geprüft.
https://www.avast.com/antivirus
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
