What I've found on my system (ClearOS) is, from the way the system is
implemented, that a firewall restart can happen for all sorts of
reasons. When it happens all f2b rules and chains get wiped. Clearly at
this point, if f2b tries to add a block it will fail.
To get round this I had to add a "service fail2ban reload" command to
the firewall reloading (for me I added a configlet
/etc/clearos/firewall.d/30-fail2ban with the command but this is distro
specific)
What you need to do is find the Ubuntu commands that run when the
firewall (re)loads and add an f2b reload command to it.
It may be that the /etc/network/if-pre-up.d is the place to put the
command but it does not seem right. You'd get away with it if that is
the only event which could cause the firewall to reload but is it? I
would rather tag the commands directly onto the firewall reloading
commands if at all possible.
Note I am not sure this is really an f2b issue unless they want to
address what happens to f2b when a firewall reloads. They perhaps could
monitor if the firewall chains and rules redirecting traffic through the
chains have disappeared then reload them or reload f2b in its entirety,
but is would be an enhancement.
Nick
On 2016-04-08 08:21, Tom Hendrikx wrote:
> Hi,
>
>
> You have firewall rules disappearing out of the blue, and you also have
> fail2ban chains missing out of the blue (see error log below).
>
> Seems to be you need to look for a third process meddling with your
> firewall, both f2b and your loadbalancer rules are ruined over by some
> other process.
>
> Regards,
> Tom
>
> On 08-04-16 03:44, Alexander R. Gruber wrote:
>> Hello Bill,
>>
>> there is no Load-Balancer on the machine. The machine is a simple
>> webnode, where a loadbalancer sends requests to, which are then
>> answered
>> by the node - directly to the requesting client.
>> This is done by simple iptable rules:
>>
>> root@xxx:/etc/network/if-pre-up.d# iptables -L -t nat
>>
>> Chain PREROUTING (policy ACCEPT)
>>
>> target prot opt source destination
>>
>> DNAT tcp -- anywhere 185.55.25.xxx tcp
>> dpt:http to:185.55.25.xxx:80
>>
>> DNAT tcp -- anywhere 185.55.25.xxx tcp
>> dpt:https to:185.55.25.xxx:443
>>
>>
>> it seems like f2b has trouble managing it's chains on my machine. The
>> chains just vanish at some point.
>>
>> root@xxx:~# iptables -L -n
>>
>> Chain INPUT (policy ACCEPT)
>>
>> target prot opt source destination
>>
>> Chain FORWARD (policy ACCEPT)
>>
>> target prot opt source destination
>>
>> Chain OUTPUT (policy ACCEPT)
>>
>> target prot opt source destination
>>
>> They seem to get lost - and afterwards I get the "already banned"
>> entries in the log.
>> Before the "already banned" problem - this seems to happen:
>>
>> 2016-04-06 08:53:19,351 fail2ban.filter [3526]: INFO [ssh]
>> Found 146.0.77.xxx
>>
>> 2016-04-06 08:53:19,352 fail2ban.filter [3526]: INFO [sshd]
>> Found 146.0.77.xxx
>>
>> 2016-04-06 08:53:19,577 fail2ban.filter [3526]: INFO [ssh]
>> Found 146.0.77.xxx
>>
>> 2016-04-06 08:53:19,578 fail2ban.filter [3526]: INFO [sshd]
>> Found 146.0.77.xxx
>>
>> 2016-04-06 08:53:21,608 fail2ban.filter [3526]: INFO [sshd]
>> Found 146.0.77.xxx
>>
>> 2016-04-06 08:53:21,609 fail2ban.filter [3526]: INFO [ssh]
>> Found 146.0.77.xxx
>>
>> 2016-04-06 08:53:21,731 fail2ban.actions [3526]: NOTICE [sshd]
>> Ban 146.0.77.xxx
>>
>> 2016-04-06 08:53:21,836 fail2ban.action [3526]: ERROR
>> iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: ''
>>
>> 2016-04-06 08:53:21,836 fail2ban.action [3526]: ERROR
>> iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: ''
>>
>> 2016-04-06 08:53:21,836 fail2ban.action [3526]: ERROR
>> iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
>>
>> 2016-04-06 08:53:21,836 fail2ban.CommandAction [3526]: ERROR
>> Invariant check failed. Trying to restore a sane environment
>>
>> 2016-04-06 08:53:21,941 fail2ban.action [3526]: ERROR
>> iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
>>
>> iptables -w -F f2b-sshd
>>
>> iptables -w -X f2b-sshd -- stdout: ''
>>
>> 2016-04-06 08:53:21,941 fail2ban.action [3526]: ERROR
>> iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
>>
>> iptables -w -F f2b-sshd
>>
>> iptables -w -X f2b-sshd -- stderr: "iptables v1.4.21: Couldn't load
>> target `f2b-sshd':No such file or directory\n\nTry `iptables -h' or
>> 'iptables --help' for more information.\niptables: No
>> chain/target/match by that name.\niptables: No chain/target/match by
>> that name.\n"
>>
>> 2016-04-06 08:53:21,941 fail2ban.action [3526]: ERROR
>> iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
>>
>> iptables -w -F f2b-sshd
>>
>> iptables -w -X f2b-sshd -- returned 1
>>
>> 2016-04-06 08:53:21,942 fail2ban.actions [3526]: ERROR Failed
>> to execute ban jail 'sshd' action 'iptables-multiport' info
>> 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f3f3dfff938>,
>> 'matches': u'Apr 6 08:53:19 bmn1 sshd[15131]: Invalid user ftpuser
>> from 146.0.77.xxx\nApr 6 08:53:19 bmn1 sshd[15131]:
>> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
>> tty=ssh ruser= rhost=146.0.77.xxx \nApr 6 08:53:21 bmn1 sshd[15131]:
>> Failed password for invalid user ftpuser from 146.0.77.xxx port 50352
>> ssh2', 'ip': '146.0.77.xxx', 'ipmatches': <function <lambda> at
>> 0x7f3f3dfff848>, 'ipfailures': <function <lambda> at 0x7f3f3dfff7d0>,
>> 'time': 1459925601.7313, 'failures': 3, 'ipjailfailures': <function
>> <lambda> at 0x7f3f3dfff758>})': Error stopping action
>>
>>
>> The "fail2ban.action" Errors seem to span all jails, so I guess there
>> is
>> something wrong going on here.
>>
>> My config in /etc/fail2ban/jail.local:
>>
>> # Fail2Ban configuration file.
>> #
>> # This file was composed for Debian systems from the original one
>> # provided now under /usr/share/doc/fail2ban/examples/jail.conf
>> # for additional examples.
>> #
>> # Comments: use '#' for comment lines and ';' for inline comments
>> #
>> # To avoid merges during upgrades DO NOT MODIFY THIS FILE
>> # and rather provide your changes in /etc/fail2ban/jail.local
>> #
>>
>> # The DEFAULT allows a global definition of the options. They can be
>> overridden
>> # in each jail afterwards.
>>
>> [DEFAULT]
>>
>> # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban
>> will not
>> # ban a host which matches an address in this list. Several addresses
>> can be
>> # defined using space separator.
>> ignoreip = 127.0.0.1/8 185.55.25.119
>>
>> # "bantime" is the number of seconds that a host is banned.
>> bantime = 7200
>>
>> # A host is banned if it has generated "maxretry" during the last
>> "findtime"
>> # seconds.
>> findtime = 600
>> maxretry = 3
>>
>> # "backend" specifies the backend used to get files modification.
>> # Available options are "pyinotify", "gamin", "polling" and "auto".
>> # This option can be overridden in each jail as well.
>> #
>> # pyinotify: requires pyinotify (a file alteration monitor) to be
>> installed.
>> # If pyinotify is not installed, Fail2ban will use auto.
>> # gamin: requires Gamin (a file alteration monitor) to be
>> installed.
>> # If Gamin is not installed, Fail2ban will use auto.
>> # polling: uses a polling algorithm which does not require external
>> libraries.
>> # auto: will try to use the following backends, in order:
>> # pyinotify, gamin, polling.
>> backend = auto
>>
>> # "usedns" specifies if jails should trust hostnames in logs,
>> # warn when reverse DNS lookups are performed, or ignore all
>> hostnames
>> in logs
>> #
>> # yes: if a hostname is encountered, a reverse DNS lookup will be
>> performed.
>> # warn: if a hostname is encountered, a reverse DNS lookup will be
>> performed,
>> # but it will be logged as a warning.
>> # no: if a hostname is encountered, will not be used for banning,
>> # but it will be logged as info.
>> usedns = warn
>>
>> #
>> # Destination email address used solely for the interpolations in
>> # jail.{conf,local} configuration files.
>> destemail = [email protected]
>>
>> #
>> # Name of the sender for mta actions
>> sendername = Fail2BanAlerts
>>
>> #
>> # ACTIONS
>> #
>>
>> # Default banning action (e.g. iptables, iptables-new,
>> # iptables-multiport, shorewall, etc) It is used to define
>> # action_* variables. Can be overridden globally or per
>> # section within jail.local file
>> banaction = iptables-multiport
>>
>>
>> # email action. Since 0.8.1 upstream fail2ban uses sendmail
>> # MTA for the mailing. Change mta configuration parameter to mail
>> # if you want to revert to conventional 'mail'.
>> mta = sendmail
>>
>> # Default protocol
>> protocol = tcp
>>
>> # Specify chain where jumps would need to be added in iptables-*
>> actions
>> chain = INPUT
>>
>> #
>> # Action shortcuts. To be used to define action parameter
>>
>> # The simplest action to take: ban only
>> action_ = %(banaction)s[name=%(__name__)s, port="%(port)s",
>> protocol="%(protocol)s", chain="%(chain)s"]
>>
>> # ban & send an e-mail with whois report to the destemail.
>> action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s",
>> protocol="%(protocol)s", chain="%(chain)s"]
>> %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s",
>> protocol="%(protocol)s", chain="%(chain)s",
>> sendername="%(sendername)s"]
>>
>> # ban & send an e-mail with whois report and relevant log lines
>> # to the destemail.
>> action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s",
>> protocol="%(protocol)s", chain="%(chain)s"]
>> %(mta)s-whois-lines[name=%(__name__)s,
>> dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s",
>> sendername="%(sendername)s"]
>>
>> # Choose default action. To change, just override value of 'action'
>> with the
>> # interpolation to the chosen action shortcut (e.g. action_mw,
>> action_mwl, etc) in jail.local
>> # globally (section [DEFAULT]) or per specific section
>> action = %(action_)s
>>
>> #
>> # JAILS
>> #
>>
>> # Next jails corresponds to the standard configuration in Fail2ban 0.6
>> which
>> # was shipped in Debian. Enable any defined here jail by including
>> #
>> # [SECTION_NAME]
>> # enabled = true
>>
>> #
>> # in /etc/fail2ban/jail.local.
>> #
>> # Optionally you may override any other parameter (e.g. banaction,
>> # action, port, logpath, etc) in that section within jail.local
>>
>> [ssh]
>>
>> enabled = true
>> port = ssh
>> filter = sshd
>> logpath = /var/log/auth.log
>> maxretry = 6
>>
>> [dropbear]
>>
>> enabled = false
>> port = ssh
>> filter = dropbear
>> logpath = /var/log/auth.log
>> maxretry = 6
>>
>> # Generic filter for pam. Has to be used with action which bans all
>> ports
>> # such as iptables-allports, shorewall
>> [pam-generic]
>>
>> enabled = false
>> # pam-generic filter can be customized to monitor specific subset of
>> 'tty's
>> filter = pam-generic
>> # port actually must be irrelevant but lets leave it all for some
>> possible uses
>> port = all
>> banaction = iptables-allports
>> port = anyport
>> logpath = /var/log/auth.log
>> maxretry = 6
>>
>> [xinetd-fail]
>>
>> enabled = false
>> filter = xinetd-fail
>> port = all
>> banaction = iptables-multiport-log
>> logpath = /var/log/daemon.log
>> maxretry = 2
>>
>>
>> [ssh-ddos]
>>
>> enabled = false
>> port = ssh
>> filter = sshd-ddos
>> logpath = /var/log/auth.log
>> maxretry = 6
>>
>>
>> # Here we use blackhole routes for not requiring any additional kernel
>> support
>> # to store large volumes of banned IPs
>>
>> [ssh-route]
>>
>> enabled = false
>> filter = sshd
>> action = route
>> logpath = /var/log/sshd.log
>> maxretry = 6
>>
>>
>> # Here we use a combination of Netfilter/Iptables and IPsets
>> # for storing large volumes of banned IPs
>> #
>> # IPset comes in two versions. See ipset -V for which one to use
>> # requires the ipset package and kernel support.
>> [ssh-iptables-ipset4]
>>
>> enabled = false
>> port = ssh
>> filter = sshd
>> banaction = iptables-ipset-proto4
>> logpath = /var/log/sshd.log
>> maxretry = 6
>>
>> [ssh-iptables-ipset6]
>>
>> enabled = false
>> port = ssh
>> filter = sshd
>> banaction = iptables-ipset-proto6
>> logpath = /var/log/sshd.log
>> maxretry = 6
>>
>>
>> #
>> # HTTP servers
>> #
>>
>> [apache]
>>
>> enabled = true
>> port = http,https
>> filter = apache-auth
>> logpath = /var/log/apache2/error.log
>> maxretry = 5
>> findtime = 600
>>
>> # default action is now multiport, so apache-multiport jail was left
>> # for compatibility with previous (<0.7.6-2) releases
>> [apache-multiport]
>>
>> enabled = false
>> port = http,https
>> filter = apache-auth
>> logpath = /var/log/apache*/*error.log
>> maxretry = 6
>>
>> [apache-noscript]
>>
>> enabled = false
>> port = http,https
>> filter = apache-noscript
>> logpath = /var/log/apache*/*error.log
>> maxretry = 6
>>
>> [apache-overflows]
>>
>> enabled = true
>> port = http,https
>> filter = apache-overflows
>> logpath = /var/log/apache2/error.log
>> maxretry = 2
>>
>>
>> [apache-badbots]
>>
>> enabled = true
>> port = http,https
>> filter = apache-badbots
>> logpath = /var/log/apache2/error.log
>> maxretry = 2
>>
>> [apache-nohome]
>>
>> enabled = true
>> port = http,https
>> filter = apache-nohome
>> logpath = /var/log/apache2/error.log
>> maxretry = 2
>>
>> [hn-apache-retry-ban]
>>
>> enabled = true
>> port = http,https
>> filter = hn-apache-retry-ban
>> logpath = /var/log/apache2/access.log
>> maxretry = 5
>>
>> # Ban attackers that try to use PHP's URL-fopen() functionality
>> # through GET/POST variables. - Experimental, with more than a year
>> # of usage in production environments.
>>
>> [php-url-fopen]
>>
>> enabled = true
>> port = http,https
>> filter = php-url-fopen
>> logpath = /var/log/apache*/*access.log
>>
>> # A simple PHP-fastcgi jail which works with lighttpd.
>> # If you run a lighttpd server, then you probably will
>> # find these kinds of messages in your error_log:
>> # ALERT – tried to register forbidden variable ‘GLOBALS’
>> # through GET variables (attacker '1.2.3.4', file
>> '/var/www/default/htdocs/index.php')
>>
>> [lighttpd-fastcgi]
>>
>> enabled = false
>> port = http,https
>> filter = lighttpd-fastcgi
>> logpath = /var/log/lighttpd/error.log
>>
>> # Same as above for mod_auth
>> # It catches wrong authentifications
>>
>> [lighttpd-auth]
>>
>> enabled = false
>> port = http,https
>> filter = suhosin
>> logpath = /var/log/lighttpd/error.log
>>
>> [nginx-http-auth]
>>
>> enabled = false
>> filter = nginx-http-auth
>> port = http,https
>> logpath = /var/log/nginx/error.log
>>
>> # Monitor roundcube server
>>
>> [roundcube-auth]
>>
>> enabled = false
>> filter = roundcube-auth
>> port = http,https
>> logpath = /var/log/roundcube/userlogins
>>
>>
>> [sogo-auth]
>>
>> enabled = false
>> filter = sogo-auth
>> port = http, https
>> # without proxy this would be:
>> # port = 20000
>> logpath = /var/log/sogo/sogo.log
>>
>>
>> #
>> # FTP servers
>> #
>>
>> [vsftpd]
>>
>> enabled = false
>> port = ftp,ftp-data,ftps,ftps-data
>> filter = vsftpd
>> logpath = /var/log/vsftpd.log
>> # or overwrite it in jails.local to be
>> # logpath = /var/log/auth.log
>> # if you want to rely on PAM failed login attempts
>> # vsftpd's failregex should match both of those formats
>> maxretry = 6
>>
>>
>> [proftpd]
>>
>> enabled = false
>> port = ftp,ftp-data,ftps,ftps-data
>> filter = proftpd
>> logpath = /var/log/proftpd/proftpd.log
>> maxretry = 6
>>
>>
>> [pure-ftpd]
>>
>> enabled = false
>> port = ftp,ftp-data,ftps,ftps-data
>> filter = pure-ftpd
>> logpath = /var/log/syslog
>> maxretry = 6
>>
>>
>> [wuftpd]
>>
>> enabled = false
>> port = ftp,ftp-data,ftps,ftps-data
>> filter = wuftpd
>> logpath = /var/log/syslog
>> maxretry = 6
>>
>>
>> #
>> # Mail servers
>> #
>>
>> [postfix]
>>
>> enabled = false
>> port = smtp,ssmtp,submission
>> filter = postfix
>> logpath = /var/log/mail.log
>>
>>
>> [couriersmtp]
>>
>> enabled = false
>> port = smtp,ssmtp,submission
>> filter = couriersmtp
>> logpath = /var/log/mail.log
>>
>>
>> #
>> # Mail servers authenticators: might be used for smtp,ftp,imap
>> servers, so
>> # all relevant ports get banned
>> #
>>
>> [courierauth]
>>
>> enabled = false
>> port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
>> filter = courierlogin
>> logpath = /var/log/mail.log
>>
>>
>> [sasl]
>>
>> enabled = false
>> port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
>> filter = postfix-sasl
>> # You might consider monitoring /var/log/mail.warn instead if you are
>> # running postfix since it would provide the same log lines at the
>> # "warn" level but overall at the smaller filesize.
>> logpath = /var/log/mail.log
>>
>> [dovecot]
>>
>> enabled = false
>> port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
>> filter = dovecot
>> logpath = /var/log/mail.log
>>
>> # To log wrong MySQL access attempts add to /etc/my.cnf:
>> # log-error=/var/log/mysqld.log
>> # log-warning = 2
>> [mysqld-auth]
>>
>> enabled = false
>> filter = mysqld-auth
>> port = 3306
>> logpath = /var/log/mysqld.log
>>
>>
>> # DNS Servers
>>
>>
>> # These jails block attacks against named (bind9). By default, logging
>> is off
>> # with bind9 installation. You will need something like this:
>> #
>> # logging {
>> # channel security_file {
>> # file "/var/log/named/security.log" versions 3 size 30m;
>> # severity dynamic;
>> # print-time yes;
>> # };
>> # category security {
>> # security_file;
>> # };
>> # };
>> #
>> # in your named.conf to provide proper logging
>>
>> # !!! WARNING !!!
>> # Since UDP is connection-less protocol, spoofing of IP and
>> imitation
>> # of illegal actions is way too simple. Thus enabling of this
>> filter
>> # might provide an easy way for implementing a DoS against a chosen
>> # victim. See
>> #
>> http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
>> # Please DO NOT USE this jail unless you know what you are doing.
>> #[named-refused-udp]
>> #
>> #enabled = false
>> #port = domain,953
>> #protocol = udp
>> #filter = named-refused
>> #logpath = /var/log/named/security.log
>>
>> [named-refused-tcp]
>>
>> enabled = false
>> port = domain,953
>> protocol = tcp
>> filter = named-refused
>> logpath = /var/log/named/security.log
>>
>> # Multiple jails, 1 per protocol, are necessary ATM:
>> # see https://github.com/fail2ban/fail2ban/issues/37
>> [asterisk-tcp]
>>
>> enabled = false
>> filter = asterisk
>> port = 5060,5061
>> protocol = tcp
>> logpath = /var/log/asterisk/messages
>>
>> [asterisk-udp]
>>
>> enabled = false
>> filter = asterisk
>> port = 5060,5061
>> protocol = udp
>> logpath = /var/log/asterisk/messages
>>
>>
>> # Jail for more extended banning of persistent abusers
>> # !!! WARNING !!!
>> # Make sure that your loglevel specified in fail2ban.conf/.local
>> # is not at DEBUG level -- which might then cause fail2ban to fall
>> into
>> # an infinite loop constantly feeding itself with non-informative
>> lines
>> [recidive]
>>
>> enabled = false
>> filter = recidive
>> logpath = /var/log/fail2ban.log
>> action = iptables-allports[name=recidive]
>> sendmail-whois-lines[name=recidive,
>> logpath=/var/log/fail2ban.log]
>> bantime = 604800 ; 1 week
>> findtime = 86400 ; 1 day
>> maxretry = 5
>>
>> ##################################################################
>>
>> The Jail Actions are all "out of the box" except
>> /etc/fail2ban/filter.d/hn-apache-retry-ban.conf
>>
>> [Definition]
>>
>> # Use this for "soft" bad behaviour, as the source will only be banned
>> after multiple retries.
>>
>> failregex = ^<HOST> -.*"POST (/shop/downloader/index.php\?A=loggedin
>> HTTP.*" 302|/shop/index.php/backend HTTP.*"
>> 200|/shop/index.php/backend/index/.* HTTP.*" 200).*$
>>
>> ignoreregex =
>>
>> This is meant to ban repeated faild login to Magento E-Commerce and
>> the
>> Downloader component.
>>
>> Thank you again for any hints concerning these trobles!
>> Best regards,
>> Alexander
>>
>> On 08.04.2016 04:20, Bill Shirley wrote:
>>> As far as I know, fail2ban never "reloads" the firewall rules.
>>> fail2ban just manages its chains. Perhaps there's something
>>> in the "load-balancer" doing this.
>>>
>>> You should list your action rules and jail.
>>> -> I have a startup script, that sets the Firewall NAT rules on every
>>> startup of the system in RC4.
>>> iptables defaults to -t filter which is what your including here.
>>> You
>>> should be using -t nat if you think it's changing the NAT rules.
>>>
>>> Bill
>>>
>>> On 4/7/2016 7:33 AM, Alexander R. Gruber wrote:
>>>> Thank you Steve, for your answer.
>>>>
>>>> To your questions:
>>>>
>>>>> How do you have the load balanced rules set? are they persistent in
>>>>> a
>>>>> file that is always run from server start up?
>>>> -> I have a startup script, that sets the Firewall NAT rules on
>>>> every startup of the system in RC4.
>>>>
>>>> Every few hours f2b reloads the Firewall rules from its database
>>>> (according to the log) and when that happens the NAT rules vanish
>>>> from my server - leading to a STOP in service, as the loadbalancing
>>>> breaks.
>>>>
>>>> The time this happens is every few hours and always goes hand in
>>>> hand with the time in the f2b log where the system does the before
>>>> mentioned process of "resetting" and loading stuff from its
>>>> database.
>>>> So I have a strong bias towards f2b being the "culprit" as this is
>>>> the only process that fiddles around with the IPtables in the first
>>>> instance.
>>>>
>>>> I also noticed very strange things:
>>>>
>>>> <snip>
>>>> 2016-04-07 13:22:19,849 fail2ban.filter [3526]: INFO
>>>> [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:20,294 fail2ban.actions [3526]: NOTICE
>>>> [sshd] 183.3.202.200 already banned
>>>> 2016-04-07 13:22:21,836 fail2ban.filter [3526]: INFO
>>>> [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:21,837 fail2ban.filter [3526]: INFO
>>>> [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:28,687 fail2ban.filter [3526]: INFO
>>>> [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:28,688 fail2ban.filter [3526]: INFO
>>>> [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:30,912 fail2ban.filter [3526]: INFO
>>>> [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:30,913 fail2ban.filter [3526]: INFO
>>>> [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:31,306 fail2ban.actions [3526]: NOTICE
>>>> [sshd] 183.3.202.xxx already banned
>>>> 2016-04-07 13:22:31,857 fail2ban.actions [3526]: NOTICE
>>>> [ssh] 183.3.202.xxx already banned
>>>> 2016-04-07 13:22:42,443 fail2ban.filter [3526]: INFO
>>>> [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:42,445 fail2ban.filter [3526]: INFO
>>>> [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:44,260 fail2ban.filter [3526]: INFO
>>>> [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:44,260 fail2ban.filter [3526]: INFO
>>>> [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:50,860 fail2ban.filter [3526]: INFO
>>>> [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:50,861 fail2ban.filter [3526]: INFO
>>>> [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:51,329 fail2ban.actions [3526]: NOTICE
>>>> [sshd] 183.3.202.xxx already banned
>>>> 2016-04-07 13:22:53,105 fail2ban.filter [3526]: INFO
>>>> [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:22:53,106 fail2ban.filter [3526]: INFO
>>>> [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:23:00,356 fail2ban.filter [3526]: INFO
>>>> [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:23:00,358 fail2ban.filter [3526]: INFO
>>>> [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:23:01,974 fail2ban.filter [3526]: INFO
>>>> [ssh] Found 183.3.202.xxx
>>>> 2016-04-07 13:23:01,975 fail2ban.filter [3526]: INFO
>>>> [sshd] Found 183.3.202.xxx
>>>> 2016-04-07 13:23:02,342 fail2ban.actions [3526]: NOTICE
>>>> [sshd] 183.3.202.xxx already banned
>>>> 2016-04-07 13:23:02,893 fail2ban.actions [3526]: NOTICE
>>>> [ssh] 183.3.202.xxx already banned
>>>> root@xxx:~# iptables -L
>>>> Chain INPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain FORWARD (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>> root@bmn1:~# sudo iptables -L
>>>> Chain INPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain FORWARD (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> The chain rules seem to be empty ...
>>>>
>>>> root@xxx:~# service fail2ban restart
>>>> * Restarting authentication failure monitor fail2ban
>>>> root@xxx:~# iptables -n -L
>>>> Chain INPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>> f2b-hn-apache-retry-ban tcp -- 0.0.0.0/0 0.0.0.0/0
>>>> multiport dports 80,443
>>>> f2b-apache tcp -- 0.0.0.0/0 0.0.0.0/0
>>>> multiport dports 80,443
>>>> f2b-ssh tcp -- 0.0.0.0/0 0.0.0.0/0
>>>> multiport dports 22
>>>> f2b-php-url-fopen tcp -- 0.0.0.0/0 0.0.0.0/0
>>>> multiport dports 80,443
>>>> f2b-apache-nohome tcp -- 0.0.0.0/0 0.0.0.0/0
>>>> multiport dports 80,443
>>>> f2b-apache-overflows tcp -- 0.0.0.0/0 0.0.0.0/0
>>>> multiport dports 80,443
>>>> f2b-apache-badbots tcp -- 0.0.0.0/0 0.0.0.0/0
>>>> multiport dports 80,443
>>>> f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0
>>>> multiport dports 22
>>>>
>>>> Chain FORWARD (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain f2b-apache (1 references)
>>>> target prot opt source destination
>>>> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>>>>
>>>> Chain f2b-apache-badbots (1 references)
>>>> target prot opt source destination
>>>> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>>>>
>>>> Chain f2b-apache-nohome (1 references)
>>>> target prot opt source destination
>>>> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>>>>
>>>> Chain f2b-apache-overflows (1 references)
>>>> target prot opt source destination
>>>> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>>>>
>>>> Chain f2b-hn-apache-retry-ban (1 references)
>>>> target prot opt source destination
>>>> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>>>>
>>>> Chain f2b-php-url-fopen (1 references)
>>>> target prot opt source destination
>>>> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>>>>
>>>> Chain f2b-ssh (1 references)
>>>> target prot opt source destination
>>>> REJECT all -- 221.229.162.xxx 0.0.0.0/0
>>>> reject-with icmp-port-unreachable
>>>> REJECT all -- 183.3.202.xxx 0.0.0.0/0
>>>> reject-with icmp-port-unreachable
>>>> REJECT all -- 111.13.70.xxx 0.0.0.0/0
>>>> reject-with icmp-port-unreachable
>>>> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>>>>
>>>> Chain f2b-sshd (1 references)
>>>> target prot opt source destination
>>>> REJECT all -- 221.229.162.xxx 0.0.0.0/0
>>>> reject-with icmp-port-unreachable
>>>> REJECT all -- 186.228.90.xxx 0.0.0.0/0
>>>> reject-with icmp-port-unreachable
>>>> REJECT all -- 183.3.202.xxx 0.0.0.0/0
>>>> reject-with icmp-port-unreachable
>>>> REJECT all -- 14.139.46.xxx 0.0.0.0/0
>>>> reject-with icmp-port-unreachable
>>>> REJECT all -- 111.13.70.xxx 0.0.0.0/0
>>>> reject-with icmp-port-unreachable
>>>> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>>>>
>>>> After an explicit restart, the system seems to be up and running
>>>> again ...
>>>>
>>>> I feel a bit at loss here ...
>>>>
>>>> Thanks for any hints!
>>>> Alexander
>>>>
>>>>> By design, f2b (when restarting) unblocks all blocked IP addresses
>>>>> within its own DB, it then removes the f2b chains from iptables. It
>>>>> then
>>>>> starts up creating the chains and re-adds the IP's that are within
>>>>> the
>>>>> selected time scale of bans.
>>>>>
>>>>> It does not remove anything other than its own chains in IPtables.
>>>>>
>>>>> How do you have the load balanced rules set? are they persistent in
>>>>> a
>>>>> file that is always run from server start up?
>>>>>
>>>>> I have a reset firewall script that once f2b is shutdown, i run and
>>>>> it
>>>>> reloads my own pre-set rules on iptables, then i fire up f2b, i've
>>>>> never
>>>>> had it remove rules, or chains that are not starting
>>>>> "f2b-chainname"
>>>>> (i.e f2b-php-url-open) etc.
>>>>>
>>>>> if you do a iptables -n -L do your f2b chains all start with chain
>>>>> f2b- ?
>>>>> if the f2b chains are missing and all your rules are not starting
>>>>> as
>>>>> above, i suppose there is a chance it could remove rules it never
>>>>> created, although i would doubt that.
>>>>>
>>>>> I hope this helps a little.
>>>>>
>>>>> Steve
>>>> ---
>>>> Diese E-Mail wurde von Avast Antivirus-Software auf Viren geprüft.
>>>> https://www.avast.com/antivirus
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> _______________________________________________
>>>> Fail2ban-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>>
>>>
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>
>>
>> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>
>> Virenfrei. www.avast.com
>> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>>
>>
>>
>> _______________________________________________
>> Fail2ban-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
