I have installed fail2ban on an AWS RHEL 7 box. There, I have set up firewall
rules allowing incoming traffic on ports 22 and 80.
I created this jail:
[apache-xmlrpc]
enabled = true
port = http
protocol = tcp
filter = apache-xmlrpc
logpath = /var/log/httpd/access_log
maxretry = 10
# findtime: 10 mins
findtime = 600
# bantime: 1 week
bantime = 604800
with this filter
[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =
Looking at iptables, I get
Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
Why doesn't the IN_public_allow chain include the following?
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
In any case, entering the following line seems to take care of the problem:
iptables -A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
What needs to be done so that it is included, or have I perhaps misconfigured it?
Furthermore, looking at fail2ban.log,
2016-05-23 08:47:20,019 fail2ban.actions [5354]: NOTICE [apache-xmlrpc] 185.47.62.118 already banned
2016-05-23 08:47:20,174 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:20,895 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:21,634 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:23,386 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:24,127 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:25,879 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:27,627 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:28,368 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:29,117 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:31,866 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:32,033 fail2ban.actions [5354]: NOTICE [apache-xmlrpc] 185.47.62.118 already banned
2016-05-23 08:47:34,602 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:35,376 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:37,089 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:40,847 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:41,602 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:42,349 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:44,091 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:45,839 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:46,616 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:47,349 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:48,049 fail2ban.actions [5354]: NOTICE [apache-xmlrpc] 185.47.62.118 already banned
Shouldn't this IP address 185.47.62.118 have been added to IN_public_deny?
Why are there further post attempts from this client?
Thanks in advance
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
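An added example, not part of the original post and not fail2ban's own code: a small Python model of how this jail counts matches (the posted failregex, findtime = 600, maxretry = 10, bantime = 604800), run over constructed Apache access_log lines. It shows two things a practitioner wants to see when reading the log above. First, the filter emits "Found" for every xmlrpc.php POST that Apache writes to access_log, whether the source is banned or not, so "Found" lines after a ban only say the filter matched, not that traffic got through the firewall. Second, once an IP hits maxretry the counter starts over, and when it fills again for an IP whose ban has not expired the result is an "already banned" notice rather than a second ban, which is why the log shows exactly ten "Found" lines between consecutive "already banned" notices. The `<HOST>` expansion is simplified to an IPv4 group (fail2ban's real one also covers IPv6 and hostnames), the log lines use documentation addresses 203.0.113.5 and 198.51.100.7, and `make_line`, `parse_line` and `run_jail` are names chosen for this example.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Hypothetical re-implementation of fail2ban's counting for the jail in the
# post; it is not fail2ban's code. The settings are copied from the jail.
FAILREGEX = r"^<HOST> .*POST .*xmlrpc\.php.*"
MAXRETRY = 10
FINDTIME = timedelta(seconds=600)
BANTIME = timedelta(seconds=604800)

# fail2ban expands <HOST> to a pattern that also covers IPv6 and hostnames;
# a plain IPv4 group is sufficient for the constructed lines below.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))
# Apache combined-log timestamp, e.g. [23/May/2016:08:47:20 +0000]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def parse_line(line):
    """Return (ip, timestamp) if the line matches failregex, else None."""
    m = FAIL_RE.match(line)
    if m is None:
        return None
    ts = TS_RE.search(line)
    if ts is None:
        return None
    return m.group("host"), datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")


def run_jail(lines):
    """Feed log lines through the jail; return (kind, ip, timestamp) events.

    kind is "found" for every match, "ban" when an IP reaches maxretry
    matches inside findtime, and "already banned" when an IP whose ban has
    not expired fills the counter again. The counter is reset after each
    ban decision, so the notice repeats every maxretry further matches.
    """
    failures = {}   # ip -> deque of match timestamps inside the findtime window
    banned = {}     # ip -> datetime at which the ban expires
    events = []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        ip, ts = hit
        events.append(("found", ip, ts))
        window = failures.setdefault(ip, deque())
        window.append(ts)
        while window and ts - window[0] > FINDTIME:
            window.popleft()
        if len(window) < MAXRETRY:
            continue
        window.clear()
        if ip in banned and banned[ip] > ts:
            events.append(("already banned", ip, ts))
        else:
            banned[ip] = ts + BANTIME
            events.append(("ban", ip, ts))
    return events


def make_line(ip, ts, method="POST", path="/xmlrpc.php"):
    """Build a constructed Apache combined-log line (not from a real server)."""
    return '%s - - [%s +0000] "%s %s HTTP/1.1" 200 370 "-" "Mozilla/5.0"' % (
        ip, ts.strftime("%d/%b/%Y:%H:%M:%S"), method, path)


BASE = datetime(2016, 5, 23, 8, 47, 0)
# Constructed sample: 20 xmlrpc.php POSTs one second apart from one client,
# plus traffic that must not count (a GET, a POST elsewhere, and a second
# client that stays below maxretry).
SAMPLE_LINES = (
    [make_line("203.0.113.5", BASE + timedelta(seconds=i)) for i in range(20)]
    + [make_line("203.0.113.5", BASE + timedelta(seconds=20), method="GET")]
    + [make_line("198.51.100.7", BASE + timedelta(seconds=21), path="/index.php")]
    + [make_line("198.51.100.7", BASE + timedelta(seconds=22 + i)) for i in range(3)]
)


if __name__ == "__main__":
    for kind, ip, ts in run_jail(SAMPLE_LINES):
        print("%s %-14s %s" % (ts.strftime("%H:%M:%S"), kind, ip))
```

Running it prints twenty "found" events for 203.0.113.5 with a "ban" after the tenth and an "already banned" after the twentieth, and only three "found" events for 198.51.100.7. To check the real filter against the real log, use `fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-xmlrpc.conf`; to see whether the ban is actually in force, use `fail2ban-client status apache-xmlrpc` for the jail's banned list and `iptables -L -n -v` for the rule the ban action installed and its packet counters. Note also that this failregex matches every POST to xmlrpc.php, legitimate clients included, so the findtime and maxretry values are what keep it from banning them.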