CentOS 6 with fail2ban-0.9.2-1.el6.noarch, and iptables-1.4.7-16.el6.x86_64
Not sure where my issue lies. It appears that f2b is processing the log
file(s) fine and adding 'iptables' rules, but I still see connection
attempts and authentication errors on the ssh daemon.
Example. From /var/log/messages, it triggered a ban for this IP at 0858hrs
Sep 8 08:58:20 ####### fail2ban.actions[28791]: NOTICE [sshdext] Ban 124.190.106.117
'iptables' shows the IP should be DROPping
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshdext tcp -- anywhere anywhere multiport dports sshdext
f2b-vsftpd tcp -- anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain f2b-sshdext (1 references)
target prot opt source destination
DROP all -- dynamicip-94-180-107-204.pppoe.nsk.ertelecom.ru anywhere
DROP all -- CPE-124-190-106-117.vic.bigpond.net.au anywhere <<<<<<<<<<<<<<<<
DROP all -- clientes.143-137-79-250.dynamic.net4you.psi.br anywhere
DROP all -- 59.45.175.98 anywhere
DROP all -- 59.45.175.97 anywhere
DROP all -- 13.84.188.226 anywhere
RETURN all -- anywhere anywhere

Chain f2b-vsftpd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
However, minutes later, the daemon is still logging connections and
authentication errors...
Sep 8 09:02:50 ### sshdext[29248]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cpe-124-190-106-117.vic.bigpond.net.au
Sep 8 09:02:52 ### sshdext[29250]: Connection from 124.190.106.117 port 60685
Sep 8 09:02:54 ### sshdext[29250]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cpe-124-190-106-117.vic.bigpond.net.au
Sep 8 09:02:58 ### sshdext[29258]: Connection from 124.190.106.117 port 60697
Sep 8 09:03:00 ### sshdext[29258]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cpe-124-190-106-117.vic.bigpond.net.au
Sep 8 09:03:02 ### sshdext[29260]: Connection from 124.190.106.117 port 60708
Sep 8 09:03:05 ### sshdext[29260]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cpe-124-190-106-117.vic.bigpond.net.au
The 'sshdext' service is just 'sshd' running on an alternate port for
external users - corporate firewall blocks incoming port 22.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
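
Added example (not part of the original post and not fail2ban's own code): a Python check that correlates fail2ban Ban/Unban notices with the daemon's "Connection from" lines and lists every connection that was still accepted while the address was banned, which is the symptom described in the message above. The sample log is constructed from the lines quoted in the post; the hostname "host", the Unban line and the 09:06:00 line are assumptions made for the demonstration.

```python
import re
from datetime import datetime

# Constructed sample modelled on the lines quoted in the post; "host" is a
# placeholder hostname and the Unban and 09:06:00 lines are invented for the demo.
SAMPLE_LOG = """\
Sep  8 08:58:20 host fail2ban.actions[28791]: NOTICE [sshdext] Ban 124.190.106.117
Sep  8 09:02:52 host sshdext[29250]: Connection from 124.190.106.117 port 60685
Sep  8 09:02:58 host sshdext[29258]: Connection from 124.190.106.117 port 60697
Sep  8 09:03:02 host sshdext[29260]: Connection from 124.190.106.117 port 60708
Sep  8 09:05:00 host fail2ban.actions[28791]: NOTICE [sshdext] Unban 124.190.106.117
Sep  8 09:06:00 host sshdext[29300]: Connection from 124.190.106.117 port 60800
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w.-]+)\[\d+\]: (.*)$")
BAN = re.compile(r"\[([^\]]+)\] (Ban|Unban) (\S+)$")
CONN = re.compile(r"^Connection from (\S+) port \d+")

def _ts(stamp):
    # Syslog omits the year; a fixed leap year is assumed so Feb 29 parses.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")

def connections_after_ban(log_text, jail="sshdext", daemon="sshdext"):
    """Return (ip, seconds_since_ban, timestamp) for each connection `daemon`
    logged while `jail` had that IP banned (lines must be in time order)."""
    banned = {}  # ip -> time of the active ban
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, prog, msg = m.groups()
        if prog == "fail2ban.actions":
            b = BAN.search(msg)
            if b and b.group(1) == jail:
                if b.group(2) == "Ban":
                    banned[b.group(3)] = _ts(stamp)
                else:
                    banned.pop(b.group(3), None)
        elif prog == daemon:
            c = CONN.match(msg)
            if c and c.group(1) in banned:
                delay = int((_ts(stamp) - banned[c.group(1)]).total_seconds())
                hits.append((c.group(1), delay, stamp))
    return hits

if __name__ == "__main__":
    for ip, delay, stamp in connections_after_ban(SAMPLE_LOG):
        print(f"{stamp}: {ip} connected {delay}s after its ban")
```

Any hit means the daemon completed a TCP accept for an address fail2ban believed was blocked, so the firewall rule did not apply to that traffic.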