the name & port have been added to /etc/services. I also copied
filter.d/ssh.conf to filter.d/sshdext.conf and edited to match.

The right source IP and dest port are added to iptables, but traffic is still
getting through for some reason.

On Sat, Sep 9, 2017 at 2:07 AM Dominic Raferd <domi...@timedicer.co.uk>
wrote:

> On 8 September 2017 at 16:22, Eckert, Doug <doug.eck...@dowjones.com>
> wrote:
>
>> CentOS 6 with fail2ban-0.9.2-1.el6.noarch, and
>> iptables-1.4.7-16.el6.x86_64
>>
>> Not sure where my issue lies. It appears that f2b is processing the log
>> file(s) fine and adding 'iptables' rules, but I still see connection
>> attempts and authentication errors on the ssh daemon.
>>
>> Example. From /var/log/messages, it triggered a ban for this IP at 0858hrs
>>
>> Sep  8 08:58:20 ####### fail2ban.actions[28791]: NOTICE [sshdext] Ban
>> 124.190.106.117
>>
>> 'iptables' shows the IP should be DROPping
>>
>> # iptables --list
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> f2b-sshdext  tcp  --  anywhere             anywhere            multiport
>> dports sshdext
>> f2b-vsftpd  tcp  --  anywhere             anywhere            multiport
>> dports ftp,ftp-data,ftps,ftps-data
>>
> ...
>>
>> The 'sshdext' service is just 'sshd' running on an alternate port for
>> external users - corporate firewall blocks incoming port 22.
>>
>
> I am not an expert but I am puzzled by line:
>
> f2b-sshdext  tcp  --  anywhere             anywhere            multiport
> dports sshdext
>
> How does iptables --list know which port is 'sshdext'?
>
> 'iptables --list -n' will show the numeric values (and is fast), then you
> can see if this rule is indeed covering the correct port.
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
-- 


*Doug Eckert*
Technical Architect - Systems Technology Services

 P.O. Box 300 | Princeton NJ 08543-0300
(W) 609.520.4993 (C) 732.666.3681
*Email: **doug.eck...@dowjones.com* <al...@dowjones.com>
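
The numeric check suggested in the quoted reply, written out as an added example that is not part of the original thread: it resolves the service name to a port, confirms the INPUT rule that jumps to the jail chain covers that port, and confirms the banned address has a DROP or REJECT rule in the chain. It parses `iptables -S` output (numeric, one rule per line) instead of `iptables --list -n`; port 2222, the sample text and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. All sample data below is constructed; port 2222 is an assumption.
SAMPLE_SERVICES='ssh      22/tcp
sshdext  2222/tcp   # alternate sshd port (constructed)'
# Constructed `iptables -S` output (numeric by design), modelled on the thread.
SAMPLE_RULES='-P INPUT ACCEPT
-N f2b-sshdext
-A INPUT -p tcp -m multiport --dports 2222 -j f2b-sshdext
-A f2b-sshdext -s 124.190.106.117/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshdext -j RETURN'

# svc_port NAME: read services-format text on stdin, print NAME's TCP port.
svc_port() {
    awk -v name="$1" '$1 == name && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }'
}

# jump_ports CHAIN: print each destination port of INPUT rules that jump to CHAIN.
jump_ports() {
    awk -v chain="$1" '$1 == "-A" && $2 == "INPUT" {
        jump = ""; ports = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-j") jump = $(i + 1)
            if ($i == "--dports" || $i == "--dport") ports = $(i + 1)
        }
        if (jump == chain && ports != "") { gsub(/,/, "\n", ports); print ports }
    }'
}

# is_banned CHAIN IP: succeed if CHAIN holds a DROP/REJECT rule for source IP.
is_banned() {
    awk -v chain="$1" -v ip="$2" '$1 == "-A" && $2 == chain {
        src = ""; tgt = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-s") src = $(i + 1)
            if ($i == "-j") tgt = $(i + 1)
        }
        if ((src == ip || src == ip "/32") && (tgt == "DROP" || tgt == "REJECT")) found = 1
    } END { exit(found ? 0 : 1) }'
}

# check_jail CHAIN IP PORT RULES: report the first mismatch, or "ok".
check_jail() {
    printf '%s\n' "$4" | jump_ports "$1" | grep -qx "$3" || { echo "port-mismatch"; return 1; }
    printf '%s\n' "$4" | is_banned "$1" "$2" || { echo "ip-not-in-chain"; return 1; }
    echo "ok"
}

port=$(printf '%s\n' "$SAMPLE_SERVICES" | svc_port sshdext)
check_jail f2b-sshdext 124.190.106.117 "$port" "$SAMPLE_RULES"
```

On a live host, pass the output of `iptables -S` (run as root) as the rules text, read `/etc/services` for the name lookup, and compare against the port sshd is actually configured to listen on.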