A host can have multiple addresses; multiple PTRs can point to a host.  You
should use 'iptables -nvL' and compare banned IP addresses instead of
hostnames.

Bill


On 9/9/2017 6:56 AM, Doug Eckert wrote:
the name & port have been added to /etc/services. I also copied 
filter.d/ssh.conf to filter.d/sshdext.conf and edited to match.

The right source IP and dest port is added to iptables, but traffic is still getting through for some reason.

On Sat, Sep 9, 2017 at 2:07 AM Dominic Raferd <domi...@timedicer.co.uk> wrote:

    On 8 September 2017 at 16:22, Eckert, Doug <doug.eck...@dowjones.com> wrote:

        CentOS 6 with fail2ban-0.9.2-1.el6.noarch, and iptables-1.4.7-16.el6.x86_64

        Not sure where my issue lies. It appears that f2b is processing the log file(s) fine and adding 'iptables' rules, but
        I still see connection attempts and authentication errors on the ssh daemon.

        Example. From /var/log/messages, it triggered a ban for this IP at 0858hrs

        Sep  8 08:58:20 ####### fail2ban.actions[28791]: NOTICE [sshdext] Ban 124.190.106.117

        'iptables' shows the IP should be DROPping

        # iptables --list
        Chain INPUT (policy ACCEPT)
        target       prot opt source     destination
        f2b-sshdext  tcp  --  anywhere   anywhere     multiport dports sshdext
        f2b-vsftpd   tcp  --  anywhere   anywhere     multiport dports ftp,ftp-data,ftps,ftps-data

        ...

        The 'sshdext' service is just 'sshd' running on an alternate port for external users - corporate firewall blocks
        incoming port 22.


    I am not an expert but I am puzzled by line:

    f2b-sshdext  tcp  --  anywhere   anywhere     multiport dports sshdext

    How does iptables --list know which port is 'sshdext'?

    'iptables --list -n' will show the numeric values (and is fast), then you can see if this rule is indeed covering the
    correct port.
    
    Fail2ban-users mailing list
    Fail2ban-users@lists.sourceforge.net
    https://lists.sourceforge.net/lists/listinfo/fail2ban-users

--


*Doug Eckert*
Technical Architect - Systems Technology Services

Dow Jones <http://www.dowjones.com/>

 P.O. Box 300 | Princeton NJ 08543-0300
(W) 609.520.4993 (C) 732.666.3681
*Email:* doug.eck...@dowjones.com




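An added example, not part of the original thread: one way to apply the two suggestions above (list numerically, then compare the banned address and the port rather than names) is to parse `iptables -nvL` output and check the jump rule, the ban rule and its packet counter. The sample listing is constructed, port 2222 is an assumed stand-in for the sshdext port, which the thread never states, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed `iptables -nvL` listing; port 2222 is an assumed sshdext port.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  419 25140 f2b-sshdext  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 2222

Chain f2b-sshdext (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7   420 REJECT     all  --  *      *       124.190.106.117      0.0.0.0/0           reject-with icmp-port-unreachable
  412 24720 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

def parse_nvl(text):
    """Map each chain name to its rules, as listed by `iptables -nvL`."""
    chains, rules = {}, None
    for line in text.splitlines():
        f = line.split()
        if line.startswith("Chain "):
            rules = chains.setdefault(f[1], [])
        elif rules is not None and len(f) >= 9 and f[0] != "pkts":
            rules.append({"pkts": f[0], "target": f[2], "source": f[7],
                          "extra": " ".join(f[9:])})
    return chains

def covers_port(extra, port):
    """True if a 'dpt:N' or 'multiport dports a,b,c:d' match includes port."""
    m = re.search(r"(?:dpt:|dports )([\d,:]+)", extra)
    spans = [i.partition(":") for i in m.group(1).split(",")] if m else []
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in spans)

def check_ban(text, chain, banned_ip, port):
    """Return a list of problems; an empty list means the ban looks effective."""
    chains, ip, problems = parse_nvl(text), ipaddress.ip_address(banned_ip), []
    jumps = [r for r in chains.get("INPUT", []) if r["target"] == chain]
    if not any(covers_port(r["extra"], port) for r in jumps):
        problems.append("no INPUT jump to %s covers port %d" % (chain, port))
    bans = [r for r in chains.get(chain, []) if r["target"] in ("DROP", "REJECT")
            and ip in ipaddress.ip_network(r["source"], strict=False)]
    if not bans:
        problems.append("%s has no DROP/REJECT rule in %s" % (banned_ip, chain))
    elif all(r["pkts"] == "0" for r in bans):
        problems.append("ban rule for %s has matched 0 packets" % banned_ip)
    return problems

if __name__ == "__main__":
    print(check_ban(SAMPLE, "f2b-sshdext", "124.190.106.117", 2222) or "ban looks effective")
```

A listing taken without `-n` shows the port as a service name, so `covers_port` finds no numeric match and the first check fails, which is the reason for listing numerically.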