Here's the current date and iptables list

# date
Mon Sep 11 10:23:19 EDT 2017
# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 3250 packets, 253K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 f2b-sshdext  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 2112
2    1891K  113M f2b-vsftpd  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 21,20,990,989

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3231 packets, 7088K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain f2b-sshdext (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       172.26.47.66         0.0.0.0/0           reject-with icmp-port-unreachable
2        0     0 REJECT     all  --  *      *       103.89.89.149        0.0.0.0/0           reject-with icmp-port-unreachable
3        0     0 REJECT     all  --  *      *       90.150.90.116        0.0.0.0/0           reject-with icmp-port-unreachable
4        0     0 REJECT     all  --  *      *       190.218.115.115      0.0.0.0/0           reject-with icmp-port-unreachable
5        0     0 REJECT     all  --  *      *       193.201.224.212      0.0.0.0/0           reject-with icmp-port-unreachable
6        0     0 REJECT     all  --  *      *       117.239.39.51        0.0.0.0/0           reject-with icmp-port-unreachable
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain f2b-vsftpd (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1    1891K  113M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0


And a snapshot of /var/log/secure (active sessions from that IP still
hitting the daemon)

# tail -f secure | grep failure
Sep 11 10:24:53 #### sshdext[5573]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:07 #### sshdext[5591]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:13 #### sshdext[5593]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:15 #### sshdext[5595]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212


'sshdext' is a second sshd running on 2112. Entry made in /etc/services for
it, as well as a matching file in filter.d. The regex seems to be doing its
job, as iptables entries are there.



On Sat, Sep 9, 2017 at 7:30 PM, Bill Shirley <bshir...@openmri-scottsboro.com> wrote:

> A host can have multiple addresses; multiple PTRs can point to a host.  You
> should use 'iptables -nvL' and compare banned IP addresses instead of
> hostnames.
>
> Bill
>
>
> On 9/9/2017 6:56 AM, Doug Eckert wrote:
>
> the name & port have been added to /etc/services. I also copied
> filter.d/ssh.conf to filter.d/sshdext.conf and edited to match.
>
> The right source IP and dest port is added to iptables, but traffic is
> still getting through for some reason.
>
> On Sat, Sep 9, 2017 at 2:07 AM Dominic Raferd <domi...@timedicer.co.uk> wrote:
>
>> On 8 September 2017 at 16:22, Eckert, Doug <doug.eck...@dowjones.com> wrote:
>>
>>> CentOS 6 with fail2ban-0.9.2-1.el6.noarch, and
>>> iptables-1.4.7-16.el6.x86_64
>>>
>>> Not sure where my issue lies. It appears that f2b is processing the log
>>> file(s) fine and adding 'iptables' rules, but I still see connection
>>> attempts and authentication errors on the ssh daemon.
>>>
>>> Example. From /var/log/messages, it triggered a ban for this IP at
>>> 0858hrs
>>>
>>> Sep  8 08:58:20 ####### fail2ban.actions[28791]: NOTICE [sshdext] Ban 124.190.106.117
>>>
>>> 'iptables' shows the IP should be DROPping
>>>
>>> # iptables --list
>>> Chain INPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>> f2b-sshdext  tcp  --  anywhere             anywhere            multiport dports sshdext
>>> f2b-vsftpd  tcp  --  anywhere             anywhere            multiport dports ftp,ftp-data,ftps,ftps-data
>>>
>> ...
>>>
>>> The 'sshdext' service is just 'sshd' running on an alternate port for
>>> external users - corporate firewall blocks incoming port 22.
>>>
>>
>> I am not an expert but I am puzzled by line:
>>
>> f2b-sshdext  tcp  --  anywhere             anywhere            multiport
>> dports sshdext
>>
>> How does iptables --list know which port is 'sshdext'?
>>
>> 'iptables --list -n' will show the numeric values (and is fast), then you
>> can see if this rule is indeed covering the correct port.
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Fail2ban-users mailing list
>> Fail2ban-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>


-- 


Doug Eckert
Technical Architect - Systems Technology Services
Dow Jones <http://www.dowjones.com/>
P.O. Box 300 | Princeton NJ 08543-0300
(W) 609.520.4993 (C) 732.666.3681
Email: doug.eck...@dowjones.com
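One way to check mechanically what the output above shows by eye, as an added example that is not from this thread or from fail2ban itself: a small Python script that parses the `iptables -nvL --line-numbers` output and the `/var/log/secure` lines, then reports any banned address that still produces authentication failures and any INPUT jump into the jail chain whose packet counter is still zero. The sample data is the thread's own output with the email line-wrapping undone (FORWARD and OUTPUT omitted), embedded so the script runs offline; on a live host you would feed it the real command output instead. The function names and the `f2b-<jail>` chain argument are the example's own choices.

```python
import re

# Sample `iptables -nvL --line-numbers` output, copied from the thread above with the
# email line-wrapping undone; embedded so the check runs without root or iptables.
IPTABLES_OUTPUT = """\
Chain INPUT (policy ACCEPT 3250 packets, 253K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 f2b-sshdext  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 2112
2    1891K  113M f2b-vsftpd  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 21,20,990,989

Chain f2b-sshdext (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       172.26.47.66         0.0.0.0/0           reject-with icmp-port-unreachable
2        0     0 REJECT     all  --  *      *       103.89.89.149        0.0.0.0/0           reject-with icmp-port-unreachable
3        0     0 REJECT     all  --  *      *       90.150.90.116        0.0.0.0/0           reject-with icmp-port-unreachable
4        0     0 REJECT     all  --  *      *       190.218.115.115      0.0.0.0/0           reject-with icmp-port-unreachable
5        0     0 REJECT     all  --  *      *       193.201.224.212      0.0.0.0/0           reject-with icmp-port-unreachable
6        0     0 REJECT     all  --  *      *       117.239.39.51        0.0.0.0/0           reject-with icmp-port-unreachable
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain f2b-vsftpd (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1    1891K  113M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# /var/log/secure lines from the thread, likewise unwrapped.
SECURE_LOG = """\
Sep 11 10:24:53 #### sshdext[5573]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:07 #### sshdext[5591]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:13 #### sshdext[5593]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:15 #### sshdext[5595]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
"""

RULE_FIELDS = ("num", "pkts", "bytes", "target", "prot", "opt",
               "in", "out", "source", "destination")


def count_to_int(token):
    """Expand the K/M/G suffixes `iptables -v` prints for counters (they are rounded;
    `iptables -nvxL` prints exact values and needs no expansion)."""
    mult = {"K": 1000, "M": 1000000, "G": 1000000000}
    if token[-1] in mult:
        return int(token[:-1]) * mult[token[-1]]
    return int(token)


def parse_iptables(text):
    """Parse `iptables -nvL --line-numbers` output into {chain: [rule dict, ...]}."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.startswith("num"):
            continue
        parts = line.split()
        rule = dict(zip(RULE_FIELDS, parts[:10]))
        rule["pkts"] = count_to_int(rule["pkts"])
        rule["bytes"] = count_to_int(rule["bytes"])
        rule["extra"] = " ".join(parts[10:])  # e.g. "multiport dports 2112"
        chains[current].append(rule)
    return chains


def failures_by_ip(log_text):
    """Count pam_unix authentication failures per rhost in /var/log/secure lines."""
    counts = {}
    for line in log_text.splitlines():
        if "authentication failure" not in line:
            continue
        m = re.search(r"rhost=(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def audit_jail(chains, log_text, jail_chain):
    """Flag bans that are not taking effect: banned IPs that still fail auth, and
    INPUT jump rules into the jail chain that have never matched a packet."""
    findings = []
    fails = failures_by_ip(log_text)
    banned = [r["source"] for r in chains.get(jail_chain, [])
              if r["target"] in ("REJECT", "DROP")]
    for ip in banned:
        if fails.get(ip):
            findings.append("%s is banned in %s but still produced %d auth failures"
                            % (ip, jail_chain, fails[ip]))
    for rule in chains.get("INPUT", []):
        if rule["target"] == jail_chain and rule["pkts"] == 0:
            findings.append("INPUT rule %s -> %s (%s) has matched 0 packets: confirm the "
                            "daemon's listening port with `ss -tlnp` and that the traffic "
                            "actually arrives on it" % (rule["num"], jail_chain, rule["extra"]))
    return findings


if __name__ == "__main__":
    for finding in audit_jail(parse_iptables(IPTABLES_OUTPUT), SECURE_LOG, "f2b-sshdext"):
        print(finding)
```

Run against the thread's data it reports two findings: 193.201.224.212 is in the REJECT list yet logged four failures after the ban, and INPUT rule 1 (tcp dports 2112) has a zero packet counter. The second point is the one to chase: a zero counter on the jump rule means the INPUT chain has not seen any TCP packet to port 2112 at all, so the REJECT entries behind it never get a chance to match. Whatever is reaching the daemon is not arriving as TCP to port 2112 through INPUT, which is why confirming the daemon's actual listening port (`ss -tlnp` or `netstat -tlnp`) and any NAT redirect in front of it is the next step.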