My fault for trusting what I was told instead of looking myself.
I was told the second ssh was listening on 2112, when in fact it was
listening on 22. So, fail2ban was banning port 2112, but 22 traffic was
uninhibited.
On Mon, Sep 11, 2017 at 10:28 AM, Eckert, Doug <doug.eck...@dowjones.com>
wrote:
> Here's the current date and iptables list
>
> # date
> Mon Sep 11 10:23:19 EDT 2017
> # iptables -nvL --line-numbers
> Chain INPUT (policy ACCEPT 3250 packets, 253K bytes)
> num   pkts bytes target      prot opt in  out source     destination
> 1        0     0 f2b-sshdext tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 2112
> 2    1891K  113M f2b-vsftpd  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 21,20,990,989
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> num   pkts bytes target      prot opt in  out source     destination
>
> Chain OUTPUT (policy ACCEPT 3231 packets, 7088K bytes)
> num   pkts bytes target      prot opt in  out source     destination
>
> Chain f2b-sshdext (1 references)
> num   pkts bytes target      prot opt in  out source           destination
> 1        0     0 REJECT      all  --  *   *   172.26.47.66     0.0.0.0/0   reject-with icmp-port-unreachable
> 2        0     0 REJECT      all  --  *   *   103.89.89.149    0.0.0.0/0   reject-with icmp-port-unreachable
> 3        0     0 REJECT      all  --  *   *   90.150.90.116    0.0.0.0/0   reject-with icmp-port-unreachable
> 4        0     0 REJECT      all  --  *   *   190.218.115.115  0.0.0.0/0   reject-with icmp-port-unreachable
> 5        0     0 REJECT      all  --  *   *   193.201.224.212  0.0.0.0/0   reject-with icmp-port-unreachable
> 6        0     0 REJECT      all  --  *   *   117.239.39.51    0.0.0.0/0   reject-with icmp-port-unreachable
> 7        0     0 RETURN      all  --  *   *   0.0.0.0/0        0.0.0.0/0
>
> Chain f2b-vsftpd (1 references)
> num   pkts bytes target      prot opt in  out source     destination
> 1    1891K  113M RETURN      all  --  *   *   0.0.0.0/0  0.0.0.0/0
>
>
> And a snapshot of /var/log/secure (active sessions from that IP still
> hitting the daemon)
>
> # tail -f secure | grep failure
> Sep 11 10:24:53 #### sshdext[5573]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
> Sep 11 10:25:07 #### sshdext[5591]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
> Sep 11 10:25:13 #### sshdext[5593]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
> Sep 11 10:25:15 #### sshdext[5595]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
>
>
> 'sshdext' is a second sshd running on 2112. Entry made in /etc/services
> for it, as well as a matching file in filter.d. The regex seems to be doing
> its job, as iptables entries are there.
>
>
>
> On Sat, Sep 9, 2017 at 7:30 PM, Bill Shirley <bshirley@openmri-scottsboro.
> com> wrote:
>
>> A host can have multiple addresses; multiple PTRs can point to a host. You
>> should use 'iptables -nvL' and compare banned IP addresses instead of
>> hostnames.
>>
>> Bill
>>
>>
>> On 9/9/2017 6:56 AM, Doug Eckert wrote:
>>
>> the name & port have been added to /etc/services. I also copied
>> filter.d/ssh.conf to filter.d/sshdext.conf and edited to match.
>>
>> The right source IP and dest port is added to iptables, but traffic is
>> still getting through for some reason.
>>
>> On Sat, Sep 9, 2017 at 2:07 AM Dominic Raferd <domi...@timedicer.co.uk>
>> wrote:
>>
>>> On 8 September 2017 at 16:22, Eckert, Doug <doug.eck...@dowjones.com>
>>> wrote:
>>>
>>>> CentOS 6 with fail2ban-0.9.2-1.el6.noarch, and
>>>> iptables-1.4.7-16.el6.x86_64
>>>>
>>>> Not sure where my issue lies. It appears that f2b is processing the log
>>>> file(s) fine and adding 'iptables' rules, but I still see connection
>>>> attempts and authentication errors on the ssh daemon.
>>>>
>>>> Example. From /var/log/messages, it triggered a ban for this IP at
>>>> 0858hrs
>>>>
>>>> Sep 8 08:58:20 ####### fail2ban.actions[28791]: NOTICE [sshdext] Ban 124.190.106.117
>>>>
>>>> 'iptables' shows the IP should be DROPping
>>>>
>>>> # iptables --list
>>>> Chain INPUT (policy ACCEPT)
>>>> target      prot opt source    destination
>>>> f2b-sshdext tcp  --  anywhere  anywhere     multiport dports sshdext
>>>> f2b-vsftpd  tcp  --  anywhere  anywhere     multiport dports ftp,ftp-data,ftps,ftps-data
>>>>
>>> ...
>>>>
>>>> The 'sshdext' service is just 'sshd' running on an alternate port for
>>>> external users - corporate firewall blocks incoming port 22.
>>>>
>>>
>>> I am not an expert but I am puzzled by line:
>>>
>>> f2b-sshdext tcp -- anywhere anywhere multiport dports sshdext
>>>
>>> How does iptables --list know which port is 'sshdext'?
>>>
>>> 'iptables --list -n' will show the numeric values (and is fast), then
>>> you can see if this rule is indeed covering the correct port.
>>>
>
>
--
Doug Eckert
Technical Architect - Systems Technology Services
Dow Jones <http://www.dowjones.com/>
P.O. Box 300 | Princeton NJ 08543-0300
(W) 609.520.4993 (C) 732.666.3681
Email: doug.eck...@dowjones.com
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
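The mismatch diagnosed in this thread (the jail's `dports` aimed at 2112 while the daemon was bound to 22, with the jump rule's packet counter stuck at 0) can be caught mechanically by cross-checking `iptables -nvL --line-numbers` against the list of listening sockets. The script below is an added example, not code from the thread or from fail2ban; both inputs are constructed samples laid out like the thread's output (the `ss -tlnp` sample is hypothetical; `netstat -tlnp` gives the same information on CentOS 6).

```python
import re

# Constructed `iptables -nvL --line-numbers` INPUT chain, shaped like the thread's output.
IPTABLES_INPUT = """\
Chain INPUT (policy ACCEPT 3250 packets, 253K bytes)
num   pkts bytes target      prot opt in  out source     destination
1        0     0 f2b-sshdext tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 2112
2    1891K  113M f2b-vsftpd  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 21,20,990,989
"""
# Constructed sample of `ss -tlnp`: the second sshd is really bound to 22.
SS_LISTEN = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1201,fd=3))
LISTEN 0      32     0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=1310,fd=4))
"""
# <num> <pkts> <bytes> <f2b-chain> ... multiport dports <list>
JUMP_RE = re.compile(r"^\s*\d+\s+(\S+)\s+\S+\s+(f2b-\S+)\s+.*multiport dports (\S+)")
# LISTEN ... <addr>:<port> <peer> users:(("<process>",...
SS_RE = re.compile(r'^LISTEN\s+\S+\s+\S+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_f2b_rules(text):
    """Return [(chain, pkts_counter, {ports})] for each fail2ban jump rule."""
    rules = []
    for line in text.splitlines():
        m = JUMP_RE.match(line)
        if m:
            rules.append((m.group(2), m.group(1), {int(p) for p in m.group(3).split(",")}))
    return rules

def parse_listeners(text):
    """Return {port: process_name} for every TCP listening socket."""
    return {int(m.group(1)): m.group(2)
            for m in map(SS_RE.match, text.splitlines()) if m}

def audit(iptables_text, ss_text):
    """Report jail dports nothing listens on, zero-hit jump rules, and uncovered listeners."""
    findings, covered = [], set()
    listeners = parse_listeners(ss_text)
    for chain, pkts, ports in parse_f2b_rules(iptables_text):
        covered |= ports
        dead = sorted(p for p in ports if p not in listeners)
        if dead:
            findings.append(f"{chain}: dports {dead} have no listening socket")
        if pkts == "0":
            findings.append(f"{chain}: 0 packets matched, bans in this chain never apply")
    for port, proc in sorted(listeners.items()):
        if port not in covered:
            findings.append(f"{proc} listening on {port} is not covered by any f2b chain")
    return findings
```

A non-zero counter on the `f2b-*` jump rule is the quickest sanity check after a new jail goes live: if authentication failures keep appearing in the log while that counter stays at 0, the rule is simply not on the path the traffic takes.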