Hi,

The shorewall jail is just a command that tells the running shorewall instance to ban the IP address. Depending on the version of shorewall you're using, the ban might never be stored on disk. See http://shorewall.org/blacklisting_support.htm#idm43 for details.

If there is anything that applies changes to iptables outside of shorewall, that might cause the jail/ban to be removed also.

Kind regards,
        Tom

On 22-05-19 12:12, Steven Barthen via Fail2ban-users wrote:
Hello

I'm using fail2ban with shorewall to get rid of some nasty scanners.

As the amount is getting worse, I increased the time for my bans on SSHD to 7 days as I recently got 1400+ connections a day and I wanted it to stop.

But I experienced that even with that 7 day ban, they keep connecting every ~10 min.
I still end up with 30-40 connections per IP.

So I cleaned my jail.local and only kept default and sshd, and the issue stays the same.
I'm using "shorewall" as banaction, and it works well for the most part.

I can use "shorewall show dynamic" to see all the IPs that are banned ending up there. BUT after some time, ~9 min, the ban just disappears from the "shorewall show dynamic" list. And fail2ban doesn't show an "unban" event. Shortly after that the IP connects, is detected and is banned again.

I manually added IPs to the shorewall banlist and I can say that they don't disappear the same way the fail2ban IPs do.

So for example this list with custom and fail2ban IPs

Chain dynamic (5 references)
 pkts bytes target     prot opt in     out     source           destination
    0     0 DROP       all  --  *      *       192.0.0.1        0.0.0.0/0
  316 18960 DROP       all  --  *      *       118.25.xxx.98    0.0.0.0/0
    0     0 DROP       all  --  *      *       134.119.xxx.37   0.0.0.0/0
    0     0 DROP       all  --  *      *       177.101.xxx.26   0.0.0.0/0
    0     0 DROP       all  --  *      *       182.162.xxx.185  0.0.0.0/0
    0     0 DROP       all  --  *      *       192.0.0.2        0.0.0.0/0

(192.0.0.x manually added) will look like

Chain dynamic (5 references)
 pkts bytes target     prot opt in     out     source           destination
    0     0 DROP       all  --  *      *       192.0.0.1        0.0.0.0/0
    0     0 DROP       all  --  *      *       192.0.0.2        0.0.0.0/0
    0     0 DROP       all  --  *      *       118.25.xxx.98    0.0.0.0/0
    0     0 DROP       all  --  *      *       134.119.xxx.37   0.0.0.0/0
    0     0 DROP       all  --  *      *       177.101.xxx.26   0.0.0.0/0
    0     0 DROP       all  --  *      *       182.162.xxx.185  0.0.0.0/0

after some minutes, and NO unban anywhere in the fail2ban logs.

So currently there are 125 IPs "banned" by fail2ban SSH, but only ~30 actually appear in the shorewall banlist.

My jail.local:

#####
[DEFAULT]
bantime = 3600
banaction = shorewall
banaction_allports = shorewall
ignoreip = 127.0.0.1
maxretry = 3

[sshd]
enabled = true
port    = ssh
bantime = 423360
findtime = 3600
maxretry = 1
#####

I'm using fail2ban-client version: 0.9.6

Any ideas what could cause the bans to disappear? I checked all logfiles for dropped IPs/bans but couldn't find anything...


Regards

Steven


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
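Since the shorewall banaction only tells the running instance to drop the address and nothing records the ban on disk, the two views can drift apart exactly as Steven describes (125 banned in fail2ban, ~30 in the dynamic chain). The script below is an added example, not code from either poster or from the fail2ban/shorewall projects: it diffs the IPs fail2ban believes are banned against the IPs present in shorewall's dynamic chain. Both inputs are constructed samples; in production they would come from `fail2ban-client status sshd` and `shorewall show dynamic`.

```shell
#!/bin/sh
# Added example: report IPs fail2ban thinks are banned but shorewall no longer drops.
# Assumption: the two heredoc-style samples below stand in for the live commands
#   fail2ban-client status sshd      (banned IP list)
#   shorewall show dynamic           (the iptables "dynamic" chain)

# Constructed sample of "fail2ban-client status sshd" output (0.9.x layout).
F2B_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     12
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 4
   |- Total banned:     4
   `- Banned IP list:   192.0.2.10 198.51.100.7 203.0.113.5 203.0.113.9'

# Constructed sample of "shorewall show dynamic", same column layout as in the thread.
SHOREWALL_DYNAMIC='Chain dynamic (5 references)
 pkts bytes target     prot opt in     out     source           destination
    0     0 DROP       all  --  *      *       192.0.2.10       0.0.0.0/0
  316 18960 DROP       all  --  *      *       203.0.113.5      0.0.0.0/0'

# IPs fail2ban reports as banned, one per line, sorted and de-duplicated.
f2b_banned() {
    printf '%s\n' "$F2B_STATUS" \
        | sed -n 's/.*Banned IP list:[[:space:]]*//p' \
        | tr ' ' '\n' | grep -v '^$' | sort -u
}

# Source addresses of DROP rules in the dynamic chain (field 8 = source).
shorewall_banned() {
    printf '%s\n' "$SHOREWALL_DYNAMIC" \
        | awk '$3 == "DROP" { print $8 }' | sort -u
}

# Banned in fail2ban but absent from the dynamic chain: these hosts are not
# actually being dropped, which matches the symptom in the thread.
missing_bans() {
    f2b_banned | while read -r ip; do
        shorewall_banned | grep -qx "$ip" || printf '%s\n' "$ip"
    done
}

missing_bans | sed 's/^/missing from shorewall dynamic chain: /'
```

A cron job running the live equivalent (and re-issuing `fail2ban-client set sshd banip` for each missing address) makes the drift visible and self-healing instead of waiting for the scanner to trip the jail again.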
