Hello community,

I have changed the iptables->actionban so that it runs a script instead of the iptables command directly. The other actions remained unchanged; I needed to do this as there are further checks and actions I need to
do before banning an IP.

/etc/fail2ban/action.d/iptables.conf:

    # actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
    actionban = /my/path/banip.pl <ip> <failures> <name> <blocktype>

I reset iptables and reloaded fail2ban and tested manually to verify the script is working:

    % fail2ban-client set asterisk-iptables banip 45.146.164.110

The script is called, and the parameters are correctly received. The script also sends an email, which I received; the content is 100% the same as before this modification, except that I perform a DROP instead of a REJECT. Here is the log and the generated command:

    2021-09-25 00:20:15 cr_banip.pl : (45.146.164.110:40:ASTERISK:REJECT) Fail2ban BAN notification
    2021-09-25 00:20:15 cr_banip.pl : Banning:
    2021-09-25 00:20:15 cr_banip.pl : /sbin/iptables -I f2b-ASTERISK 1 -s 45.146.164.110 -j DROP

I then can verify that it was added to iptables, by running "iptables -L" I get this:

    Chain f2b-ASTERISK (1 references)
    target     prot opt source               destination
    ....
    DROP       all  --  45.146.164.110       anywhere
    ....

However, fail2ban still lists hits from the IP afterward and ultimately the IP reaches the limit of 10 again and
it then just mentions that it was banned already:

    2021-09-26 10:16:14,691 fail2ban.filter [5399]: INFO [asterisk-iptables] Found 45.146.164.110
    2021-09-26 10:16:14,922 fail2ban.filter [5399]: INFO [asterisk-iptables] Found 45.146.164.110
    2021-09-26 10:16:14,940 fail2ban.filter [5399]: INFO [asterisk-iptables] Found 45.146.164.110
    2021-09-26 10:16:15,165 fail2ban.filter [5399]: INFO [asterisk-iptables] Found 45.146.164.110
    2021-09-26 10:16:15,175 fail2ban.filter [5399]: INFO [asterisk-iptables] Found 45.146.164.110
    2021-09-26 10:16:15,423 fail2ban.filter [5399]: INFO [asterisk-iptables] Found 45.146.164.110
    2021-09-26 10:16:15,676 fail2ban.filter [5399]: INFO [asterisk-iptables] Found 45.146.164.110
    2021-09-26 10:16:15,911 fail2ban.filter [5399]: INFO [asterisk-iptables] Found 45.146.164.110
    2021-09-26 10:16:16,146 fail2ban.filter [5399]: INFO [asterisk-iptables] Found 45.146.164.110
    2021-09-26 10:16:16,381 fail2ban.filter [5399]: INFO [asterisk-iptables] Found 45.146.164.110
    2021-09-26 10:16:16,381 fail2ban.actions [5399]: NOTICE [asterisk-iptables] 45.146.164.110 already banned

If I revert my modification and reload fail2ban, this is how iptables looks afterwards (it uses REJECT instead of DROP):

    Chain f2b-ASTERISK (1 references)
    target     prot opt source               destination
    REJECT     all  --  45.146.164.110       anywhere             reject-with icmp-port-unreachable

The iptables output seems to be ok though, from my point of view at least...

Thanks for any help!

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users