On 28/09/2021 20:18, Frederic Jean wrote:
On 28-09-21 03:21:45, "Nick Howitt" <n...@howitts.co.uk
<mailto:n...@howitts.co.uk>> wrote:
On 28/09/2021 03:32, Frederic Jean wrote:
Hello community,
I have changed the iptables->actionban so that it runs a script
instead of the iptables command directly.
The other actions remained unchanged; I needed to do this as there are
further checks and actions I need to
do before banning an IP.
/etc/fail2ban/action.d/iptables.conf:
# actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionban = /my/path/banip.pl <ip> <failures> <name> <blocktype>
I reset iptables and reloaded fail2ban and tested manually to verify
the script is working:
% fail2ban-client set asterisk-iptables banip 45.146.164.110
The script is called, and parameters are correctly received. The
script also sends an email, which I received, and the content is 100%
the same as before this modification, except for the fact that
I perform a DROP instead of a REJECT. Here is the log and generated
command:
2021-09-25 00:20:15 cr_banip.pl : (45.146.164.110:40:ASTERISK:REJECT) Fail2ban BAN notification
2021-09-25 00:20:15 cr_banip.pl : Banning:
2021-09-25 00:20:15 cr_banip.pl : /sbin/iptables -I f2b-ASTERISK 1 -s 45.146.164.110 -j DROP
I then can verify that it was added to iptables, by running "iptables
-L" I get this:
Chain f2b-ASTERISK (1 references)
target prot opt source destination
....
DROP all -- 45.146.164.110 anywhere
....
However, fail2ban still lists hits from the IP afterward and
ultimately the IP reaches the limit of 10 again and
it then just mentions that it was banned already:
2021-09-26 10:16:14,691 fail2ban.filter [5399]: INFO
[asterisk-iptables] Found 45.146.164.110
2021-09-26 10:16:14,922 fail2ban.filter [5399]: INFO
[asterisk-iptables] Found 45.146.164.110
2021-09-26 10:16:14,940 fail2ban.filter [5399]: INFO
[asterisk-iptables] Found 45.146.164.110
2021-09-26 10:16:15,165 fail2ban.filter [5399]: INFO
[asterisk-iptables] Found 45.146.164.110
2021-09-26 10:16:15,175 fail2ban.filter [5399]: INFO
[asterisk-iptables] Found 45.146.164.110
2021-09-26 10:16:15,423 fail2ban.filter [5399]: INFO
[asterisk-iptables] Found 45.146.164.110
2021-09-26 10:16:15,676 fail2ban.filter [5399]: INFO
[asterisk-iptables] Found 45.146.164.110
2021-09-26 10:16:15,911 fail2ban.filter [5399]: INFO
[asterisk-iptables] Found 45.146.164.110
2021-09-26 10:16:16,146 fail2ban.filter [5399]: INFO
[asterisk-iptables] Found 45.146.164.110
2021-09-26 10:16:16,381 fail2ban.filter [5399]: INFO
[asterisk-iptables] Found 45.146.164.110
2021-09-26 10:16:16,381 fail2ban.actions [5399]: NOTICE
[asterisk-iptables] 45.146.164.110 already banned
If I revert my modification and reload fail2ban, this is what the
iptables look like afterward (it uses REJECT instead of DROP):
Chain f2b-ASTERISK (1 references)
target prot opt source destination
REJECT all -- 45.146.164.110 anywhere reject-with
icmp-port-unreachable
The iptables output seems to be OK though, from my point of view at
least...
Thanks for any help!
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
<mailto:Fail2ban-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
<https://lists.sourceforge.net/lists/listinfo/fail2ban-users>
Can I suggest you add a "-w" to your iptables command. You may find that
your own command without the -w is beating the actionstart command and
stopping it from being applied, so, although your chain f2b-ASTERISK
looks OK, you may be missing the jump from the INPUT chain to
f2b-ASTERISK. Your logs may show this as well.
Thanks for replying;
I see what you mean. I tried adding it to the command, but doing so and
reloading everything had the effect of the rules not being inserted;
the chain remained empty:
Chain f2b-ASTERISK (0 references)
pkts bytes target prot opt in out source
destination
I am unsure of what -w does; I am using iptables v1.4.7 and it is not
documented.
I am also using Fail2ban v0.9.6.
The lockingopt option in /etc/fail2ban/action.d/iptables-common.conf is
also empty.
Just for testing, if I add it, fail2ban complains that it shall be run
using an argument, and I got tons of errors.
Is there a way out of it?
If your iptables is that old then the -w switch does not exist. You will
need to remove it again. Then check your INPUT chain that you have a
jump rule to f2b-ASTERISK. If you don't, check your actionstart rule.
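A check for the condition described above (the f2b-ASTERISK chain holds the ban, but INPUT never jumps to it), written as an added example for this thread and not code from fail2ban or either poster. It works on `iptables -S` rule-spec output; the dump below is constructed, and the function names `has_jump`, `has_ban` and `check_ban` are chosen here. On a live box, feed it `"$(iptables -S)"`.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output: the ban is in the chain,
# but there is no "-A INPUT ... -j f2b-ASTERISK" rule (actionstart was lost).
SAMPLE_DUMP='-P INPUT ACCEPT
-N f2b-ASTERISK
-A f2b-ASTERISK -s 45.146.164.110/32 -j DROP
-A f2b-ASTERISK -j RETURN'

# has_jump DUMP CHAIN: succeeds if some INPUT rule jumps to CHAIN.
has_jump() {
    printf '%s\n' "$1" | grep -q -E "^-A INPUT .*-j $2\$"
}

# has_ban DUMP CHAIN IP: succeeds if CHAIN has a DROP or REJECT rule for IP.
# Dots in the IP are escaped so they match literally in the regex.
has_ban() {
    ip_re=$(printf '%s' "$3" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -q -E "^-A $2 -s $ip_re(/32)? -j (DROP|REJECT)"
}

# check_ban DUMP CHAIN IP: prints a diagnosis; returns 0 only when the ban
# is actually reachable from INPUT, 1 if the ban rule is missing, 2 if the
# chain is populated but orphaned (the case discussed in this thread).
check_ban() {
    dump=$1; chain=$2; ip=$3
    if ! has_ban "$dump" "$chain" "$ip"; then
        echo "$ip: no DROP/REJECT rule in $chain"
        return 1
    fi
    if ! has_jump "$dump" "$chain"; then
        echo "$ip: banned in $chain, but INPUT never jumps there (check actionstart)"
        return 2
    fi
    echo "$ip: ban is effective"
    return 0
}
```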