| Linode Forum https://forum.linode.com/ |
|
| fail2ban iptables rules not banning https://forum.linode.com/viewtopic.php?f=19&t=4804 |
| Author: | arjones85 [ Fri Nov 06, 2009 11:35 pm ] |
| Post subject: | fail2ban iptables rules not banning |
I'm not quite sure why this isn't working... it should. I am testing my fail2ban installation by trying to get myself banned. Fail2ban is picking up my SSH brute force attempts, is properly banning me, the iptables rule is there.... but I can still connect to my server without a problem.

fail2ban.log:

    [root@server2 log]# tail fail2ban.log
    2009-11-06 21:27:34,766 fail2ban.actions: INFO Set banTime = 600
    2009-11-06 21:27:34,823 fail2ban.jail : INFO Creating new jail 'proftpd-iptables'
    2009-11-06 21:27:34,823 fail2ban.jail : INFO Jail 'proftpd-iptables' uses poller
    2009-11-06 21:27:34,824 fail2ban.filter : INFO Added logfile = /var/log/secure
    2009-11-06 21:27:34,825 fail2ban.filter : INFO Set maxRetry = 10
    2009-11-06 21:27:34,826 fail2ban.filter : INFO Set findtime = 600
    2009-11-06 21:27:34,826 fail2ban.actions: INFO Set banTime = 600
    2009-11-06 21:27:34,838 fail2ban.jail : INFO Jail 'ssh-iptables' started
    2009-11-06 21:27:34,839 fail2ban.jail : INFO Jail 'proftpd-iptables' started
    2009-11-06 21:27:55,845 fail2ban.actions: WARNING [ssh-iptables] Ban 98.197.128.40

    [root@server2 log]# iptables -L | grep 98.197.128.40
    DROP all -- c-98-197-128-40.hsd1.tx.comcast.net anywhere

Here is my whole iptables ruleset:

    [root@server2 log]# iptables -L
    Chain INPUT (policy DROP)
    target            prot  opt  source    destination
    fail2ban-ProFTPD  tcp   --   anywhere  anywhere     tcp dpt:ftp
    fail2ban-SSH      tcp   --   anywhere  anywhere     tcp dpt:ssh
    ACCEPT            all   --   anywhere  anywhere
    ACCEPT            tcp   --   anywhere  anywhere     tcp flags:ACK/ACK
    ACCEPT            all   --   anywhere  anywhere     state ESTABLISHED
    ACCEPT            all   --   anywhere  anywhere     state RELATED
    ACCEPT            udp   --   anywhere  anywhere     udp spt:domain dpts:1024:65535
    ACCEPT            icmp  --   anywhere  anywhere     icmp echo-reply
    ACCEPT            icmp  --   anywhere  anywhere     icmp destination-unreachable
    ACCEPT            icmp  --   anywhere  anywhere     icmp source-quench
    ACCEPT            icmp  --   anywhere  anywhere     icmp time-exceeded
    ACCEPT            icmp  --   anywhere  anywhere     icmp parameter-problem
    ACCEPT            tcp   --   anywhere  anywhere     tcp dpt:smakynet
    ACCEPT            tcp   --   anywhere  anywhere     tcp dpt:auth
    ACCEPT            icmp  --   anywhere  anywhere     icmp echo-request
    ACCEPT            tcp   --   anywhere  anywhere     tcp dpt:domain
    ACCEPT            udp   --   anywhere  anywhere     udp dpt:domain
    ACCEPT            tcp   --   anywhere  anywhere     tcp dpt:http
    ACCEPT            tcp   --   anywhere  anywhere     tcp dpt:https
    ACCEPT            tcp   --   anywhere  anywhere     tcp multiport dports smtp,submission
    ACCEPT            tcp   --   anywhere  anywhere     tcp dpts:ftp-data:ftp
    ACCEPT            tcp   --   anywhere  anywhere     tcp multiport dports pop3,pop3s
    ACCEPT            tcp   --   anywhere  anywhere     tcp multiport dports imap,imap3,imaps
    ACCEPT            tcp   --   anywhere  anywhere     tcp dpts:10123:10133
    ACCEPT            tcp   --   anywhere  anywhere     tcp dpt:dnp
    DROP              all   --   mail.insuranceprovidersgroup.com  anywhere

    Chain FORWARD (policy ACCEPT)
    target  prot  opt  source  destination

    Chain OUTPUT (policy ACCEPT)
    target  prot  opt  source  destination

    Chain fail2ban-ProFTPD (1 references)
    target  prot  opt  source    destination
    RETURN  all   --   anywhere  anywhere

    Chain fail2ban-SSH (1 references)
    target  prot  opt  source    destination
    DROP    all   --   c-98-197-128-40.hsd1.tx.comcast.net  anywhere
    RETURN  all   --   anywhere  anywhere

Any ideas why packets from me are not getting dropped like they should be? |
|
| Author: | arjones85 [ Fri Nov 06, 2009 11:41 pm ] |
| Post subject: | |
Never mind, figured it out. I saw that it was looking for the packets on the regular SSH port, and I do not use the regular SSH port. Changing the action in jail.conf to iptables-allports worked correctly =) I am now successfully banned. Yay! |
|
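The mismatch found in this thread (the jump into fail2ban-SSH only matches tcp dpt:ssh while sshd listens elsewhere) can be checked mechanically. The following is an added example, not part of the original posts and not fail2ban code: it compares the destination ports on the INPUT jump rule with the Port directives in sshd_config. It assumes numeric `iptables -S INPUT` output without negated matches; the sample rules, the sample config and port 2222 are constructed for illustration.

```python
import re

# Constructed samples in `iptables -S INPUT` form. The first mirrors the post's
# ruleset (jump only for tcp dpt:ssh); the second is the form an all-ports jump takes.
RULES_PORT_ONLY = """\
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-ProFTPD
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
"""
RULES_ALLPORTS = "-P INPUT DROP\n-A INPUT -p tcp -j fail2ban-SSH\n"
SSHD_CONFIG = "#Port 22\nPort 2222\nPermitRootLogin no\n"  # 2222 is hypothetical

def sshd_ports(config_text):
    """Ports from sshd_config Port directives; sshd listens on 22 if none is set."""
    found = re.findall(r"^[ \t]*port[ \t]+(\d+)", config_text, re.I | re.M)
    return [int(p) for p in found] or [22]

def covered_ports(rules_text, chain):
    """None if a jump to `chain` matches every TCP port, else the (low, high)
    destination-port ranges whose packets reach the chain."""
    ranges = []
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", "INPUT"] or tok[-2:] != ["-j", chain]:
            continue
        if "-p" in tok and tok[tok.index("-p") + 1] not in ("tcp", "all"):
            continue  # a udp-only jump never sees SSH traffic
        spec = next((tok[i + 1] for i, t in enumerate(tok)
                     if t in ("--dport", "--dports")), None)
        if spec is None:
            return None  # no port match: every TCP port traverses the chain
        for part in spec.split(","):
            low, _, high = part.partition(":")
            ranges.append((int(low), int(high or low)))
    return ranges

def unprotected_ports(rules_text, chain, config_text):
    """sshd ports whose packets never enter the fail2ban chain, so bans there are inert."""
    ranges = covered_ports(rules_text, chain)
    if ranges is None:
        return []
    return [p for p in sshd_ports(config_text)
            if not any(low <= p <= high for low, high in ranges)]

if __name__ == "__main__":
    for label, rules in (("iptables", RULES_PORT_ONLY), ("iptables-allports", RULES_ALLPORTS)):
        print(label, "-> sshd ports bypassing fail2ban-SSH:",
              unprotected_ports(rules, "fail2ban-SSH", SSHD_CONFIG))
```

A non-empty result means a ban can show up in the fail2ban chain and still have no effect on SSH logins, which is the symptom described in the first post.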
| All times are UTC-04:00 |
|