
Running on Ubuntu 14.04 Server.

So I have fail2ban correctly configured to process /var/log/auth.log for SSH login attempts.

Upon 3 failed attempts I see this in the fail2ban log:

2014-11-19 15:22:56,822 fail2ban.actions: WARNING [ssh] Ban BANNED_IP_ADDY

iptables -L shows this chain:

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
REJECT     all  --  BANNED_IP_ADDY  anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Yet from that IP I can still login via SSH without any issues.

The same story applies for all my fail2ban jails. Apache for example, I can see fail2ban correctly detect the log and claim it bans an IP. The IP ends up in an iptables chain but the IP is not actually being REJECTED.

I have a feeling that in these cases it is because SSH is not on the standard port. It is on a different port.

So if I force the ssh jail rule to use the new port:

[ssh]

enabled  = true
port     = 32323
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5

Then I see this error:

2014-11-19 15:30:06,775 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports 32323 -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 400
2014-11-19 15:30:06,778 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports 32323 -j fail2ban-ssh returned 400
2014-11-19 15:30:06,779 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]' returned 100
2014-11-19 15:30:06,780 fail2ban.actions.action: CRITICAL Unable to restore environment

If I leave it as

 port = ssh

Then it gets into iptables properly but the chain is not working to REJECT traffic (as mentioned above).

UPDATE:

If I change:

banaction = iptables-multiport

To:

banaction = iptables-allports

Then it appears to work. What are the repercussions of this change?

It appears that when fail2ban bans an IP because of SSH with allports, it bans EVERY port for that IP. I purposefully got banned due to repeated SSH login failures, and was also banned on every other service.

chicks
Halsafar
  • I've never run into that issue with fail2ban. If you wish to go back to blocking the single port you might give this solution a try: http://oschgan.com/drupal/index.php?q=node/52 . Alternatively fail2ban can use other mechanisms like hosts.deny or null routes if iptables is causing grief. – digitaladdictions Apr 03 '16 at 20:29
  • Check out `/etc/fail2ban/actions.d`, it has a file corresponding to each of those ban actions. Inside you'll see which commands are used to ban, unban, start and stop fail2ban. You could try running the actionban commands manually and see what happens. I – Michael Nov 04 '16 at 02:01
  • What else is in your iptables? Please provide the full output of `iptables -L -n -v` (redacting IP addresses where necessary). In particular, note the `-v`, which will give byte and packet counters for each chain and rule, easing debugging. – jplitza Feb 03 '17 at 13:00
  • I had the exact same problem. Fail2Ban bans the IP, I can see the address in the fail2ban chain, I got the email that it's banned, but the IP address still has access. Changing banaction to allports worked but no idea why! – Ergec Mar 20 '17 at 05:27

2 Answers


The fail2ban chains are not correctly linked to your INPUT and OUTPUT chains. Please edit your question and provide output of:

iptables -n -L INPUT
iptables -n -L OUTPUT

and all fail2ban chains too, and I'll be able to be more precise.

Marco
# the jump from INPUT into fail2ban-ssh only matches port 22, so SSH on 32323 never reaches the chain:
iptables -I INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
Zareh Kasparian
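Both answers point at the same cause, and it also explains why switching to iptables-allports "worked" in the UPDATE: the fail2ban-ssh chain exists, but the jump from INPUT into it is built from the jail's port setting, so with port = ssh only packets to port 22 ever enter the chain and sshd on 32323 is never touched. The POSIX shell script below is an added example, not code from the question, the answers or the fail2ban project. Its rule templates are an assumption reconstructed from the stock fail2ban 0.8 iptables-multiport and iptables-allports action files (they match the commands in the error log above), and the `iptables -S INPUT` listings it parses are constructed for the example; nothing in it touches the live firewall.

```shell
#!/bin/sh
# Added example: reproduce the INPUT-chain wiring that fail2ban's iptables-multiport
# and iptables-allports banactions set up, and check a saved `iptables -S INPUT` listing
# to see whether a jail chain actually sees traffic on the port the daemon listens on.
# The rule templates are an assumption taken from the fail2ban 0.8 action files (they
# match the commands in the question's error log); the listings below are constructed.

# iptables-multiport actionstart: the jump into the jail chain is limited to <port>.
multiport_start_rules() {
    name=$1
    ports=$2
    printf '%s\n' \
        "iptables -N fail2ban-$name" \
        "iptables -A fail2ban-$name -j RETURN" \
        "iptables -I INPUT -p tcp -m multiport --dports $ports -j fail2ban-$name"
}

# iptables-allports actionstart: no --dports, so every TCP port passes through the chain
# and a ban added to it blocks the address on every TCP service, as the UPDATE observed.
allports_start_rules() {
    name=$1
    printf '%s\n' \
        "iptables -N fail2ban-$name" \
        "iptables -A fail2ban-$name -j RETURN" \
        "iptables -I INPUT -p tcp -j fail2ban-$name"
}

# jail_covers_port CHAIN PORT   (reads `iptables -S INPUT` output on stdin)
# Exit 0 when some INPUT rule jumping to CHAIN matches PORT: either the rule has no
# --dports/--dport restriction, or PORT is in its list (single ports and lo:hi ranges).
jail_covers_port() {
    awk -v chain="$1" -v port="$2" '
        $1 == "-A" && $2 == "INPUT" {
            jumps = 0; dports = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == chain) jumps = 1
                if ($i == "--dports" || $i == "--dport") dports = $(i + 1)
            }
            if (!jumps) next
            if (dports == "") { found = 1; exit }
            n = split(dports, list, ",")
            for (k = 1; k <= n; k++) {
                if (split(list[k], r, ":") == 2) { lo = r[1]; hi = r[2] } else { lo = list[k]; hi = list[k] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { found = 1; exit }
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed listings: what `iptables -S INPUT` shows with `port = ssh` under
# iptables-multiport (jump limited to 22) and after switching to iptables-allports.
LISTING_MULTIPORT='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache'
LISTING_ALLPORTS='-P INPUT ACCEPT
-A INPUT -p tcp -j fail2ban-ssh'

# report LISTING CHAIN PORT: one line saying whether bans in CHAIN can affect PORT.
report() {
    if printf '%s\n' "$1" | jail_covers_port "$2" "$3"; then
        echo "$2 covers port $3: bans in that chain take effect"
    else
        echo "$2 never sees port $3: bans in that chain are a no-op for it"
    fi
}

# sshd in the question listens on 32323, not 22.
report "$LISTING_MULTIPORT" fail2ban-ssh 32323
report "$LISTING_MULTIPORT" fail2ban-ssh 22
report "$LISTING_ALLPORTS"  fail2ban-ssh 32323
echo "--- rules iptables-multiport would add for port = 32323 ---"
multiport_start_rules ssh 32323
```

On a real box, source the file and run `iptables -S INPUT | jail_covers_port fail2ban-ssh 32323` to test the live ruleset. The repercussion asked about in the UPDATE is the last rule printed by allports_start_rules: with no --dports on the jump, one SSH ban rejects that address on every TCP port. Keeping per-port banning means port = 32323 in the ssh jail under iptables-multiport; the -D, -X and -N failures in the question's log are consistent with a fail2ban-ssh chain and INPUT jump left over from the earlier port = ssh start, so that old wiring (the jump with --dports 22, then -F and -X of the chain) has to be removed by hand before the jail is restarted with the new port.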