
I've created a jail and action in an attempt to catch "DDoS attacks", however the log files show errors for this jail whenever I restart Fail2Ban. The jail & filter seem fairly straightforward, and reproduced in several blogs, but the one I've used for comparison is here.

This is the jail:

[http-get-dos]
enabled = true
filter = http-get-dos
action =  iptables[name=Http-Get-Dos, port="http,https"]
logpath = %(apache_access_log)s
maxretry = 300
findtime = 300
bantime = 300

and this is the filter:

# Fail2Ban configuration file
#
[Definition]

# Option: failregex
# Note: This regex will match any GET entry in your logs
# You should set maxretry and findtime carefully in jail.conf

failregex = ^<HOST> -.*"(GET|POST).*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#

This all looks straightforward, but for some reason if I restart the service after enabling this jail, I see the following errors in the Fail2ban log:

2017-11-04 12:48:13,296 fail2ban.jail           [1460]: INFO    Creating new jail 'http-get-dos'
2017-11-04 12:48:13,298 fail2ban.jail           [1460]: INFO    Jail 'http-get-dos' uses poller
2017-11-04 12:48:13,300 fail2ban.filter         [1460]: INFO    Set jail log file encoding to UTF-8
2017-11-04 12:48:13,300 fail2ban.jail           [1460]: INFO    Initiated 'polling' backend
2017-11-04 12:48:13,303 fail2ban.actions        [1460]: INFO    Set banTime = 300
2017-11-04 12:48:13,304 fail2ban.filter         [1460]: INFO    Set findtime = 300
2017-11-04 12:48:13,306 fail2ban.filter         [1460]: INFO    Added logfile = /var/log/apache2/access.log
2017-11-04 12:48:13,308 fail2ban.filter         [1460]: INFO    Added logfile = /var/log/apache2/other_vhosts_access.log
2017-11-04 12:48:13,309 fail2ban.filter         [1460]: INFO    Set jail log file encoding to UTF-8
2017-11-04 12:48:13,310 fail2ban.filter         [1460]: INFO    Set maxRetry = 300

2017-11-04 12:48:14,411 fail2ban.action         [1460]: ERROR   iptables -w -N f2b-Http-Get-Dos
iptables -w -A f2b-Http-Get-Dos -j RETURN
iptables -w -I INPUT -p tcp --dport http,https -j f2b-Http-Get-Dos -- stdout: b''
2017-11-04 12:48:14,441 fail2ban.action         [1460]: ERROR   iptables -w -N f2b-Http-Get-Dos
iptables -w -A f2b-Http-Get-Dos -j RETURN
iptables -w -I INPUT -p tcp --dport http,https -j f2b-Http-Get-Dos -- stderr: b"iptables v1.6.0: invalid port/service `http,https' specified\nTry `iptables -h' or 'iptables --help' for more information.\n"
2017-11-04 12:48:14,458 fail2ban.action         [1460]: ERROR   iptables -w -N f2b-Http-Get-Dos
iptables -w -A f2b-Http-Get-Dos -j RETURN
iptables -w -I INPUT -p tcp --dport http,https -j f2b-Http-Get-Dos -- returned 2
2017-11-04 12:48:14,463 fail2ban.actions        [1460]: ERROR   Failed to start jail 'http-get-dos' action 'iptables': Error starting action
2017-11-04 12:48:20,150 fail2ban.jail           [1460]: INFO    Jail 'http-get-dos' started

It appears that the action part of the jail is causing an issue; however, I don't understand why. The action is similar to that used by other jails.

Any ideas how I can resolve this to get the jail running properly?

Phill Healey

1 Answer


I don't have enough reputation to comment, so I'll post as an answer here.

It looks as if this line:

action = iptables[name=Http-Get-Dos, port="http,https"]

is passing variables to iptables, and as a result of the port="http,https" you're specifying two destination ports in a single iptables rule. I couldn't find any specific documentation on this, but it doesn't look right to me - I think that's the cause of the problem.

I think there should be separate actions for HTTP and HTTPS.

EDIT: I found some entries on Google that use port="http,https" and they specify iptables-multiport instead of iptables. The iptables-multiport action seems to run iptables with --match multiport (described here), allowing you to specify more than one port at a time (see this Server Fault question). So I think the other solution would be using the iptables-multiport action.

ishigoya
  • This appears to be a commonly applied "port" entry, and is even in use on other jails, which is why this is so confusing. – Phill Healey Nov 05 '17 at 15:57
  • @PhillHealey I've updated my answer – ishigoya Nov 05 '17 at 16:19
  • I was also wondering about this, but wasn't particularly successful in finding out what the difference between iptables & iptables-multiport is. Also, I was a little unsure due to this same jail being reported on numerous blogs. I guess it's another case of people blindly stealing from other blogs and trying to take credit for something that they have no idea about. I'll give multiport a shot. – Phill Healey Nov 05 '17 at 20:52
  • Yup, that appears to have fixed it, no errors reported so far and the jail appears to be up and running. Thanks! – Phill Healey Nov 05 '17 at 20:57
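As an added example that is not part of the question or the answer, the Python script below simulates the jail offline so both points on this page can be checked without touching a live server: it applies the posted failregex to Apache access-log lines, enforces maxretry within a findtime sliding window per host (the thresholds the filter's comment tells you to tune), and renders the start-up rule each action would install so the `--dport http,https` failure from the log and the `-m multiport --dports` fix are side by side. Assumptions: `<HOST>` is expanded to an IPv4-only pattern (fail2ban's real pattern also covers IPv6 and hostnames), the multiport rule shape mirrors fail2ban's iptables-multiport action and should be compared with your own /etc/fail2ban/action.d/iptables-multiport.conf, and the sample traffic is constructed from documentation-range addresses.

```python
"""Offline simulation of the http-get-dos jail from the question.

Constructed example, not fail2ban's own code: applies the posted failregex to
Apache access-log lines, enforces maxretry within findtime per host, and
renders the iptables rules the two actions would install so the difference
between `--dport` and `-m multiport --dports` is visible.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Filter and thresholds exactly as posted in the question.
FAILREGEX = r'^<HOST> -.*"(GET|POST).*'
MAXRETRY = 300
FINDTIME = 300  # seconds

# fail2ban substitutes <HOST> with a pattern for IPv4, IPv6 and hostnames;
# an IPv4-only pattern is enough for this simulation (assumption).
HOST_RE = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'

# Apache combined-log timestamp, e.g. [04/Nov/2017:12:48:13 +0000]
TS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')


def compile_failregex(failregex):
    return re.compile(failregex.replace('<HOST>', HOST_RE))


def parse_timestamp(line):
    m = TS_RE.search(line)
    if not m:
        raise ValueError(f'no timestamp in line: {line!r}')
    return datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S %z').timestamp()


def hosts_to_ban(lines, failregex=FAILREGEX, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts that accumulate `maxretry` matches inside a `findtime`-second
    sliding window, which is what the jail thresholds mean."""
    pattern = compile_failregex(failregex)
    windows = defaultdict(deque)  # host -> timestamps of recent matches
    banned = set()
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue  # e.g. HEAD requests never match (GET|POST)
        host, ts = m.group('host'), parse_timestamp(line)
        q = windows[host]
        q.append(ts)
        while q and ts - q[0] > findtime:  # expire matches older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned


def port_spec_ok(action, port):
    """Whether `port` fits the match the action uses: `--dport` (action
    `iptables`) takes one port or one a:b range, while `-m multiport --dports`
    (action `iptables-multiport`) takes up to 15 comma-separated entries."""
    n = len(port.split(','))
    return n == 1 if action == 'iptables' else 1 <= n <= 15


def actionstart_commands(action, name, port, chain='INPUT', protocol='tcp'):
    """Start-up rules each action produces. The `iptables` shape is taken from
    the error log in the question; the multiport shape mirrors fail2ban's
    iptables-multiport action (assumption: compare with your own
    /etc/fail2ban/action.d/iptables-multiport.conf)."""
    match = {'iptables': f'--dport {port}',
             'iptables-multiport': f'-m multiport --dports {port}'}[action]
    return [f'iptables -w -N f2b-{name}',
            f'iptables -w -A f2b-{name} -j RETURN',
            f'iptables -w -I {chain} -p {protocol} {match} -j f2b-{name}']


# --- constructed sample traffic (documentation-range addresses) ---
def make_line(host, second, method='GET', path='/'):
    base = datetime(2017, 11, 4, 12, 48, 0, tzinfo=timezone.utc).timestamp()
    stamp = datetime.fromtimestamp(base + second, timezone.utc)
    stamp = stamp.strftime('%d/%b/%Y:%H:%M:%S %z')
    return f'{host} - - [{stamp}] "{method} {path} HTTP/1.1" 200 512 "-" "curl/7.52.1"'


FLOOD_HOST = '203.0.113.7'
QUIET_HOST = '198.51.100.20'
SLOW_HOST = '198.51.100.30'
HEAD_HOST = '192.0.2.9'
SAMPLE_LINES = (
    [make_line(FLOOD_HOST, s) for s in range(320)]             # 320 GETs, one per second
    + [make_line(QUIET_HOST, s * 60) for s in range(5)]         # 5 GETs over four minutes
    + [make_line(SLOW_HOST, s * 2) for s in range(299)]         # 299 GETs spread over ten minutes
    + [make_line(HEAD_HOST, s, method='HEAD') for s in range(400)]  # HEADs never match
)

if __name__ == '__main__':
    print('would ban:', sorted(hosts_to_ban(SAMPLE_LINES)))
    for action in ('iptables', 'iptables-multiport'):
        print(action, 'port="http,https" ok:', port_spec_ok(action, 'http,https'))
        print('   ', actionstart_commands(action, 'Http-Get-Dos', 'http,https')[2])
```

Only the flooding host trips the posted thresholds; the host sending 299 requests spread over ten minutes never has 300 inside one 300-second window, and lowering findtime to 60 seconds stops even the one-request-per-second flood from being banned, which is why the filter's comment says to tune maxretry and findtime together. The third `actionstart` line for the `iptables` action reproduces the command that failed in the log.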