
I am running Ubuntu Linux 16.04 on a GCP Compute Engine VM instance. This is hosting a web server for a web application. I need feedback from the community about verification that what I have set up on Ubuntu Linux is correct and that I can verify that bad IP addresses are in fact getting blocked.

I have set up fail2ban and created the following jail:

# To stop DOS attack from remote host.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
maxretry = 1
findtime = 86400
bantime = -1
ignoreip = 111.222.333.12

# action = iptables[name=HTTP, port=http, protocol=tcp]
banaction=iptables-ipset-proto4

I have ipset and iptables configured as follows:

sudo iptables -I INPUT -m set --match-set f2b-http-get-dos src -j DROP
sudo iptables -I FORWARD -m set --match-set f2b-http-get-dos src -j DROP

When I query the ipset set name f2b-http-get-dos, I see numerous members listed. For example:

Name: f2b-http-get-dos
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 3928
References: 3
Number of entries: 83
Members:
XX.XXX.XX.XX
XX.XXX.XX.XX

When I query iptables I see (excerpted):

sudo iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             match-set f2b-http-get-dos src
REJECT     tcp  --  anywhere             anywhere             multiport dports http,https match-set f2b-http-get-dos src reject-with icmp-port-unreachable
LOG        all  --  anywhere             anywhere             LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             match-set f2b-http-get-dos src

How do I know and confirm that the banned IP addresses that are listed in the set named in ipset are being firewalled by iptables? Does iptables write a log file that it maintains that tracks IP addresses it intercepted and blocked using a rule or finding the IP in a defined set name via ipset?

Jack Stein

3 Answers

To check your setup you can configure logging of iptables actions. Keep in mind, when a rule matches in iptables and the target is DROP or REJECT, that action is taken and processing stops. If you want to have a LOG rule, it must come before you DROP or REJECT a packet. You can try to configure a rule like this:

-I INPUT -m set --match-set f2b-http-get-dos src -j LOG

before your DROP rule:

-I INPUT -m set --match-set f2b-http-get-dos src -j DROP

Here you can find a similar question.

As an alternative solution you can try to use Cloud Armor WAF which provides built-in defenses against L3 and L4 DDoS attacks, IP-based and geo-based access control and more.

Serhii Rohoza
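Turning the LOG-before-DROP advice into a check you can run against captured output, as an added example that is not part of this answer: it assumes the LOG rule was added with `--log-prefix "f2b-drop: "` (an assumption; the rule above has no prefix) and reads constructed copies of the kernel log and the `ipset list` output. A set member that never shows up in the LOG lines has either been quiet since the ban or is not being matched by the rule, and both cases are worth a look.

```shell
#!/bin/sh
# Added example, not from the question or answers: cross-check the kernel log
# lines produced by a LOG rule against the ipset members. Assumes the LOG rule
# was given --log-prefix "f2b-drop: " (an assumption; the answer above uses none).

# Constructed sample of /var/log/kern.log lines (RFC 5737 documentation IPs).
KERN_LOG=$(cat <<'EOF'
Jun  1 10:00:01 web kernel: [1234.5] f2b-drop: IN=ens4 OUT= SRC=203.0.113.5 DST=10.0.0.2 LEN=60 PROTO=TCP SPT=51234 DPT=80 SYN
Jun  1 10:00:02 web kernel: [1235.0] f2b-drop: IN=ens4 OUT= SRC=203.0.113.5 DST=10.0.0.2 LEN=60 PROTO=TCP SPT=51235 DPT=443 SYN
Jun  1 10:00:03 web kernel: [1236.0] f2b-drop: IN=ens4 OUT= SRC=198.51.100.7 DST=10.0.0.2 LEN=60 PROTO=TCP SPT=40000 DPT=80 SYN
Jun  1 10:00:04 web kernel: [1237.0] other: IN=ens4 OUT= SRC=192.0.2.9 DST=10.0.0.2 LEN=52 PROTO=TCP SPT=4444 DPT=22 SYN
EOF
)

# Constructed sample of `ipset list f2b-http-get-dos` output (header shortened).
IPSET_LIST=$(cat <<'EOF'
Name: f2b-http-get-dos
Type: hash:ip
Members:
203.0.113.5
198.51.100.7
192.0.2.44
EOF
)

# "<src-ip> <hits>" per source the LOG rule recorded, most hits first.
logged_sources() {
    printf '%s\n' "$1" | grep 'f2b-drop: ' | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' \
        | sort | uniq -c | awk '{print $2, $1}' | sort -k2,2nr
}

# Members of the set: every line after "Members:".
set_members() {
    printf '%s\n' "$1" | awk 'seen {print} /^Members:/ {seen=1}' | sort
}

# Set members with no LOG entry yet: banned, but not yet observed being dropped.
unconfirmed_members() {
    logged=$(logged_sources "$1" | awk '{print $1}')
    set_members "$2" | while read -r ip; do
        printf '%s\n' "$logged" | grep -qxF "$ip" || printf '%s\n' "$ip"
    done
}

logged_sources "$KERN_LOG"                       # 203.0.113.5 2 / 198.51.100.7 1
unconfirmed_members "$KERN_LOG" "$IPSET_LIST"    # 192.0.2.44
```

On the live host, feed the functions the output of `journalctl -k` (or /var/log/kern.log) and `ipset list f2b-http-get-dos`; the pkts counter shown by `iptables -L INPUT -v -n` on the DROP rule is a second, cheaper confirmation that the set is being hit.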

You can see logs generated by kernel in /var/log/kern.log

or you could filter them with grep:

# iptables -L INPUT -v -n | grep "1.2.3.4"
Pit

You can use ipset -L to see the list of banned IP addresses (added by fail2ban).

Example:

root@server:/# ipset -L
Name: f2b-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 184
References: 1
Number of entries: 2
Members:
XXX.XXX.XXX.XXX
YYY.YYY.YYY.YYY