0

I have fail2ban running on Ubuntu 16, with a few jails running.

One is http-get-dos:

Within jail.conf

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/access.log
maxretry = 100
findtime = 60
#ban for 5 minutes
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Filter file:

# Fail2Ban configuration file
[Definition]

# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =

The jail within Fail2Ban seems to be working fine - I just tested it by hammering the URL, and my IP was added into the IP Tables.

However, I am not actually blocked - the IP Tables REJECT is not working it seems.

my.ip.address appears in IP Tables within Chain fail2ban-HTTP a REJECT, but I'm not rejected (can still access the site)

iptables -nvL --line-numbers

Chain INPUT (policy ACCEPT 2689 packets, 413K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       68  5849 fail2ban-HTTP  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2     3104  575K fail2ban-apache-overflows  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
3     3104  575K fail2ban-apache  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
4      728 43824 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3325 packets, 4380K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain fail2ban-HTTP (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       my.ip.address
     0.0.0.0/0            reject-with icmp-port-unreachable
2       68  5849 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     3104  575K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache-overflows (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     3104  575K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      728 43824 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

I'm wondering if it's an order problem - i.e. a global ACCEPT is trumping the fail2ban rule in IPTables. But if this is the problem, I don't know how to fix it, and why fail2ban didn't put it high enough in the first place.

Any advice, most appreciated.

rjbathgate
  • 75
  • 2
  • 11

1 Answers1

1

You are monitoring both http and https but banning only http using iptables action. Use iptables-multiport action and ban both http and https.

action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
Ergec
  • 578
  • 1
  • 7
  • 25