Using Ubuntu 20.04 LTS, I have this in /etc/fail2ban/jail.local:
[DEFAULT]
bantime = 3600
banaction = iptables
blocktype = drop
[sshd]
enabled = true
protocol = tcp
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
But this is what I see when I list iptables rules:
╰─# iptables -L f2b-sshd -n -v
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
13 1356 REJECT all -- * * 222.187.232.205 0.0.0.0/0 reject-with icmp-port-unreachable
18 1516 REJECT all -- * * 221.181.185.153 0.0.0.0/0 reject-with icmp-port-unreachable
17 1064 REJECT all -- * * 222.186.180.130 0.0.0.0/0 777 55854 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
The problem is that it uses REJECT (with ICMP) instead of DROP.
The action.d/iptables.conf contains this:
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
It is the default iptables action file, shipped with the official fail2ban apt package for this OS version.
Also tried to add "blocktype=drop" under [sshd] but it has no effect.
I'm not sure how to debug this, because the fail2ban service does not log the actual iptables commands.
What am I missing?
Best Answer
To supply some parameter to the action of single jail, you must set
actionwith all parameters (also normally supplied in default section ofjail.conf) or in case of banning action you could use something like that:As regards the theme DROP vs. REJECT, the discussion is so old as the net-filter subsystem itself, with many pros/cons for both sides.
Related to banning concerns, see https://github.com/fail2ban/fail2ban/issues/2217#issuecomment-423248516 for details.