Fail2ban ufw action does not run when monitoring, but works for manual ban


I'm using fail2ban 0.9.3 on Ubuntu 16.04. My jail.local looks like this:

[DEFAULT]

banaction = ufw

[apache-post]
enabled = true
filter = apache-post
port = http,https
logpath  = /var/log/apache2/other_vhosts_access.log
maxretry = 20
bantime = 3600

I'm running fail2ban 0.9.3 on Ubuntu 16.04.

I have a custom ufw action defined as follows:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip>
actionunban = ufw delete deny from <ip>

(This is different from the one that comes with fail2ban in that it just blocks the IP on all ports.)

The action works – if I do fail2ban-client set apache-post banip 10.0.0.1 and then check ufw status, the IP is banned:

To                         Action      From
--                         ------      ----
Anywhere                   DENY        10.0.0.1

But when the server is then restarted and running, there is a problem. fail2ban is correctly monitoring the logs and initiating bans, but the IPs are not being banned in ufw. Here is a log sample:

2018-10-09 14:00:57,679 fail2ban.actions        [31576]: NOTICE  [apache-post] Ban 10.0.5.2
2018-10-09 14:01:02,897 fail2ban.actions        [31576]: NOTICE  [apache-post] 10.0.5.2 already banned
2018-10-09 14:01:07,903 fail2ban.actions        [31576]: NOTICE  [apache-post] 10.0.5.2 already banned
2018-10-09 14:01:12,908 fail2ban.actions        [31576]: NOTICE  [apache-post] 10.0.5.2 already banned
2018-10-09 14:01:17,914 fail2ban.actions        [31576]: NOTICE  [apache-post] 10.0.5.2 already banned

If I check ufw status then the IP has not been banned – so clearly the action hasn't actually been executed, but fail2ban thinks it has.

If I restart the fail2ban server at this point, then it will check the recent logs and successfully ban the IP – i.e., when it performs actions on restart, the ufw action is correctly executed. Similarly if I manually run a banip command then the IP is correctly banned. But the bans from monitoring of logs don't work.

I'm stumped as to why it works manually, but not in normal operation. How do I debug this?

UFW is running:

> sudo ufw status
Status: active

And checking the status of the jail shows that it is active, and it thinks it has banned the IPs:

Status for the jail: apache-post
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     643
|  `- File list:        /var/log/apache2/other_vhosts_access.log
`- Actions
   |- Currently banned: 9
   |- Total banned:     11
   `- Banned IP list:   10.0.5.2 (and more)
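One way to surface the mismatch described above, as an added example that is not part of the original post: it reconciles the addresses `fail2ban-client status <jail>` reports as banned against the DENY rules `ufw status` actually shows, using the two output formats quoted in the question (the sample outputs embedded in the script are constructed).

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the output
# layouts of `fail2ban-client status <jail>` (0.9.x) and `ufw status`
# as quoted in the question.

# Constructed sample: fail2ban believes two addresses are banned ...
SAMPLE_F2B='Status for the jail: apache-post
|- Filter
|  `- File list:        /var/log/apache2/other_vhosts_access.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   10.0.5.2 10.0.5.3'

# ... but ufw only holds a DENY rule for one of them.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
Anywhere                   DENY        10.0.5.3
80,443/tcp                 ALLOW       Anywhere'

# Print the IPv4 addresses from the "Banned IP list" line, one per line.
f2b_banned_ips() {
    printf '%s\n' "$1" | sed -n 's/.*Banned IP list:[[:space:]]*//p' \
        | tr ' ' '\n' | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Print the source address (last column) of every DENY rule ufw lists.
ufw_denied_ips() {
    printf '%s\n' "$1" | awk '/DENY/ { print $NF }' \
        | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Print each address fail2ban reports as banned that ufw is not denying,
# i.e. bans whose actionban never reached the firewall.
missing_bans() {
    f2b="$1"; ufw="$2"
    for ip in $(f2b_banned_ips "$f2b"); do
        if ! ufw_denied_ips "$ufw" | grep -qxF "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# On a live host (needs root for ufw):
#   missing_bans "$(fail2ban-client status apache-post)" "$(ufw status)"
missing_bans "$SAMPLE_F2B" "$SAMPLE_UFW"   # prints 10.0.5.2
```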

Best Answer

Have you confirmed that ufw is in fact running? E.g. on my Ubuntu installations, that requires setting 'enabled=YES' in /etc/ufw/ufw.conf in order to get ufw to start at boot. On Ubuntu 16.04 it's off by default.

I gather you're saying that you replaced the default /etc/fail2ban/action.d/ufw.conf? Why? Does your recipe work with the original version?

What does fail2ban status <JAIL> show you?
