Iptables – Fail2Ban – IP Tables REJECT not banning

fail2baniptablesubuntu-16.04

I have fail2ban running on Ubuntu 16, with a few jails running.

One is http-get-dos:

Within jail.conf

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/access.log
maxretry = 100
findtime = 60
#ban for 5 minutes
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Filter file:

# Fail2Ban configuration file
[Definition]

# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =

The jail within Fail2Ban seems to be working fine – I just tested it by hammering the URL, and my IP was added into the IP Tables.

However, I am not actually blocked – the IP Tables REJECT is not working it seems.

my.ip.address appears in IP Tables within Chain fail2ban-HTTP a REJECT, but I'm not rejected (can still access the site)

iptables -nvL –line-numbers

Chain INPUT (policy ACCEPT 2689 packets, 413K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       68  5849 fail2ban-HTTP  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2     3104  575K fail2ban-apache-overflows  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
3     3104  575K fail2ban-apache  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
4      728 43824 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3325 packets, 4380K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain fail2ban-HTTP (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       my.ip.address
     0.0.0.0/0            reject-with icmp-port-unreachable
2       68  5849 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     3104  575K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache-overflows (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     3104  575K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      728 43824 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

I'm wondering if it's an order problem – i.e. a global ACCEPT is trumping the fail2ban rule in IPTables. But if this is the problem, I don't know how to fix it, and why fail2ban didn't put it high enough in the first place.

Any advice, most appreciated.

Best Answer

You are monitoring both http and https but banning only http using iptables action. Use iptables-multiport action and ban both http and https.

action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]

Best Answer

Related Solutions

Iptables – Firewall still blocking port 53 despite listing otherwise

Iptables on CentOS 5.5; I want to allow snmp queries from a remote machine

Related Topic