Fail2ban – Why Isn’t Fail2ban Regenerating Its Iptables Chains on Ubuntu 18.04

fail2banfirewalliptablesubuntu-18.04

At some point while running iptables -S on an Ubuntu 18.04.2 LTS system with Fail2ban installed, I noticed that the following lines were missing:

-N f2b-sshd
-A f2b-sshd -j RETURN

What command should I run to regenerate the f2b-sshd chain and all the rules associated with it? I tried running fail2ban-client restart, but this doesn't appear to have any effect.

Best Answer

Given a banaction of iptables-multiport in /etc/fail2ban/jail.conf or /etc/fail2ban/jail.local, it looks like Fail2ban will automatically regenerate the f2b-sshd chain when it bans an IP address—but no earlier. If you'd like to test this for yourself, try running the following command to manually ban an address (like this one from TEST-NET-1):

# fail2ban-client -vvv set sshd banip 192.0.2.0

This behavior appears to be new in Fail2ban v0.10, which now creates chains on demand the first time an IP address is banned by an iptables action.

Related Solutions

Ubuntu – Any non-custom way to manage iptables with fail2ban and libvirt+kvm

This is really old but for people who search and find this, fail2ban and like a lot of other utilities are very configurable. You can change your fail2ban action files like iptables-multiport.conf to call iptables and create chains in the way you want it.

eg.

actionstart = iptables -N fail2ban-<name>
          iptables -A fail2ban-<name> -j RETURN
          iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

This creates a rule smack bang in your INPUT chain which is kind of ugly and unmanageable, but you can quite easily put it in one of your own chains in your control. You can create an INPUT filter which then has chains to other filters for fail2ban to keep all it's stuff out of your INPUT chain as below.

actionstart = iptables -N fail2ban-<name>
          iptables -A fail2ban-<name> -j RETURN
          iptables -I INPUT-FAIL2BAN -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

The same goes for libvirt or Xen where there are scripts that are called to do the work. Xen for instance uses /etc/xen/scripts which you'll find the network-bridge and others where iptables is called. Design it as you want.and worst case, change the code. I for one use fail2ban to modify a central firewall so all servers are protected which means iptables on the local machine doesn't show the rules anyway.

Ubuntu iptables – Why Is iptables Not Blocking an IP Address?

The iptables -s output looks correct and I don't know how 80.82.70.239/32 is getting to any:80 on your server through the firewall. My first guess is that you have a proxy / load balancer in front of the server and Apache is logging the HTTP_X_FORWARDED_FOR header or what ever that is called. If that turns out to be the case you will have to move your firewall logic to the proxy / load balancer or down to the application level (Apache mathing the FORWARDED_FOR header and deny access.

Either way:

The next course of action that I would take, is to capture the output of iptables -s you posted above. Disable fail2ban and load the configuration with the fail2ban chain and IP address blocked into iptables.

But do so with the following as the first -A rule:

-A INPUT -p tcp --dport 80 -j LOG --log-prefix "HTTP: "

If you would feel better trapping 80 and 443 go for it. The thought is that the logs from the FIREWALL may show something we are missing if we pay attention to the packets from suspect sources.

Best Answer

Related Solutions

Ubuntu – Any non-custom way to manage iptables with fail2ban and libvirt+kvm

Ubuntu iptables – Why Is iptables Not Blocking an IP Address?

Either way:

Related Topic