Linux – Debian with iptables and fail2ban does not ban IP


I have a server with Debian 9.
I have installed fail2ban and configured it. It works with sshd (bans the IP on failed logins) but I can't make it work with apache-auth (the IP is banned but iptables doesn't block it).

jail.local looks like:

[DEFAULT]
bantime  = 720h
findtime  = 60m
banaction = iptables
mta = sendmail
destemail = my-email@example.com
action = %(action_mw)s
maxretry = 2

[sshd]
enabled = true

[apache-auth]
enabled = true

When I run the command:

fail2ban-client status sshd

it shows the banned IPs.
When I run the command:

iptables -L -n

It shows the IPs from the previous command. So it's working correctly.

When I run:

fail2ban-client status apache-auth

It shows the banned IP (me).

iptables -L -n

It doesn't show any IP from the previous list.
It may be important that iptables shows:

Chain f2b-apache-auth (0 references)

And I can still connect to the server via WWW. I had exactly the same issue with nginx, so I switched to apache; I was thinking this would solve my issue.

Best Answer

My jail.conf part for apache looks a bit different

[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6

You can find the loaded configuration with

fail2ban-client -d

You said you are testing locally. Make sure your IP is not in the netmask given in ignoreip.

As the action is probably triggered in your case, have a look for the entry actionban there and see if it actually adds the desired iptables rule.

Maybe /var/log/fail2ban.log has more information?
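
The "Chain f2b-apache-auth (0 references)" line from the question can be checked for mechanically. The script below is an added example, not part of the original question or answer: it reads `iptables -S` output and lists every `f2b-*` chain that no rule jumps to. The function name and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: list fail2ban chains that exist but are never jumped to.
# Input: the output of `iptables -S` on stdin.
unreferenced_f2b_chains() {
    awk '
        # "-N f2b-<jail>" declares a chain created by a fail2ban action
        $1 == "-N" && $2 ~ /^f2b-/ { defined[$2] = 1 }
        # a rule containing "-j f2b-<jail>" (or -g) makes that chain reachable
        $1 == "-A" {
            for (i = 3; i < NF; i++)
                if (($i == "-j" || $i == "-g") && $(i + 1) ~ /^f2b-/)
                    referenced[$(i + 1)] = 1
        }
        END {
            for (c in defined)
                if (!(c in referenced)) print c
        }
    ' | sort
}

# Constructed sample of `iptables -S` output (documentation address range):
# the sshd chain is hooked into INPUT, the apache-auth chain is not.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-apache-auth
-N f2b-sshd
-A INPUT -p tcp -m tcp --dport 22 -j f2b-sshd
-A f2b-apache-auth -j RETURN
-A f2b-sshd -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN'

# On a live host: iptables -S | unreferenced_f2b_chains
printf '%s\n' "$SAMPLE_RULES" | unreferenced_f2b_chains
```

A chain printed here was created, but nothing in INPUT jumps to it, so its ban rules never see traffic; compare it with the jail's actionstart entry in the `fail2ban-client -d` output. One cause to rule out (an assumption about this setup, not confirmed on the page) is the single-port `iptables` action being used for a jail whose port is a list such as `http,https`, which is what `iptables-multiport` is meant for.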
