Linux – Fix Fail2ban Not Correctly Modifying iptables

fail2baniptableslinuxlinux-networkingssh

I just installed fail2ban in NetinVM (a constellation of virtual machines inside a VM)

so far so good,
I install in a specific machine (10.5.1.13) where ssh is on 2222 (all on root)

From other machine (10.5.1.11) I repetitively ssh to that first one with wrong password.

fail2ban recognise the "attack" and said to ban the ip

fail2ban> status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 20
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned: 2
   `- Banned IP list:   10.5.1.11

as I take a look into iptables:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain f2b-sshd (1 references)
target     prot opt source               destination         
REJECT     all  --  dmzb.example.net     anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

this REJECT rule is added, and resolution of dmzb.emaple.net seems proper:

$ ping dmzb.example.net
PING dmzb.example.net (10.5.1.11) 56(84) bytes of data.
64 bytes from dmzb.example.net (10.5.1.11): icmp_seq=1 ttl=64 time=0.940 ms

and resolve the domain added into the iptables correctly to the "attacker" IP

nevertheless, I can still proceed with ssh trials from the "attacker" machine, getting the password request, and even entering if I put correct password.

update:
as suggested, tried 

$ iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain f2b-sshd (1 references)
target     prot opt source               destination         
REJECT     all  --  10.5.1.11            0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

ip seems the correct one, still, banning is not being applied.

Best Answer

Inside your rule set you bind the fail2ban checking with port 22, but in the description you have written, that your ssh actually listens the port 2222. To check it start from iptables-save -c or iptables -L -n -v. Check the counters of the corresponded rules. Also, the tcpdump is also very helpful tool in your case.

Related Topic