Originally Posted by falko
I think you can configure fail2ban to not use iptables.
I think fail2ban should actually be working fine.
As a workaround, I made the following changes in /etc/fail2ban/action.d/iptables-multiport.conf
#actionstart = iptables -N fail2ban-<name>
#              iptables -A fail2ban-<name> -j RETURN
#              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
#actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
#             iptables -F fail2ban-<name>
#             iptables -X fail2ban-<name>
#actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
actionban = php -f /etc/fail2ban/firewallapi.php add INPUT "<ip>" DROP
#actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = php -f /etc/fail2ban/firewallapi.php delete INPUT "<ip>" DROP
#actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
So basically, everything is commented out, and the actionban is handled by a PHP script which queries the vServer API. These changes were recommended by my hosting provider.
After changing it as shown above, fail2ban was able to start again
(I was getting a 300 error before). Here's what /var/log/fail2ban.log
fail2ban.jail : INFO Creating new jail 'ssh'
fail2ban.filter : INFO Added logfile = /var/log/auth.log
fail2ban.jail : INFO Creating new jail 'pureftpd'
fail2ban.filter : INFO Added logfile = /var/log/syslog
fail2ban.jail : INFO Creating new jail 'dovecot-pop3imap'
fail2ban.filter : INFO Added logfile = /var/log/mail.log
fail2ban.jail : INFO Jail 'ssh' started
fail2ban.jail : INFO Jail 'pureftpd' started
fail2ban.jail : INFO Jail 'dovecot-pop3imap' started
So fail2ban seems to be running correctly, BUT: it doesn't seem to care about the filters, because nothing happens (and nothing is logged) even when I try to provoke a ban on purpose. And I suppose it has something to do with ISPConfig endlessly reporting that one error over and over again in /var/log/ispconfig/cron.log:
iptables v1.4.12: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
ip6tables v1.4.12: can't initialize ip6tables table `filter': Permission denied (you must be root)
Perhaps ip6tables or your kernel needs to be upgraded.
But if fail2ban is running, what else could be causing that error?
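As an added example (not the hosting provider's script, whose API is not shown in the post), here is a local stand-in for firewallapi.php: it takes the same `add|delete CHAIN IP TARGET` arguments that the actionban/actionunban lines above pass, validates the `<ip>` that fail2ban substitutes from the matched log line before using it, and records bans idempotently in a JSON file instead of calling the vServer API. The state file path and the permitted chain/target sets are assumptions made for the example.

```python
import ipaddress
import json
import sys
from pathlib import Path

STATE = Path("/tmp/fail2ban-bans.json")  # constructed path; stands in for the API
ALLOWED_CHAINS = {"INPUT", "FORWARD"}
ALLOWED_TARGETS = {"DROP", "REJECT"}


def parse_args(argv):
    """Validate 'add|delete CHAIN IP TARGET' as passed by actionban/actionunban.
    <ip> comes from a matched log line, so it is untrusted and must parse."""
    if len(argv) != 4:
        raise ValueError("usage: add|delete CHAIN IP TARGET")
    op, chain, ip, target = argv
    if op not in ("add", "delete"):
        raise ValueError(f"unknown operation {op!r}")
    if chain not in ALLOWED_CHAINS or target not in ALLOWED_TARGETS:
        raise ValueError(f"chain/target {chain}/{target} not permitted")
    return op, chain, str(ipaddress.ip_address(ip)), target


def apply(op, chain, ip, target, state):
    """Apply one ban/unban to the state dict; return True if anything changed.
    Re-adding a ban or deleting a missing one is a no-op (fail2ban replays bans)."""
    rules = state.setdefault(chain, [])
    rule = {"ip": ip, "target": target}
    if op == "add" and rule not in rules:
        rules.append(rule)
        return True
    if op == "delete" and rule in rules:
        rules.remove(rule)
        return True
    return False


def main(argv):
    op, chain, ip, target = parse_args(argv)
    state = json.loads(STATE.read_text()) if STATE.exists() else {}
    changed = apply(op, chain, ip, target, state)
    STATE.write_text(json.dumps(state))
    print("changed" if changed else "no-op", op, chain, ip, target)


if __name__ == "__main__":
    try:
        main(sys.argv[1:])
    except ValueError as exc:
        sys.exit(f"firewallapi: {exc}")
```

Running it by hand with the exact arguments from the actionban line (`python3 firewallapi.py add INPUT 203.0.113.7 DROP`) is a quick way to confirm the action itself works before suspecting the filters.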