HowtoForge Forums (HowtoForge - Linux Howtos and Tutorials) > Linux Forums > Server Operation

  #1  
20th February 2013, 19:53
ispfan (Junior Member; Join Date: Dec 2011; Posts: 2)

fail2ban ignores its [default] jail.conf

This is more of an iptables+fail2ban issue though, the more I look at it.

So I have ignoreip set to my IP block, the client is 10.10.10.2, but iptables still doesn't let me get to HTTP. The only thing working is SSH, and that's going through fail2ban as far as I can tell. Here's my jail.conf:
Code:
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 10.10.10.0/255

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "inotify", "gamin", "polling" and "auto". This option can be
# overridden in each jail too (use "gamin" for a jail and "polling" for
# another).
#
# inotify: requires pyinotify and the a kernel supporting Inotify
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Inotify if pyinotify is present, if not then it will
# 	   try Gamin and use that if available, and polling otherwise.
backend = polling


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
Then I have the following for iptables:
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1104]
:fail2ban-BadBots - [0:0]
:fail2ban-SSH - [0:0]
#-A INPUT -m state --state NEW -j LOG --log-level warning --log-prefix "BLOCK "
-A INPUT -p tcp -m multiport --dports 80,443 -j LOG --log-level warning --log-prefix "HTTP PORT ACTIVITY: "
#-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-BadBots 
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH 
-A INPUT -m geoip  --source-country CN -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j fail2ban-BadBots 
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT 
#-A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT 
-A fail2ban-BadBots -j RETURN 
-A fail2ban-SSH -j RETURN 
COMMIT
So, given I'm a complete noob at it, iptables says to me that it filters port 22 via fail2ban. Then further down, it simply accepts any new connections on port 22, and does not bother fail2ban with that. The line that has port 80 will not work via fail2ban; it's as if the service is unresponsive or simply is on a ban frenzy. Here's what fail2ban has in its jail.conf about that:
Code:
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="80,443"]
           sendmail-buffered[name=BadBots, lines=5, dest=stripped@emailandhost.com]
logpath  = /var/www/*/logs/access_log
bantime  = 172800
maxretry = 1
And here's the output of that logging line, when I try to access that machine via HTTP:
Code:
Feb 20 13:37:26 host2 kernel: HTTP PORT ACTIVITY: IN=eth0 OUT= MAC=00:e0:XX:8e:d5:XX:30:85:XX:e8:5c:XX:08:00 SRC=10.10.10.1 DST=10.10.10.10 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=52552 DF PROTO=TCP SPT=63608 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Any help would be appreciated. Thank you!
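An added example, not part of the original post, that traces the posted ruleset. ignoreip only tells fail2ban which sources it must never ban; it adds no iptables rule. In the INPUT chain above there is no ACCEPT for new connections to ports 80 or 443 (the multiport rule that would have done it is commented out), so the logged SYN is logged, jumps into fail2ban-BadBots, which only RETURNs when the source is not banned, and then falls through to the final REJECT. That is also why SSH works: port 22 has its own NEW ACCEPT rule. Separately, 10.10.10.0/255 is not a valid network (a prefix length cannot exceed 32); the jail.conf comment means something like 10.10.10.0/24 or 10.10.10.0/255.255.255.0. The script below models first-match traversal of the posted INPUT chain and of a corrected one (FIXED is this editor's guess at what was intended, not the poster's config), and checks ignoreip syntax with Python's stdlib ipaddress module rather than fail2ban's own parser. The packet's country tag standing in for -m geoip, the placeholder country "XX", and the way with_ban inserts a DROP at position 1 of the fail2ban chain (how the iptables-multiport action bans) are assumptions for the simulation.

```python
import ipaddress

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def rule(target, proto=None, dports=None, states=None, iface=None, src=None, country=None):
    """One iptables rule: a match dict (None = match anything) and a target."""
    return ({"proto": proto, "dports": dports, "states": states, "iface": iface,
             "src": src, "country": country}, target)

def matches(m, pkt):
    if m["proto"] and pkt["proto"] != m["proto"]:
        return False
    if m["dports"] and pkt.get("dport") not in m["dports"]:
        return False
    if m["states"] and pkt["state"] not in m["states"]:
        return False
    if m["iface"] and pkt["iface"] != m["iface"]:
        return False
    if m["country"] and pkt.get("country") != m["country"]:   # stands in for -m geoip
        return False
    if m["src"] and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(m["src"]):
        return False
    return True

def walk(chains, chain, pkt, policy="ACCEPT"):
    """First-match traversal: LOG does not terminate, RETURN (or the end of a user
    chain) resumes the caller, and the policy applies only if nothing terminated."""
    for m, target in chains[chain]:
        if not matches(m, pkt):
            continue
        if target == "LOG":
            continue
        if target == "RETURN":
            return None
        if target in TERMINAL:
            return target
        verdict = walk(chains, target, pkt, policy)   # jump into a user chain
        if verdict is not None:
            return verdict
    return policy if chain == "INPUT" else None

# The INPUT chain as posted (policy ACCEPT; the commented-out rules omitted).
POSTED = {
    "INPUT": [
        rule("LOG", proto="tcp", dports={80, 443}),
        rule("fail2ban-SSH", proto="tcp", dports={22}),
        rule("DROP", country="CN"),
        rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
        rule("ACCEPT", proto="icmp"),
        rule("ACCEPT", iface="lo"),
        rule("ACCEPT", proto="tcp", dports={22}, states={"NEW"}),
        rule("fail2ban-BadBots", proto="tcp", dports={80}, states={"NEW"}),
        rule("REJECT"),
    ],
    "fail2ban-BadBots": [rule("RETURN")],
    "fail2ban-SSH": [rule("RETURN")],
}

# Assumed fix (editor's, not the poster's): route new 80/443 connections through the
# BadBots chain, which the jail action names, then ACCEPT them before the final REJECT.
FIXED = {
    "INPUT": POSTED["INPUT"][:-2] + [
        rule("fail2ban-BadBots", proto="tcp", dports={80, 443}, states={"NEW"}),
        rule("ACCEPT", proto="tcp", dports={80, 443}, states={"NEW"}),
        rule("REJECT"),
    ],
    "fail2ban-BadBots": [rule("RETURN")],
    "fail2ban-SSH": [rule("RETURN")],
}

def syn_from_log(src="10.10.10.1", dport=80, iface="eth0", country="XX"):
    """The logged packet (SRC=10.10.10.1 DPT=80 SYN on eth0) as conntrack sees it:
    a NEW tcp connection.  The country tag is a constructed placeholder."""
    return {"proto": "tcp", "dport": dport, "state": "NEW", "iface": iface,
            "src": src, "country": country}

def with_ban(chains, name, ip):
    """Mimic fail2ban's iptables-multiport actionban, which inserts
    '-s <ip> -j DROP' at position 1 of the fail2ban-<name> chain (assumption)."""
    out = {k: list(v) for k, v in chains.items()}
    out["fail2ban-" + name].insert(0, rule("DROP", src=ip))
    return out

def ignoreip_ok(entry):
    """Syntax check for an ignoreip entry given as an address or network (CIDR or
    dotted netmask) using the stdlib parser, not fail2ban's own; the DNS-hostname
    form that ignoreip also accepts is not checked."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    banned = with_ban(FIXED, "BadBots", "10.10.10.1")
    for label, chains in (("posted", POSTED), ("fixed", FIXED), ("fixed+ban", banned)):
        print(f"{label:10s} SYN to :80 from 10.10.10.1 -> {walk(chains, 'INPUT', syn_from_log())}")
    for entry in ("10.10.10.0/255", "10.10.10.0/24", "10.10.10.0/255.255.255.0"):
        print(f"ignoreip {entry!r}: {'ok' if ignoreip_ok(entry) else 'INVALID'}")
```

Running it reports REJECT for the logged SYN under the posted ruleset, ACCEPT under the corrected one, and DROP once a ban for 10.10.10.1 has been inserted into fail2ban-BadBots, while 10.10.10.0/255 is flagged as invalid. The order in FIXED matters: the jump into the fail2ban chain has to come before the ACCEPT, otherwise a ban inserted by fail2ban is never consulted.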
Tags: fail2ban, iptables, random