fail2ban ignores its [default] jail.conf

Discussion in 'Server Operation' started by ispfan, Feb 20, 2013.

  1. ispfan

    ispfan New Member

    This is more of a iptables+failban issue though, the more I look at it.

    So I have ignoreip set to my ip block, client is, but iptables still doesn't let me get to http. The only thing working is ssh, and that's going through fail2ban as far as I can tell. Here's my jail.conf:
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    ignoreip =
    # "bantime" is the number of seconds that a host is banned.
    bantime  = 3600
    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime  = 600
    # "maxretry" is the number of failures before a host get banned.
    maxretry = 3
    # "backend" specifies the backend used to get files modification. Available
    # options are "inotify", "gamin", "polling" and "auto". This option can be
    # overridden in each jail too (use "gamin" for a jail and "polling" for
    # another).
    # inotify: requires pyinotify and the a kernel supporting Inotify
    # gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
    #          is not installed, Fail2ban will use polling.
    # polling: uses a polling algorithm which does not require external libraries.
    # auto:    will choose Inotify if pyinotify is present, if not then it will
    # 	   try Gamin and use that if available, and polling otherwise.
    backend = polling
    # This jail corresponds to the standard configuration in Fail2ban 0.6.
    # The mail-whois action send a notification e-mail with a whois request
    # in the body.
    Then I have the following for iptables:
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [12:1104]
    :fail2ban-BadBots - [0:0]
    :fail2ban-SSH - [0:0]
    #-A INPUT -m state --state NEW -j LOG --log-level warning --log-prefix "BLOCK "
    -A INPUT -p tcp -m multiport --dports 80,443 -j LOG --log-level warning --log-prefix "HTTP PORT ACTIVITY: "
    #-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-BadBots 
    -A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH 
    -A INPUT -m geoip  --source-country CN -j DROP 
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -p icmp -j ACCEPT 
    -A INPUT -i lo -j ACCEPT 
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j fail2ban-BadBots 
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    #-A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT 
    #-A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT 
    -A fail2ban-BadBots -j RETURN 
    -A fail2ban-SSH -j RETURN 
    So, given I'm a complete noob at it, iptables says to me that it filters port 22 via fail2ban. Then further down, it simply accepts any new connections on port 22, and does not bother fail2ban with that. The line that has port 80 will not work via fail2ban, it's as if the service is unresponsive or simply is on a ban frenzy. Here's what fail2ban has in its jail.conf about that:
    # Ban hosts which agent identifies spammer robots crawling the web
    # for email addresses. The mail outputs are buffered.
    enabled  = true
    filter   = apache-badbots
    action   = iptables-multiport[name=BadBots, port="80,443"]
               sendmail-buffered[name=BadBots, lines=5, [email protected]]
    logpath  = /var/www/*/logs/access_log
    bantime  = 172800
    maxretry = 1
    And here's the output of that logging line, when I try to access that machine via HTTP:
    Feb 20 13:37:26 host2 kernel: HTTP PORT ACTIVITY: IN=eth0 OUT= MAC=00:e0:XX:8e:d5:XX:30:85:XX:e8:5c:XX:08:00 SRC= DST= LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=52552 DF PROTO=TCP SPT=63608 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
    Any help would be appreciated. Thank you!

Share This Page