Gentoo Forums
fail2ban + iptables "already banned"
Gentoo Forums Forum Index :: Networking & Security
Philippe23
Tux's lil' helper


Joined: 20 Dec 2006
Posts: 130
Location: Central NY

Posted: Sat Mar 01, 2014 6:32 pm    Post subject: fail2ban + iptables "already banned"

Hey, I'm looking for suggestions of what I might have misconfigured. I get a fair amount of these from fail2ban:
Quote:
Feb 28 12:15:01 localhost fail2ban.actions[4327]: INFO [sasl-iptables] 49.48.2.132 already banned
Feb 28 12:50:50 localhost fail2ban.actions[4327]: INFO [sasl-iptables] 113.193.130.89 already banned
Feb 28 18:46:56 localhost fail2ban.actions[4327]: INFO [courier-iptables] 95.163.107.210 already banned
I get them for pretty much all of my jail rules. Here's my jail.local, minus the comments:
Quote:
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 28800
findtime = 600
maxretry = 10
backend = auto

[postfix-iptables]
enabled = true
filter = postfix
action = iptables[name=POSTFIX,port=smtp]
         iptables[name=POSTFIX,port=submission]
         iptables[name=POSTFIX,port=smtps]
         sendmail-geoip[name=POSTFIX,dest=fail2ban@XXX.com]
logpath = /var/log/messages
maxretry = 9

[sasl-iptables]
enabled = true
filter = postfix-sasl
action = iptables[name=POSTFIX-SASL,port=smtp]
         iptables[name=POSTFIX-SASL,port=submission]
         iptables[name=POSTFIX-SASL,port=smtps]
         sendmail-geoip[name=POSTFIX-SASL,dest=fail2ban@XXX.com]
logpath = /var/log/messages
maxretry = 9

[courier-iptables]
enabled = true
filter = courierlogin
action = iptables[name=COURIER,port=imap]
         iptables[name=COURIER,port=imaps]
         iptables[name=COURIER,port=pop3]
         iptables[name=COURIER,port=pop3s]
         sendmail-geoip[name=COURIER,dest=fail2ban@XXX.com]
logpath = /var/log/messages
maxretry = 9
And my iptables INPUT chain:
Quote:
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-COURIER tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
fail2ban-POSTFIX tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
fail2ban-POSTFIX-SASL tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
fail2ban-COURIER tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
fail2ban-POSTFIX tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
fail2ban-POSTFIX-SASL tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
dolts all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 169.254.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 172.16.0.0/12 0.0.0.0/0 reject-with icmp-port-unreachable
...
Anybody see what I'm missing?
666threesixes666
Veteran


Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

Posted: Sat Mar 01, 2014 6:55 pm

Your perception is what is off..... the IP is already banned, and they are attacking more, and fail2ban is trying to ban them again, but they are already banned.
Philippe23
Tux's lil' helper


Joined: 20 Dec 2006
Posts: 130
Location: Central NY

Posted: Sat Mar 01, 2014 7:19 pm

That sure makes it sound like something is wrong, since they shouldn't be able to try again ... they're banned. It appears the ban is not being very effective for some reason in my setup.
666threesixes666
Veteran


Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

Posted: Sat Mar 01, 2014 7:45 pm

Mmmm, this brings up the point that our fail2ban wiki article needs sites to provide test attacks..... you fix it, I'm sick of fixing that thing...
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21593

Posted: Sat Mar 01, 2014 8:40 pm

If you suspect something is wrong with your filter rules, then please show them. Use iptables-save -c.
Philippe23
Tux's lil' helper


Joined: 20 Dec 2006
Posts: 130
Location: Central NY

Posted: Sun Mar 02, 2014 12:46 am

I think I figured it out. I had multiple iptables actions for each rule, all with the same name but different ports. I think that was causing only the first (or last) to be created. I switched to iptables-multiport instead. I'm going to see how that goes.
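The collision described in this post, as an added example that is not from the thread: a small linter that parses a jail.local fragment, finds jails that list the same action file (iptables) more than once with different ports, reports which port survives and which are silently lost, and prints the equivalent single iptables-multiport action. The overwrite behaviour is stated as an assumption about fail2ban 0.8; the sample jail is constructed to mirror the poster's [postfix-iptables] section.

```python
# Added example, not from the thread: lint a fail2ban 0.8-style jail.local for jails that
# repeat the same action file ("iptables") with different ports. Assumed 0.8 behaviour:
# the server keeps one action per file name per jail, so later entries overwrite earlier
# ones and only the last port gets a rule in fail2ban-<NAME> (as in the poster's listing).
import re
# Constructed sample mirroring the poster's [postfix-iptables] jail, comments removed.
JAIL_LOCAL = """\
[postfix-iptables]
enabled = true
action = iptables[name=POSTFIX,port=smtp]
         iptables[name=POSTFIX,port=submission]
         iptables[name=POSTFIX,port=smtps]
         sendmail-geoip[name=POSTFIX,dest=fail2ban@example.com]
logpath = /var/log/messages
"""
ACTION_RE = re.compile(r"^\s*([\w-]+)(?:\[(.*)\])?\s*$")

def parse_jails(text):
    """Return {jail: [(action_file, {param: value}), ...]} for every [section]."""
    jails, current, in_action = {}, None, False
    for line in text.splitlines():
        if line.startswith("["):                       # new section header
            current, in_action = line.strip("[] "), False
            jails[current] = []
        elif current and line.strip():
            if not line[0].isspace() and "=" in line:  # "key = value", not a continuation
                key, _, line = line.partition("=")
                in_action = key.strip() == "action"
            m = ACTION_RE.match(line) if in_action else None
            if m:
                kvs = (m.group(2) or "").split(",")
                jails[current].append((m.group(1), dict(kv.split("=", 1) for kv in kvs if "=" in kv)))
    return jails

def lint_jails(jails):
    """Per jail/action file: surviving port, silently lost ports, equivalent multiport action."""
    report = {}
    for jail, actions in jails.items():
        ports = {}
        for action_file, params in actions:
            if "port" in params:
                ports.setdefault(action_file, []).append((params.get("name", jail), params["port"]))
        for action_file, entries in ports.items():
            if len(entries) > 1:                       # repeated action file -> clobbering
                name, kept = entries[-1]
                allports = ",".join(p for _, p in entries)
                report.setdefault(jail, {})[action_file] = {
                    "kept": kept, "lost": [p for _, p in entries[:-1]],
                    "fix": 'iptables-multiport[name=%s,port="%s"]' % (name, allports)}
    return report
```

Running lint_jails(parse_jails(JAIL_LOCAL)) on the sample reports that only smtps keeps a rule while smtp and submission are lost, and suggests iptables-multiport with port="smtp,submission,smtps".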
Philippe23
Tux's lil' helper


Joined: 20 Dec 2006
Posts: 130
Location: Central NY

Posted: Fri Mar 21, 2014 12:14 pm

Yeah, that seems to have fixed it. I haven't had an "already banned" message since I made the change 20+ days ago.
666threesixes666
Veteran


Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

Posted: Fri Mar 21, 2014 5:56 pm

Migrate to sshguard; fail2ban is producing false negatives..... I made a wiki page for sshguard:

https://wiki.gentoo.org/wiki/Sshguard