First, a mini-primer on iptables.
iptables is both a command and the name of the Linux firewall subsystem. The command is used to set up firewall rules in RAM. The iptables firewall rules are arranged first into tables: there is the default filter table, but also nat, mangle, raw and security tables, for various purposes. fail2ban is doing traffic filtering, so it uses the filter table.
The tables are then further divisible into filter chains. Each table has certain standard chains: for the filter table, the standard chains are INPUT, FORWARD and OUTPUT. The FORWARD chain is only used when the system is configured to route traffic for other systems. The INPUT chain deals with incoming traffic to this system.
If fail2ban added its rules directly to the INPUT chain and wiped that chain clean when all the bans expired, then you would have to turn over full control of your firewall input rules to fail2ban - you could not easily have any custom firewall rules in addition to what fail2ban does. This is clearly not desirable, so fail2ban won't do that.
Instead, fail2ban creates its own filter chain it can fully manage on its own, and adds on start-up a single rule to the INPUT chain to send any matching traffic to be processed through fail2ban's chain.
For example, when configured to protect sshd, fail2ban should be executing these commands at start-up:
iptables -N f2b-sshd
iptables -A f2b-sshd -j RETURN
iptables -I INPUT -p tcp -m multiport --dports <TCP ports configured for sshd protection> -j f2b-sshd
These commands create an f2b-sshd filter chain, set RETURN as its last rule (so that when any fail2ban rules have been processed, the normal processing of INPUT rules will continue as without fail2ban), and finally add a rule to the beginning of the INPUT chain to catch any SSH traffic and send it first to the f2b-sshd chain.
Now, when fail2ban needs to ban an IP address for SSH use, it will just insert a new rule to the f2b-sshd chain.
If you are using firewalld or some other system that manages iptables firewall rules for you, or if you clear all the iptables rules manually, then these initial rules, and possibly the entire f2b-sshd filter chain, may be wiped out. You should make sure that any firewall management tool you might be using maintains that initial rule in the INPUT chain and doesn't touch the f2b-sshd chain at all.
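The chain layout described above, plus a check for the "wiped by another firewall tool" problem, as an added shell example. This is not fail2ban's own action script: it reproduces the start-up rules quoted above, adds ban/unban/stop steps in the same style, and a check using iptables -C that reports whether the INPUT jump rule and the f2b-sshd chain are still present. The chain name f2b-sshd and port 22 are assumed; the REJECT-with-ICMP ban rule is an assumption about what a ban looks like, not a claim about fail2ban's configured default. Setting IPTABLES=echo prints the commands instead of running them, which is also how the example is tested.

```shell
#!/bin/sh
# Added example, not fail2ban code. Mirrors the f2b-sshd chain layout from the text.
# Assumptions: chain f2b-sshd, sshd on TCP 22, iptables supports -C (rule check).
# Set IPTABLES=echo to dry-run and just print the commands.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="f2b-sshd"
PORTS="22"

# Start-up: own chain, trailing RETURN, and the single jump rule at the top of INPUT.
f2b_start() {
    "$IPTABLES" -N "$CHAIN"
    "$IPTABLES" -A "$CHAIN" -j RETURN
    "$IPTABLES" -I INPUT -p tcp -m multiport --dports "$PORTS" -j "$CHAIN"
}

# Ban: insert at position 1 so the rule is evaluated before the trailing RETURN.
# (REJECT with ICMP port-unreachable is an assumed ban action for this example.)
f2b_ban() {
    "$IPTABLES" -I "$CHAIN" 1 -s "$1" -j REJECT --reject-with icmp-port-unreachable
}

# Unban: delete the matching rule; the rest of the chain is untouched.
f2b_unban() {
    "$IPTABLES" -D "$CHAIN" -s "$1" -j REJECT --reject-with icmp-port-unreachable
}

# Stop: remove the jump rule first, then flush and delete the chain (a chain that is
# still referenced from INPUT cannot be deleted with -X).
f2b_stop() {
    "$IPTABLES" -D INPUT -p tcp -m multiport --dports "$PORTS" -j "$CHAIN"
    "$IPTABLES" -F "$CHAIN"
    "$IPTABLES" -X "$CHAIN"
}

# Check: returns 0 if both the INPUT jump rule and the chain exist, 1 otherwise.
# iptables -C exits non-zero when the rule is absent; -L on a missing chain also fails.
# Run this after a firewalld reload or manual flush to see whether fail2ban's
# rules survived.
f2b_check() {
    "$IPTABLES" -C INPUT -p tcp -m multiport --dports "$PORTS" -j "$CHAIN" 2>/dev/null || return 1
    "$IPTABLES" -n -L "$CHAIN" >/dev/null 2>&1 || return 1
    return 0
}

# Minimal CLI: start | ban <ip> | unban <ip> | stop | check (no argument does nothing).
case "${1:-}" in
    start) f2b_start ;;
    ban)   f2b_ban "$2" ;;
    unban) f2b_unban "$2" ;;
    stop)  f2b_stop ;;
    check) f2b_check && echo "f2b rules present" || { echo "f2b rules missing"; exit 1; } ;;
    *) ;;
esac
```

Usage: `IPTABLES=echo sh f2b-chain.sh start` shows the three start-up commands without touching the firewall; as root, `sh f2b-chain.sh check` after reloading firewalld tells you whether the INPUT jump rule and the f2b-sshd chain are still in place. Note that the check only proves the jump rule exists; if a management tool re-inserted its own rules above it, SSH packets may still be accepted or dropped before they ever reach f2b-sshd, so `iptables -n -L INPUT --line-numbers` is worth a look as well.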