fail2ban adds IP to iptables, blocking is not working though

Hello, I have a problem on my Leap machine with fail2ban. Failed login attempts are filling the journal, so I decided to install fail2ban, but it does not work as expected: even though it seems to add rules to iptables, the port is still reachable. I tried from outside, made 5 failed attempts; it logged me and blocked me (actually it only wrote that it did) and added my IP correctly to iptables, but I can still connect from the blocked IP. What might be the cause? Is firewall-cmd interfering with iptables? I have sshd running on a non-standard port, if that could be the problem. Thank you.

**server:~ #** firewall-cmd --stat 
running
**server:~ #** iptables -L -v -n 
Chain INPUT (policy ACCEPT 939 packets, 116K bytes) 
 pkts bytes target     prot opt in     out     source               destination          
    0     0 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) 
 pkts bytes target     prot opt in     out     source               destination          

Chain OUTPUT (policy ACCEPT 826 packets, 114K bytes) 
 pkts bytes target     prot opt in     out     source               destination          

Chain f2b-sshd (1 references) 
 pkts bytes target     prot opt in     out     source               destination          
    0     0 REJECT     all  --  *      *       85.184.70.58         0.0.0.0/0            reject-with icmp-port-unreachable 
   0     0 REJECT     all  --  *      *       92.246.16.39         0.0.0.0/0            reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       188.75.134.126       0.0.0.0/0            reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       120.221.150.207      0.0.0.0/0            reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       139.59.56.121        0.0.0.0/0            reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       125.76.246.23        0.0.0.0/0            reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       189.79.242.92        0.0.0.0/0            reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       89.186.30.23         0.0.0.0/0            reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       190.46.15.201        0.0.0.0/0            reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       128.199.127.217      0.0.0.0/0            reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       43.229.225.236       0.0.0.0/0            reject-with icmp-port-unreachable 
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0  
**server:~ #** cat /var/log/fail2ban.log | tail -n 30 
2022-02-03 09:49:17,303 fail2ban.filter         [32264]: INFO    [sshd] Found 85.184.70.58 - 2022-02-03 09:49:17 
2022-02-03 09:49:19,053 fail2ban.filter         [32264]: INFO    [sshd] Found 161.132.96.90 - 2022-02-03 09:49:18 
2022-02-03 09:49:19,393 fail2ban.actions        [32264]: WARNING [sshd] 161.132.96.90 already banned 
2022-02-03 09:49:21,802 fail2ban.filter         [32264]: INFO    [sshd] Found 92.246.16.39 - 2022-02-03 09:49:21 
2022-02-03 09:49:24,302 fail2ban.filter         [32264]: INFO    [sshd] Found 85.184.70.58 - 2022-02-03 09:49:23 
2022-02-03 09:49:26,037 fail2ban.filter         [32264]: INFO    [sshd] Found 161.132.96.90 - 2022-02-03 09:49:25 
2022-02-03 09:49:26,038 fail2ban.filter         [32264]: INFO    [sshd] Found 85.184.70.58 - 2022-02-03 09:49:26 
2022-02-03 09:49:28,551 fail2ban.filter         [32264]: INFO    [sshd] Found 161.132.96.90 - 2022-02-03 09:49:28 
2022-02-03 09:49:32,551 fail2ban.filter         [32264]: INFO    [sshd] Found 85.184.70.58 - 2022-02-03 09:49:32 
2022-02-03 09:49:32,619 fail2ban.actions        [32264]: WARNING [sshd] 85.184.70.58 already banned 
2022-02-03 09:49:34,758 fail2ban.filter         [32264]: INFO    [sshd] Found 85.184.70.58 - 2022-02-03 09:49:34 
2022-02-03 09:49:37,052 fail2ban.filter         [32264]: INFO    [sshd] Found 161.132.96.90 - 2022-02-03 09:49:36 
2022-02-03 09:49:41,052 fail2ban.filter         [32264]: INFO    [sshd] Found 85.184.70.58 - 2022-02-03 09:49:40 
2022-02-03 09:49:42,387 fail2ban.filter         [32264]: INFO    [sshd] Found 85.184.70.58 - 2022-02-03 09:49:42 
2022-02-03 09:49:43,551 fail2ban.filter         [32264]: INFO    [sshd] Found 161.132.96.90 - 2022-02-03 09:49:43 
2022-02-03 09:49:43,839 fail2ban.actions        [32264]: WARNING [sshd] 161.132.96.90 already banned 
2022-02-03 09:49:45,553 fail2ban.filter         [32264]: INFO    [sshd] Found 161.132.96.90 - 2022-02-03 09:49:45 
2022-02-03 09:49:49,553 fail2ban.filter         [32264]: INFO    [sshd] Found 85.184.70.58 - 2022-02-03 09:49:49 
2022-02-03 09:49:49,855 fail2ban.actions        [32264]: WARNING [sshd] 85.184.70.58 already banned 
2022-02-03 09:49:52,303 fail2ban.filter         [32264]: INFO    [sshd] Found 161.132.96.90 - 2022-02-03 09:49:51 
2022-02-03 09:49:54,052 fail2ban.filter         [32264]: INFO    [sshd] Found 161.132.96.90 - 2022-02-03 09:49:53 
2022-02-03 09:49:54,552 fail2ban.filter         [32264]: INFO    [sshd] Found 92.246.16.39 - 2022-02-03 09:49:54 
2022-02-03 09:49:55,072 fail2ban.actions        [32264]: WARNING [sshd] 92.246.16.39 already banned 
2022-02-03 09:49:55,303 fail2ban.filter         [32264]: INFO    [sshd] Found 85.184.70.58 - 2022-02-03 09:49:55 
2022-02-03 09:49:56,802 fail2ban.filter         [32264]: INFO    [sshd] Found 92.246.16.39 - 2022-02-03 09:49:56 
2022-02-03 09:49:57,802 fail2ban.filter         [32264]: INFO    [sshd] Found 85.184.70.58 - 2022-02-03 09:49:57 
2022-02-03 09:50:00,762 fail2ban.filter         [32264]: INFO    [sshd] Found 161.132.96.90 - 2022-02-03 09:50:00 
2022-02-03 09:50:01,088 fail2ban.actions        [32264]: WARNING [sshd] 161.132.96.90 already banned 
2022-02-03 09:50:03,259 fail2ban.filter         [32264]: INFO    [sshd] Found 161.132.96.90 - 2022-02-03 09:50:02 
2022-02-03 09:50:03,260 fail2ban.filter         [32264]: INFO    [sshd] Found 85.184.70.58 - 2022-02-03 09:50:03

Your iptables rules apply to destination port 22 only.

/etc/fail2ban/jail.conf has the following in it:


[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

As @arvidjaar said, and as you can see, the only port that is blocked is ssh or 22.

You need to modify jail.local (modify this and your changes will not get overwritten by updates) and I think you can simply add this code to the file:


[sshd]port = ##

Where ## is the port you are using.

That didn’t format correctly! Try:


[sshd]
port = ##

Where ## is the port you are using.

Hi, and thank you both for the help and for pointing me in the right direction. It was indeed the different port. I’m not sure if I also needed to add enabled=true, or reload, or restart; some steps might have been redundant, but this actually helped:

**server:~ #** cat /etc/fail2ban/jail.local 
# Do all your modifications to the jail's configuration in jail.local! 
[sshd] 
enabled = true 
port = 22222
**server:~ #** systemctl reload fail2ban
**server:~ #** systemctl restart fail2ban

Now it blocks correctly. I’d mark this thread as solved, but I don’t know how to do that. It looks like I cannot even edit the subject to add [solved].
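
The mismatch diagnosed in this thread (the jail's jump rule matches port 22 while sshd listens on 22222, so the REJECT rules keep 0 packet counters) can be checked mechanically. The following is an added example, not part of the original posts: `jail_covers_port` is a hypothetical helper name, and `SAMPLE` is constructed from the INPUT chain listing shown above.

```shell
#!/bin/sh
# Added example: does the fail2ban jump rule in INPUT cover the port sshd uses?
# stdin: text in `iptables -L INPUT -v -n` format
# $1: jail chain name (e.g. f2b-sshd), $2: port sshd listens on
# Prints "covered" or "not-covered"; exit status 0 or 1 respectively.
jail_covers_port() {
    chain=$1 port=$2
    awk -v chain="$chain" -v port="$port" '
        $3 == chain {                      # a rule whose target is the jail chain
            list = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "dports") list = $(i + 1)             # multiport dports 22,2222
                else if ($i ~ /^dpt:/) list = substr($i, 5)     # tcp dpt:22
            }
            if (list == "") { found = 1; next }  # no port match: rule sees all ports
            n = split(list, parts, ",")
            for (j = 1; j <= n; j++) {
                lo = hi = parts[j]
                if (split(parts[j], r, ":") == 2) { lo = r[1]; hi = r[2] }  # range lo:hi
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) found = 1
            }
        }
        END { print (found ? "covered" : "not-covered"); exit !found }
    '
}

# Constructed sample: the INPUT chain as posted in this thread (jail still on port 22).
SAMPLE='Chain INPUT (policy ACCEPT 939 packets, 116K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22'

# With sshd on 22222 the bans are recorded but never applied to SSH traffic.
printf '%s\n' "$SAMPLE" | jail_covers_port f2b-sshd 22222 ||
    echo "f2b-sshd is not reached by traffic to port 22222; set port = 22222 in jail.local"
```

On a live host, pipe `iptables -L INPUT -v -n` into the function and pass the port reported by `sshd -T` (the line starting with `port`).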