fail2ban not correctly modifying the iptables effectively?Debugger for Iptablesiptables port forward forwardingFirewall still blocking port 53 despite listing otherwise?iptables allow http incoming connections, state NEW, ESTABLISHEDForward http traffic to another ip address with iptablesTrying to make iptables stateless is causing unforeseen filteringIptables port forwarding for specific host dd-wrt/tomatoTunnel windows VPN through SSHfail2ban running on CentOS 7 & getting “ssh connection refused”iptables outgoing default policy is accept, but some ports appear blockedLinux firewalld - I can hit port 4506, but my configuration shouldn't let me
simple conditions equation
How exactly does Hawking radiation decrease the mass of black holes?
What does the "ep" capability mean?
Critique of timeline aesthetic
A Strange Latex Symbol
How to have a sharp product image?
Why does nature favour the Laplacian?
Please, smoke with good manners
What is the strongest case that can be made in favour of the UK regaining some control over fishing policy after Brexit?
Pulling the rope with one hand is as heavy as with two hands?
Will a top journal at least read my introduction?
Why isn't the definition of absolute value applied when squaring a radical containing a variable?
Why was Germany not as successful as other Europeans in establishing overseas colonies?
Does this extra sentence in the description of the warlock's Eyes of the Rune Keeper eldritch invocation appear in any official reference?
Unexpected email from Yorkshire Bank
How to get a plain text file version of a CP/M .BAS (M-BASIC) program?
Sci-fi book: portals appear in London and send a failed artist towards a designated path where he operate a giant superweapon
Pass By Reference VS Pass by Value
How would one muzzle a full grown polar bear in the 13th century?
Binary Numbers Magic Trick
What's the polite way to say "I need to urinate"?
How do Bards prepare spells?
How can I change the color of a part of a line?
What is the incentive for curl to release the library for free?
fail2ban not correctly modifying the iptables effectively?
Debugger for Iptablesiptables port forward forwardingFirewall still blocking port 53 despite listing otherwise?iptables allow http incoming connections, state NEW, ESTABLISHEDForward http traffic to another ip address with iptablesTrying to make iptables stateless is causing unforeseen filteringIptables port forwarding for specific host dd-wrt/tomatoTunnel windows VPN through SSHfail2ban running on CentOS 7 & getting “ssh connection refused”iptables outgoing default policy is accept, but some ports appear blockedLinux firewalld - I can hit port 4506, but my configuration shouldn't let me
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I just installed fail2ban in NetinVM (a constellation of virtual machines inside a VM)
so far so good,
I install in a specific machine (10.5.1.13) where ssh is on 2222 (all on root)
From other machine (10.5.1.11) I repetitively ssh to that first one with wrong password.
fail2ban recognise the "attack" and said to ban the ip
fail2ban> status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 20
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 2
|- Total banned: 2
`- Banned IP list: 10.5.1.11
as I take a look into iptables:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- dmzb.example.net anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
this REJECT rule is added, and resolution of dmzb.emaple.net seems proper:
$ ping dmzb.example.net
PING dmzb.example.net (10.5.1.11) 56(84) bytes of data.
64 bytes from dmzb.example.net (10.5.1.11): icmp_seq=1 ttl=64 time=0.940 ms
and resolve the domain added into the iptables correctly to the "attacker" IP
nevertheless, I can still proceed with ssh trials from the "attacker" machine, getting the password request, and even entering if I put correct password.
update:
as suggested, tried
$ iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 10.5.1.11 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
ip seems the correct one, still, banning is not being applied.
linux ssh iptables linux-networking fail2ban
asked Apr 20 at 20:22
pGrnd2pGrnd2
52
add a comment |
I just installed fail2ban in NetinVM (a constellation of virtual machines inside a VM)
so far so good,
I install in a specific machine (10.5.1.13) where ssh is on 2222 (all on root)
From other machine (10.5.1.11) I repetitively ssh to that first one with wrong password.
fail2ban recognise the "attack" and said to ban the ip
fail2ban> status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 20
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 2
|- Total banned: 2
`- Banned IP list: 10.5.1.11
as I take a look into iptables:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- dmzb.example.net anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
this REJECT rule is added, and resolution of dmzb.emaple.net seems proper:
$ ping dmzb.example.net
PING dmzb.example.net (10.5.1.11) 56(84) bytes of data.
64 bytes from dmzb.example.net (10.5.1.11): icmp_seq=1 ttl=64 time=0.940 ms
and resolve the domain added into the iptables correctly to the "attacker" IP
nevertheless, I can still proceed with ssh trials from the "attacker" machine, getting the password request, and even entering if I put correct password.
update:
as suggested, tried
$ iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 10.5.1.11 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
ip seems the correct one, still, banning is not being applied.
linux ssh iptables linux-networking fail2ban
asked Apr 20 at 20:22
pGrnd2pGrnd2
52
I'll bet rDNS doesn't round-trip correctly. This is why you should always runiptables -L -n.
– womble♦
Apr 20 at 23:02
it seems to be not the case. 'iptables -L -n' shows the right IP to be banned, but it does not banned it in deed
– pGrnd2
Apr 20 at 23:58
Trace the packets through netfilter, that'll show what's going wrong.
– womble♦
Apr 21 at 1:29
Better look at ipset storage of fail2ban block list. In this case the iptables rule set won't be changed and all blocked ip addresses will be stored inside ipset list.
– Anton Danilov
Apr 21 at 8:51
thats the trick , as ssh port is manully setup to 2222, fail2ban does not recognize the port properly and it needs to be added manually on the jail.local file under the proper rule
– pGrnd2
Apr 21 at 9:32
add a comment |
I just installed fail2ban in NetinVM (a constellation of virtual machines inside a VM)
so far so good,
I install in a specific machine (10.5.1.13) where ssh is on 2222 (all on root)
From other machine (10.5.1.11) I repetitively ssh to that first one with wrong password.
fail2ban recognise the "attack" and said to ban the ip
fail2ban> status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 20
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 2
|- Total banned: 2
`- Banned IP list: 10.5.1.11
as I take a look into iptables:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- dmzb.example.net anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
this REJECT rule is added, and resolution of dmzb.emaple.net seems proper:
$ ping dmzb.example.net
PING dmzb.example.net (10.5.1.11) 56(84) bytes of data.
64 bytes from dmzb.example.net (10.5.1.11): icmp_seq=1 ttl=64 time=0.940 ms
and resolve the domain added into the iptables correctly to the "attacker" IP
nevertheless, I can still proceed with ssh trials from the "attacker" machine, getting the password request, and even entering if I put correct password.
update:
as suggested, tried
$ iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 10.5.1.11 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
ip seems the correct one, still, banning is not being applied.
linux ssh iptables linux-networking fail2ban
asked Apr 20 at 20:22
pGrnd2pGrnd2
52
I just installed fail2ban in NetinVM (a constellation of virtual machines inside a VM)
so far so good,
I install in a specific machine (10.5.1.13) where ssh is on 2222 (all on root)
From other machine (10.5.1.11) I repetitively ssh to that first one with wrong password.
fail2ban recognise the "attack" and said to ban the ip
fail2ban> status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 20
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 2
|- Total banned: 2
`- Banned IP list: 10.5.1.11
as I take a look into iptables:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- dmzb.example.net anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
this REJECT rule is added, and resolution of dmzb.emaple.net seems proper:
$ ping dmzb.example.net
PING dmzb.example.net (10.5.1.11) 56(84) bytes of data.
64 bytes from dmzb.example.net (10.5.1.11): icmp_seq=1 ttl=64 time=0.940 ms
and resolve the domain added into the iptables correctly to the "attacker" IP
nevertheless, I can still proceed with ssh trials from the "attacker" machine, getting the password request, and even entering if I put correct password.
update:
as suggested, tried
$ iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 10.5.1.11 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
ip seems the correct one, still, banning is not being applied.
linux ssh iptables linux-networking fail2ban
linux ssh iptables linux-networking fail2ban
asked Apr 20 at 20:22
pGrnd2pGrnd2
52
asked Apr 20 at 20:22
pGrnd2pGrnd2
52
edited Apr 21 at 0:00
pGrnd2
asked Apr 20 at 20:22
pGrnd2pGrnd2
52
asked Apr 20 at 20:22
pGrnd2pGrnd2
52
asked Apr 20 at 20:22
pGrnd2pGrnd2
52
52
I'll bet rDNS doesn't round-trip correctly. This is why you should always runiptables -L -n.
– womble♦
Apr 20 at 23:02
it seems to be not the case. 'iptables -L -n' shows the right IP to be banned, but it does not banned it in deed
– pGrnd2
Apr 20 at 23:58
Trace the packets through netfilter, that'll show what's going wrong.
– womble♦
Apr 21 at 1:29
Better look at ipset storage of fail2ban block list. In this case the iptables rule set won't be changed and all blocked ip addresses will be stored inside ipset list.
– Anton Danilov
Apr 21 at 8:51
thats the trick , as ssh port is manully setup to 2222, fail2ban does not recognize the port properly and it needs to be added manually on the jail.local file under the proper rule
– pGrnd2
Apr 21 at 9:32
add a comment |
I'll bet rDNS doesn't round-trip correctly. This is why you should always runiptables -L -n.
– womble♦
Apr 20 at 23:02
it seems to be not the case. 'iptables -L -n' shows the right IP to be banned, but it does not banned it in deed
– pGrnd2
Apr 20 at 23:58
Trace the packets through netfilter, that'll show what's going wrong.
– womble♦
Apr 21 at 1:29
Better look at ipset storage of fail2ban block list. In this case the iptables rule set won't be changed and all blocked ip addresses will be stored inside ipset list.
– Anton Danilov
Apr 21 at 8:51
thats the trick , as ssh port is manully setup to 2222, fail2ban does not recognize the port properly and it needs to be added manually on the jail.local file under the proper rule
– pGrnd2
Apr 21 at 9:32
I'll bet rDNS doesn't round-trip correctly. This is why you should always run
iptables -L -n.– womble♦
Apr 20 at 23:02
I'll bet rDNS doesn't round-trip correctly. This is why you should always run
iptables -L -n.– womble♦
Apr 20 at 23:02
it seems to be not the case. 'iptables -L -n' shows the right IP to be banned, but it does not banned it in deed
– pGrnd2
Apr 20 at 23:58
it seems to be not the case. 'iptables -L -n' shows the right IP to be banned, but it does not banned it in deed
– pGrnd2
Apr 20 at 23:58
Trace the packets through netfilter, that'll show what's going wrong.
– womble♦
Apr 21 at 1:29
Trace the packets through netfilter, that'll show what's going wrong.
– womble♦
Apr 21 at 1:29
Better look at ipset storage of fail2ban block list. In this case the iptables rule set won't be changed and all blocked ip addresses will be stored inside ipset list.
– Anton Danilov
Apr 21 at 8:51
Better look at ipset storage of fail2ban block list. In this case the iptables rule set won't be changed and all blocked ip addresses will be stored inside ipset list.
– Anton Danilov
Apr 21 at 8:51
thats the trick , as ssh port is manully setup to 2222, fail2ban does not recognize the port properly and it needs to be added manually on the jail.local file under the proper rule
– pGrnd2
Apr 21 at 9:32
thats the trick , as ssh port is manully setup to 2222, fail2ban does not recognize the port properly and it needs to be added manually on the jail.local file under the proper rule
– pGrnd2
Apr 21 at 9:32
add a comment |
1 Answer
1
active
oldest
votes
Inside your rule set you bind the fail2ban checking with port 22, but in the description you have written, that your ssh actually listens the port 2222. To check it start from iptables-save -c or iptables -L -n -v. Check the counters of the corresponded rules. Also, the tcpdump is also very helpful tool in your case.
answered Apr 21 at 8:59
Anton DanilovAnton Danilov
56125
1
thats the trick , as ssh port is manully setup to 2222, fail2ban does not recognize the port properly and it needs to be added manually on the jail.local file under the proper rule
– pGrnd2
Apr 21 at 9:33
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f963923%2ffail2ban-not-correctly-modifying-the-iptables-effectively%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Inside your rule set you bind the fail2ban checking with port 22, but in the description you have written, that your ssh actually listens the port 2222. To check it start from iptables-save -c or iptables -L -n -v. Check the counters of the corresponded rules. Also, the tcpdump is also very helpful tool in your case.
answered Apr 21 at 8:59
Anton DanilovAnton Danilov
56125
1
thats the trick , as ssh port is manully setup to 2222, fail2ban does not recognize the port properly and it needs to be added manually on the jail.local file under the proper rule
– pGrnd2
Apr 21 at 9:33
add a comment |
Inside your rule set you bind the fail2ban checking with port 22, but in the description you have written, that your ssh actually listens the port 2222. To check it start from iptables-save -c or iptables -L -n -v. Check the counters of the corresponded rules. Also, the tcpdump is also very helpful tool in your case.
answered Apr 21 at 8:59
Anton DanilovAnton Danilov
56125
1
thats the trick , as ssh port is manully setup to 2222, fail2ban does not recognize the port properly and it needs to be added manually on the jail.local file under the proper rule
– pGrnd2
Apr 21 at 9:33
add a comment |
Inside your rule set you bind the fail2ban checking with port 22, but in the description you have written, that your ssh actually listens the port 2222. To check it start from iptables-save -c or iptables -L -n -v. Check the counters of the corresponded rules. Also, the tcpdump is also very helpful tool in your case.
answered Apr 21 at 8:59
Anton DanilovAnton Danilov
56125
Inside your rule set you bind the fail2ban checking with port 22, but in the description you have written, that your ssh actually listens the port 2222. To check it start from iptables-save -c or iptables -L -n -v. Check the counters of the corresponded rules. Also, the tcpdump is also very helpful tool in your case.
answered Apr 21 at 8:59
Anton DanilovAnton Danilov
56125
answered Apr 21 at 8:59
Anton DanilovAnton Danilov
56125
answered Apr 21 at 8:59
Anton DanilovAnton Danilov
56125
answered Apr 21 at 8:59
Anton DanilovAnton Danilov
56125
56125
1
thats the trick , as ssh port is manully setup to 2222, fail2ban does not recognize the port properly and it needs to be added manually on the jail.local file under the proper rule
– pGrnd2
Apr 21 at 9:33
add a comment |
1
thats the trick , as ssh port is manully setup to 2222, fail2ban does not recognize the port properly and it needs to be added manually on the jail.local file under the proper rule
– pGrnd2
Apr 21 at 9:33
1
1
thats the trick , as ssh port is manully setup to 2222, fail2ban does not recognize the port properly and it needs to be added manually on the jail.local file under the proper rule
– pGrnd2
Apr 21 at 9:33
thats the trick , as ssh port is manully setup to 2222, fail2ban does not recognize the port properly and it needs to be added manually on the jail.local file under the proper rule
– pGrnd2
Apr 21 at 9:33
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f963923%2ffail2ban-not-correctly-modifying-the-iptables-effectively%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
I'll bet rDNS doesn't round-trip correctly. This is why you should always run
iptables -L -n.– womble♦
Apr 20 at 23:02
it seems to be not the case. 'iptables -L -n' shows the right IP to be banned, but it does not banned it in deed
– pGrnd2
Apr 20 at 23:58
Trace the packets through netfilter, that'll show what's going wrong.
– womble♦
Apr 21 at 1:29
Better look at ipset storage of fail2ban block list. In this case the iptables rule set won't be changed and all blocked ip addresses will be stored inside ipset list.
– Anton Danilov
Apr 21 at 8:51
thats the trick , as ssh port is manully setup to 2222, fail2ban does not recognize the port properly and it needs to be added manually on the jail.local file under the proper rule
– pGrnd2
Apr 21 at 9:32