I've always gone with the philosophy that, if you're using shorewall to manage your firewall, then fail2ban should use shorewall as its actions. Similarly, if you use pfsense, then you tell pfsense that fail2ban would like it to block an IP address. fail2ban isn't a firewall; it works in conjunction with whatever firewall you're using.
In that vein, ipsets aren't the answer; they're just a different way of avoiding configuring your system properly.

On 26/11/2018 19:55, Bill Shirley wrote:
> What action are you using for the jail? Shorewall start/restart loads the entire iptables,
> which will clobber fail2ban's entries.
>
> I use an action that stores the offending IP address in an ipset so that the shorewall restart
> command doesn't wipe it.
>
> [0:root@bb8 fail2ban]$ rpm -q fail2ban-server
> fail2ban-server-0.10.2-1.fc27.noarch
>
> /etc/fail2ban/action.d/my_ipset_ip.conf:
> # from iptables-ipset-proto6.conf
>
> [INCLUDES]
> #before = iptables-blocktype.conf
> before = iptables-common.conf
>
> #systemd unit file has stdout and stderr overrides
>
> [Definition]
> actioncheck =
> actionstart =
> # actionflush was missing
> actionflush =
> actionstop =
>
> actionban = ipset -exist add fail2ban-<sfx_name> <ip> timeout <my_timeout>
>
> #actionunban = ipset -exist del fail2ban-<sfx_name> <ip>
> actionunban =
>
> [Init]
> my_timeout = 3600
> suffix = ip
>
> sfx_name = IPv4-<suffix>
> familyopt =
>
> [Init?family=inet6]
> sfx_name = IPv6-<suffix>
> familyopt = <sp>family inet6
>
> /etc/shorewall/init:
> ipset -exist create fail2ban-IPv4-ip hash:ip timeout 86400
>
> /etc/shorewall/rules:
> ?COMMENT flagged by fail2ban
> DROP inet:+fail2ban-IPv4-ip[src] fw
>
>
> Bill
>
> On 11/26/2018 3:44 AM, Koenraad Lelong wrote:
>> Hi,
>>
>> I'm trying to harden a web server. In the log files from apache I see a number of attempts
>> to get non-existent php files, so I used apache-noscript to try to block the offending
>> IP address. The filter fires, but the firewall does not block the IP address. In fail2ban's
>> log file I see a number of "already banned" messages for that IP address. I suspect the
>> offender uses a persistent HTTP connection. How can I block this attack?
>>
>> B.T.W. I'm using shorewall as a firewall. I already modified its main config file to:
>> BLACKLIST="INVALID,UNTRACKED" (i.e. I removed the NEW keyword).
>> I did this because the standard config didn't work either.
>>
>> P.S. Fail2ban version is 0.9.3
>>
>> TIA,
>>
>> Koenraad
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
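The approach argued for in the reply above (let Shorewall do the blocking rather than maintaining ipsets or iptables entries behind its back) as a concrete fail2ban action. This is an added example for this thread, not fail2ban's shipped `shorewall.conf` action nor anything Bill or Koenraad posted. The file name `shorewall-drop.conf` and the `shorewall_cmd` tag are my own choices; it assumes Shorewall 4.5 or later with `DYNAMIC_BLACKLIST=Yes` (the default), fail2ban 0.9 or 0.10, and, for the keep-alive case Koenraad describes, `BLACKLIST="ALL"` in `shorewall.conf`, because the default `BLACKLIST="NEW,INVALID,UNTRACKED"` only applies the blacklist to packets in those conntrack states, so a connection that was already ESTABLISHED when the ban landed keeps flowing.

```ini
# /etc/fail2ban/action.d/shorewall-drop.conf   (hypothetical file name)
#
# Added example for this thread, not fail2ban's or Shorewall's own code.
# Bans are handed to Shorewall's dynamic blacklist ("shorewall drop" /
# "shorewall allow") instead of fail2ban writing iptables rules or ipsets
# of its own, so a "shorewall restart" is not wiping out rules that
# Shorewall never knew about.
#
# Assumptions (not from the thread):
#   - Shorewall 4.5+ with DYNAMIC_BLACKLIST=Yes (the default).
#   - /etc/shorewall/shorewall.conf has
#         BLACKLIST="ALL"
#     The default "NEW,INVALID,UNTRACKED" consults the blacklist only for
#     packets in those conntrack states, so an HTTP keep-alive connection
#     that was ESTABLISHED before the ban is never checked; removing NEW
#     from that list narrows it further rather than widening it.
#     If you prefer to keep the default, the alternative is to flush the
#     offender's conntrack entries in actionban (needs conntrack-tools):
#         conntrack -D -s <ip> >/dev/null 2>&1 || true
#     so its next packet is NEW again and hits the blacklist.
#   - IPv6 is handled by the separate shorewall6 command (see [Init?family=inet6]).

[Definition]

# Shorewall creates and owns the dynamic chain; there is nothing for
# fail2ban to set up or tear down.
actionstart =
actionstop =

# fail2ban runs this before every ban and re-runs actionstart when it
# fails. "shorewall status" exits non-zero while Shorewall is stopped,
# which is the one condition under which banning cannot work.
actioncheck = <shorewall_cmd> status >/dev/null

# Add the address to the dynamic blacklist.
actionban = <shorewall_cmd> drop <ip>

# Remove it again when bantime expires. Keep this defined: when the
# firewall and fail2ban disagree about who is banned, the symptom is a
# stream of "already banned" log lines with no packets actually dropped.
actionunban = <shorewall_cmd> allow <ip>

[Init]

# Custom tag (my name, not a fail2ban built-in) so the IPv6 variant only
# has to swap the binary.
shorewall_cmd = shorewall

[Init?family=inet6]

# fail2ban 0.10 instantiates the action once per address family.
shorewall_cmd = shorewall6
```

Select it per jail with `banaction = shorewall-drop` in `jail.local`, then confirm both halves agree: `fail2ban-client status apache-noscript` lists what fail2ban thinks is banned and `shorewall show dynamic` lists what the firewall is actually dropping. The same disagreement can be produced by Bill's ipset action: it has no `actionunban` and relies on the ipset `timeout`, so `my_timeout` must match the jail's `bantime`, otherwise the set forgets an address while fail2ban still holds it and logs "already banned" on every new hit.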
