We've been having mysterious non-blockages of attacking sites, where the
site was banned in iptables by fail2ban
but was sliding through iptables and being ACCEPTed. The cause? At least
on CentOS 6, where this happens, the connection
tracking isn't working so hot. SO.... what we do is turn off connection
tracking for that IP, and then it all works as expected.

Perhaps our iptables setup is unusual... we have a rule right up front
that accepts packets if they are already in an existing session...

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

No use spending a lot of time running thru all sorts of checks for EVERY
PACKET that arrives, including stuff like voice data pouring in from
who-knows-where.

But, if the tracking system counts the initial packets as beginning a
session, then they will continue to get in via this rule, as appears to be
the case in CentOS6.
So, as part of the blocking action, we do this:

actionban = ipset -exist --create raw-preroute iphash
            ipset -exist --add raw-preroute <ip>
            iptables -n -t raw -L PREROUTING | grep -q raw-preroute ||
                iptables -t raw -I PREROUTING 1 -m set --match-set raw-preroute src -j NOTRACK
            ipset -exist --add fail2ban-<name> <ip>

actionunban = ipset -exist --del raw-preroute <ip>
              ipset -exist --del fail2ban-<name> <ip>

We use ipsets instead of chains... just in case the lists get long. Don't
want excessive delays in approving new connections. We define LOG-DROP
chains for IPs that are in the ipsets, so we can see the effectiveness of
the setup.

By setting NOTRACK on banned IPs, we can guarantee they will never pass
the state RELATED,ESTABLISHED test!

And, we no longer end up with blocked IPs that aren't ... blocked!

murf


On Wed, Jul 1, 2020 at 8:53 AM Yassine Chaouche <
[email protected]> wrote:

> From: Peter Heirich <maillist.fail2ban@ma...> - 2020-07-01 14:22:19
>
> try command
>
> sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "SELECT * FROM bans WHERE
> jail='recidive';"
>
> I don't have that file in /var/lib/. Also, I can't find any reference to
> sqlite or database in the config file.
>
> root@messagerie[10.10.10.19] /var # egrep -i '(sqlite|database)'
> /etc/fail2ban/fail2ban.conf
>
> Maybe my version of f2b is too old.
>
> Yassine.
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>


-- 

Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
✉  murf at parsetree dot com
☎ 307-899-0510
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
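A complete fail2ban action file built around the NOTRACK approach described in the message above. This is an added example, not the action Steve posted and not anything shipped with fail2ban. It assumes ipset 6 syntax (`create`/`add`/`del`, `hash:ip`), a chain name of `f2b-<name>-logdrop`, and a `position` tag that places the per-jail ban rule directly below a RELATED,ESTABLISHED accept at rule 1 of INPUT; the file path, the chain name and the `position` tag are my choices.

```ini
# /etc/fail2ban/action.d/iptables-ipset-notrack.conf  (added example; not shipped with fail2ban)
#
# Ban = add the IP to a per-jail ipset matched by a LOG+DROP chain, and to a
# shared "raw-preroute" ipset matched by a NOTRACK rule in the raw table.
# An untracked packet never gets a conntrack entry, so it can never satisfy an
# early "-m state --state RELATED,ESTABLISHED" accept rule, whatever conntrack
# thinks about the flow.

[Definition]

# Runs when the jail starts.  "-exist" makes set creation idempotent across
# restarts.  The raw-table NOTRACK rule is shared by every jail using this
# action, so it is only inserted if it is not already present (iptables -C is
# not available in CentOS 6's iptables 1.4.7, hence the -L | grep test).
actionstart = ipset -exist create raw-preroute hash:ip
              ipset -exist create fail2ban-<name> hash:ip
              iptables -n -t raw -L PREROUTING | grep -q 'match-set raw-preroute' ||
                  iptables -t raw -I PREROUTING 1 -m set --match-set raw-preroute src -j NOTRACK
              iptables -N f2b-<name>-logdrop
              iptables -A f2b-<name>-logdrop -j LOG --log-prefix "f2b-<name>-drop: "
              iptables -A f2b-<name>-logdrop -j DROP
              iptables -I <chain> <position> -m set --match-set fail2ban-<name> src -j f2b-<name>-logdrop

# Undo actionstart.  The rule referencing the set is removed before the set is
# destroyed (ipset refuses to destroy a set still referenced by a rule).
# raw-preroute is deliberately left alone: other jails may still be using it.
actionstop = iptables -D <chain> -m set --match-set fail2ban-<name> src -j f2b-<name>-logdrop
             iptables -F f2b-<name>-logdrop
             iptables -X f2b-<name>-logdrop
             ipset flush fail2ban-<name>
             ipset destroy fail2ban-<name>

# fail2ban runs this before a ban/unban; a non-zero exit makes it re-run
# actionstart, which recreates a set or rule that was lost (e.g. after an
# iptables restart).
actioncheck = ipset list fail2ban-<name> >/dev/null 2>&1 &&
              iptables -n -L <chain> | grep -q 'match-set fail2ban-<name>'

# -exist makes a repeated add, or a del of a non-member, a no-op instead of an
# error, so a double ban or unban cannot fail the action.
actionban = ipset -exist add raw-preroute <ip>
            ipset -exist add fail2ban-<name> <ip>

actionunban = ipset -exist del fail2ban-<name> <ip>
              ipset -exist del raw-preroute <ip>

[Init]

# Chain holding the per-jail ban rule, and the rule number it is inserted at.
# Position 2 assumes, as in the setup described in the message above, that
# rule 1 of INPUT is the RELATED,ESTABLISHED accept; the ban rule then sits just
# below the fast path rather than in front of it.
chain = INPUT
position = 2
```

Two design points worth knowing before using this. First, the NOTRACK rule is what lets the ban rule stay below the state rule: inserting the ipset match at rule 1 of INPUT would also stop the leak, but every packet, including the established voice traffic the message mentions, would then be tested against the set. Second, because raw-preroute is shared, an unban from one jail removes the NOTRACK entry even if another jail still has the same IP in its own set; that IP is then back to relying on conntrack until the remaining jail unbans it too. If that matters, use a per-jail raw set (raw-preroute-<name>) and a per-jail NOTRACK rule instead.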