hanj (Veteran; Joined: 19 Aug 2003; Posts: 1500)
Posted: Sat Aug 11, 2007 6:59 pm
Post subject: fail2ban not applying port/protocol to iptables [SOLVED]
Hello
I've been playing around with fail2ban this morning, and I like it. They did a great job over the last versions! I'm running across a problem, though: it doesn't appear that the iptables rule created is using the port and protocol values in jail.conf.
For example.. I have this in jail.conf:
Code:
[spam]
enabled  = true
filter   = spam
action   = iptables[name=SPAM, port=25, protocol=tcp]
           mail-whois[name=SPAM, dest=abuse@comp.com]
logpath  = /var/log/mail.log
ignoreip = 127.0.0.1 xxx.xxx.xxx.xxx
maxretry = 2
I tried port=25 as well as port=smtp, and the results are the same. When looking at what is created in iptables, I see the following:
Code:
Chain fail2ban-SPAM (1 references)
target     prot opt source           destination
DROP       all  --  xxx.126.1.68     0.0.0.0/0
DROP       all  --  xxx.88.229.7     0.0.0.0/0
DROP       all  --  xxx.4.23.37      0.0.0.0/0
RETURN     all  --  0.0.0.0/0        0.0.0.0/0
This isn't correct, since it's going to DROP all traffic to any port from the violating IP. That's not what I want; I just want to drop 25. It should look like this:
Code:
Chain fail2ban-SPAM (1 references)
target     prot opt source           destination
DROP       tcp  --  xxx.126.1.68     0.0.0.0/0        tcp dpt:25
DROP       tcp  --  xxx.88.229.7     0.0.0.0/0        tcp dpt:25
DROP       tcp  --  xxx.4.23.37      0.0.0.0/0        tcp dpt:25
RETURN     all  --  0.0.0.0/0        0.0.0.0/0
Anyone know what I'm doing wrong? Here is my version:
Code:
net-analyzer/fail2ban-0.8.0-r1
Thanks!
hanji
--
Server Admin Blog - Uno-Code.com
Last edited by hanj on Sat Aug 11, 2007 7:23 pm; edited 1 time in total
hanj
Posted: Sat Aug 11, 2007 7:22 pm
I figured this out.
Edit /etc/fail2ban/actions/iptables.conf
Change:
Code:
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
To:
Code:
actionban = iptables -I fail2ban-<name> 1 -s <ip> -p <protocol> --dport <port> -j DROP
Now I see:
Code:
Chain fail2ban-SPAM (1 references)
target     prot opt source           destination
DROP       tcp  --  xxx.33.231.104   0.0.0.0/0        tcp dpt:25
DROP       tcp  --  xxx.237.113.8    0.0.0.0/0        tcp dpt:25
DROP       tcp  --  xxx.19.193.194   0.0.0.0/0        tcp dpt:25
DROP       tcp  --  xxx.36.147.159   0.0.0.0/0        tcp dpt:25
RETURN     all  --  0.0.0.0/0        0.0.0.0/0
HTH
hanji
--
Server Admin Blog - Uno-Code.com
hanj
Posted: Sat Aug 11, 2007 7:52 pm
You'll need to change the actionunban as well:
FROM:
Code:
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
TO:
Code:
actionunban = iptables -D fail2ban-<name> -s <ip> -p <protocol> --dport <port> -j DROP
hanji
--
Server Admin Blog - Uno-Code.com
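Added example, not code from the thread or from fail2ban: a POSIX shell script that renders the actionban/actionunban lines quoted in the two posts above the way fail2ban fills in its <name>, <ip>, <protocol> and <port> tags, and then checks the point of the last post, that the unban must mirror the ban. iptables -D only deletes a rule whose match specification is identical, so a rule inserted with "-p tcp --dport 25" cannot be removed by an unban that omits them, and the address stays blocked after bantime expires. The chain logic below is an in-memory simulation of the fail2ban-SPAM chain, not iptables, and 203.0.113.7 is a constructed documentation-range address. For context: in the stock 0.8 iptables action the port and protocol tags are consumed by the actionstart rule that jumps from INPUT into fail2ban-<name>; the edit in this thread additionally puts them on every per-IP rule, which is why both the ban and the unban line have to change together.

```shell
#!/bin/sh
# Added example (not from the thread or from fail2ban). Renders the action
# templates quoted in the posts and checks that actionunban deletes exactly
# the rule actionban inserted.

# Templates from the posts: OLD_* as shipped, NEW_* as modified by hanj.
OLD_BAN='iptables -I fail2ban-<name> 1 -s <ip> -j DROP'
OLD_UNBAN='iptables -D fail2ban-<name> -s <ip> -j DROP'
NEW_BAN='iptables -I fail2ban-<name> 1 -s <ip> -p <protocol> --dport <port> -j DROP'
NEW_UNBAN='iptables -D fail2ban-<name> -s <ip> -p <protocol> --dport <port> -j DROP'

# render TEMPLATE NAME IP PROTOCOL PORT: substitute the action tags.
render() {
    printf '%s\n' "$1" | sed -e "s|<name>|$2|g" -e "s|<ip>|$3|g" \
                             -e "s|<protocol>|$4|g" -e "s|<port>|$5|g"
}

# rulespec CMD: strip the iptables verb, chain and optional insert position,
# leaving the match/target part, which is what iptables -D compares against.
rulespec() {
    printf '%s\n' "$1" | sed -E 's/^iptables -[IDA] [^ ]+( [0-9]+)? //'
}

# symmetric BAN_TEMPLATE UNBAN_TEMPLATE: succeeds when the rendered unban
# names exactly the rule the rendered ban inserted (constructed IP 203.0.113.7).
symmetric() {
    b=$(rulespec "$(render "$1" SPAM 203.0.113.7 tcp 25)")
    u=$(rulespec "$(render "$2" SPAM 203.0.113.7 tcp 25)")
    [ "$b" = "$u" ]
}

# Minimal in-memory stand-in for the fail2ban-SPAM chain (a simulation, not
# iptables): CHAIN holds one rule spec per line. -I prepends; -D removes the
# first identical spec and fails when there is none, as iptables does.
CHAIN=''
apply() {
    spec=$(rulespec "$1")
    case "$1" in
        "iptables -I "*) CHAIN=$(printf '%s\n%s' "$spec" "$CHAIN") ;;
        "iptables -D "*)
            printf '%s\n' "$CHAIN" | grep -Fxq -- "$spec" || return 1
            CHAIN=$(printf '%s\n' "$CHAIN" |
                    awk -v s="$spec" '!done && $0 == s { done = 1; next } { print }')
            ;;
        *) return 2 ;;
    esac
}

# banned IP: succeeds if some rule in CHAIN matches packets from IP.
banned() {
    printf '%s\n' "$CHAIN" | grep -Fq -- "-s $1 "
}

# Walk through the mismatch: ban with the new template, try the old unban.
demo() {
    CHAIN=''
    apply "$(render "$NEW_BAN" SPAM 203.0.113.7 tcp 25)"
    if apply "$(render "$OLD_UNBAN" SPAM 203.0.113.7 tcp 25)"; then
        echo "unexpected: old actionunban removed the new rule"
    else
        echo "old actionunban does not match new actionban; 203.0.113.7 stays banned"
    fi
    apply "$(render "$NEW_UNBAN" SPAM 203.0.113.7 tcp 25)" &&
        echo "matching actionunban removed the rule"
}

demo
```

Run it with sh. The same check on a live box is to watch `iptables -L fail2ban-SPAM -n` after a ban's bantime has passed: if the rule is still listed, the unban's match specification differs from the ban's, and the failed `iptables -D` will also show up as an error in fail2ban's log.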