I have Fail2Ban running on my CentOS server. In my /var/log/messages I noticed something really weird:

I configured Fail2Ban to add the banned IP to iptables so they cannot reach my server anymore.
My jail.conf:
```ini
[postfix]
enabled = true
filter = postfix
action = iptables
port = smtp,ssmtp
filter = postfix
logpath = /var/log/maillog
bantime = 43200
maxretry = 2
```
My postfix.conf:
```ini
[INCLUDES]
before = common.conf

[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
            reject: RCPT from (.*)\[<HOST>\]: (.*)@yahoo.com.tw
ignoreregex =
```
So how can anybody that has already been blocked in iptables still connect to the server?
Fail2ban only blocks over TCP by default. At least with my setup, I noticed the “already banned” message was appearing when bots came back to try the blocked port over UDP instead.
To fix this issue, tell Fail2ban to block the port over all protocols instead of just TCP. You will need to make this change in /etc/fail2ban/jail.conf and in the [Init] section of every action you are using at /etc/fail2ban/action.d/.
Change this:
```ini
# Default protocol
protocol = tcp
```
To:
```ini
# Default protocol
protocol = all
```
In my case it was in /etc/fail2ban/action.d/firewallcmd-common.conf
Next, I disabled ICMP echo requests so blocked IPs had no way of hitting the server:
- nano /etc/sysctl.conf
- Add these two lines:

  ```
  net.ipv4.icmp_echo_ignore_all = 1
  net.ipv4.icmp_echo_ignore_broadcasts = 1
  ```

- Exit and save the file.
- Run sysctl -p for the change to take effect.
After that, run fail2ban-client reload and you should not see these “already banned” messages any more, unless you are spammed by an IP that gets a couple of access attempts in before the block takes effect.
Also, it’s important to block all ports for every offender, rather than only the port they were trying to access, by using the action iptables-allports in each of the Jails. Otherwise, they may trigger another Jail and end up as “already banned” in the logs.
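As an added illustration that is not part of either post: a short Python replay of the postfix filter and jail settings quoted in the question. It expands `<HOST>` with a simplified stand-in for fail2ban's real token (an assumption), counts matching lines per host against maxretry = 2, and records the lines a banned host keeps producing, which is the situation behind the “already banned” log entries. The maillog lines are constructed.

```python
import re
from collections import Counter

FAILREGEX = [  # the failregex lines from the postfix.conf filter quoted above
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: (.*)@yahoo.com.tw",
]
MAXRETRY = 2  # maxretry from the jail.conf above
# Simplified stand-in for fail2ban's <HOST> expansion (assumption; covers IPv4 and hostnames)
HOST_RE = r"(?P<host>[\w\-.]+)"

def compile_failregex(patterns):
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def match_host(line, compiled):
    """Return the <HOST> captured by the first matching failregex, else None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def simulate_jail(log_lines, patterns=FAILREGEX, maxretry=MAXRETRY):
    """Replay lines in order like a jail (findtime ignored). Returns (banned, already_banned):
    hosts banned on hitting maxretry, and a Counter of later matches from banned hosts."""
    compiled = compile_failregex(patterns)
    failures, banned, already_banned = Counter(), [], Counter()
    for line in log_lines:
        host = match_host(line, compiled)
        if host is None:
            continue  # line does not match any failregex
        if host in banned:
            already_banned[host] += 1  # sender still reached postfix after the ban
        else:
            failures[host] += 1
            if failures[host] >= maxretry:
                banned.append(host)
    return banned, already_banned

# Constructed sample maillog lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    "Jan 10 10:00:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown",
    "Jan 10 10:00:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.1 <bad.example>: Helo command rejected: Host not found",
    "Jan 10 10:00:07 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 450 4.1.8 <x@yahoo.com.tw>: Sender address rejected",
    "Jan 10 10:00:09 mx postfix/smtpd[1237]: connect from good.example.com[192.0.2.20]",
    "Jan 10 10:00:11 mx postfix/smtpd[1238]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <spam@example.org>: Relay access denied",
]
```

Running `simulate_jail(SAMPLE_LOG)` bans 203.0.113.5 after its second matching line and counts the fifth line as an “already banned” hit, i.e. a sender whose connection still reached postfix after the iptables ban should have stopped it.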