Debian 12 - IP is banned (f2b log) but not blocked #3583
-
See the answer to the 2nd question in the wiki: FAQ... I have nothing to add here right now, except possibly: either wrong/missing port in jail (other as
-
Hi and thanks for your response! Maybe there is an error generating the rule (action)? I tried and added / blocked manually -> firewall-cmd --add-rich-rule='rule family=ipv4 source address=47.108.92. ** reject' --permanent and this boring idiot was blocked immediately. The log stopped, no more connects from this IP?! Afterwards I tested and changed from banaction firewall-cmd to nftables. This works. So it seems that maybe some error in the regarding action?
-
YES. I switched to nftables. I used because many said that it is more performant if you have big tables of blocked IPs.
Neither I. Too old to switch and really prefer / love iptables ;)))) Thanks for your help. Simply will stay without this firewalld! Never change a working system. Cheers Walhalla
-
Hi,
F2B seems to work properly. I can see that it finds bad logins and bans it (example FTP here):
fail2ban.log ->
...
2023-09-26 23:04:11,854 fail2ban.filter [1688703]: INFO [proftpd] Found 47.108.92. ** - 2023-09-26 23:04:11
2023-09-26 23:04:16,079 fail2ban.filter [1688703]: INFO [proftpd] Found 47.108.92. ** - 2023-09-26 23:04:16
2023-09-26 23:04:20,011 fail2ban.filter [1688703]: INFO [proftpd] Found 47.108.92. ** - 2023-09-26 23:04:20
2023-09-26 23:04:20,805 fail2ban.actions [1688703]: WARNING [proftpd] 47.108.92. ** already banned
I was wondering why it finds this IP again and again if it is banned? So I looked at firewalld:
Direct IPv4 47.108.92. ** Input Reject ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -m set --match-set f2b-proftpd src -j REJECT --reject-with icmp-port-unreachable
and (ipset list) ->
Name: f2b-proftpd
Type: hash:ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 timeout 0 bucketsize 12 initval 0x7c780ec4
Size in memory: 264
References: 1
Number of entries: 1
Members:
47.108.92. ** timeout 0
So, this IP should be blocked - but I still can see logins every second (proftp.log) ->
...
2023-09-26 23:09:20,381 proftpd[1711663] 0.0.0.0 (47.108.92. **[47.108.92. **]): USER root (Login failed): Incorrect password
2023-09-26 23:09:25,248 proftpd[1711664] 0.0.0.0 (47.108.92. **[47.108.92. **]): USER root (Login failed): Incorrect password
2023-09-26 23:09:29,123 proftpd[1711665] 0.0.0.0 (47.108.92. **[47.108.92. **]): USER root (Login failed): Incorrect password
...
banaction is ->
[DEFAULT]
banaction = firewallcmd-ipset
So, this IP was detected, banned, blocked -> but still can try to login (brute & force)?
What is going wrong? Fresh installed Debian 12 (bookworm) all packages up to date.
Thanks for any hint / tip / or even better: solution ;)
Walhalla
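The check the original post does by eye, as an added example (not code from this thread or from fail2ban): replay fail2ban.log and the proftpd log together and count failed logins that are logged while the jail still holds the IP as banned. The function name, the 5-second grace period and the sample lines with documentation IPs are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

F2B_RE = re.compile(  # fail2ban.actions lines that change or confirm ban state
    r"^(?P<ts>\S+ \S+)\s+fail2ban\.actions\s+\[\d+\]:\s+\w+\s+\[(?P<jail>[^\]]+)\]\s+"
    r"(?:(?P<verb>Restore Ban|Ban|Unban)\s+(?P<ip>\S+)|(?P<ip2>\S+) already banned)")
FTP_RE = re.compile(  # proftpd failed logins; client IP is inside the brackets
    r"^(?P<ts>\S+ \S+)\s+proftpd\[\d+\]\s+\S+\s+\(\S*?\[(?P<ip>[^\]]+)\]\):.*Login failed")

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")

def banned_but_reaching(f2b_lines, ftp_lines, jail, grace=timedelta(seconds=5)):
    """Return {ip: count} of failed logins logged while fail2ban held the IP banned."""
    events = []
    for line in f2b_lines:
        m = F2B_RE.match(line)
        if m and m["jail"] == jail:
            kind = "unban" if m["verb"] == "Unban" else "ban"
            events.append((_ts(m["ts"]), kind, m["ip"] or m["ip2"]))
    for line in ftp_lines:
        m = FTP_RE.match(line)
        if m:
            events.append((_ts(m["ts"]), "fail", m["ip"]))
    banned_since, hits = {}, {}
    for ts, kind, ip in sorted(events):  # replay both logs in time order
        if kind == "ban":
            banned_since.setdefault(ip, ts)  # "already banned" keeps the earliest time
        elif kind == "unban":
            banned_since.pop(ip, None)
        elif ip in banned_since and ts > banned_since[ip] + grace:
            hits[ip] = hits.get(ip, 0) + 1   # login attempt got past the ban action
    return hits

# Constructed sample lines in the log formats quoted in the post (documentation IPs).
F2B_SAMPLE = """\
2023-09-26 23:00:00,000 fail2ban.actions [1688703]: NOTICE [proftpd] Ban 198.51.100.9
2023-09-26 23:04:20,805 fail2ban.actions [1688703]: WARNING [proftpd] 203.0.113.7 already banned
2023-09-26 23:05:00,000 fail2ban.actions [1688703]: NOTICE [proftpd] Unban 198.51.100.9
""".splitlines()
FTP_SAMPLE = """\
2023-09-26 23:00:02,100 proftpd[1711660] 0.0.0.0 (198.51.100.9[198.51.100.9]): USER root (Login failed): Incorrect password
2023-09-26 23:09:20,381 proftpd[1711663] 0.0.0.0 (203.0.113.7[203.0.113.7]): USER root (Login failed): Incorrect password
2023-09-26 23:09:25,248 proftpd[1711664] 0.0.0.0 (203.0.113.7[203.0.113.7]): USER root (Login failed): Incorrect password
2023-09-26 23:09:29,123 proftpd[1711665] 0.0.0.0 (203.0.113.7[203.0.113.7]): USER root (Login failed): Incorrect password
2023-09-26 23:09:30,000 proftpd[1711666] 0.0.0.0 (198.51.100.9[198.51.100.9]): USER root (Login failed): Incorrect password
""".splitlines()
if __name__ == "__main__":
    print(banned_but_reaching(F2B_SAMPLE, FTP_SAMPLE, "proftpd"))
```

A non-empty result means the ban was recorded but the ban action is not stopping traffic, which is the symptom this thread describes.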