-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fail2ban with firewalld fails to ban established traffic #1609
Comments
There's possible (I suspect), that there is something wrong with your basic firewalld (resp. iptables) configuration? I can be wrong, but... BTW. Just to reference with #1474. |
Thank you very much for your comment. |
@fail2ban/maintainers any idea? |
FWIW As a workaround I guess you could just use iptables action for now (instead of kosher firewalld ) which should insert it first in the input chain. |
Thank you @yarikoptic. Indeed falling back to iptables-ipset-proto6 default banaction does the job perfectly. I need to dig further the consequences of having firewalld and fail2ban administrating iptables at the same time. I believe that as long as firewalld rules are not modified (which is the case on a regular server) then it should not overlap or erase fail2ban rules. This needs to be further investigated though. |
I see the same behaviour on our Centos 7 boxen. Kickstarted, some services activated and fail2ban deployed via Ansible:
EDIT: an Ansible script was setting the "firewalld-ipset" banaction. Disregard my comment. |
Here is the problem: |
Thus closed as 3rd party issue. |
I dealt with this problem years ago, and thought you may find this useful. Additionally, this script can be used to terminate both sides of the conversation if spawned in the background at ban time:
|
@AndyLeeRobinson Thanks so much for this How can I debug this and find out why it's not working? Can I provide you with log entries, and if so, what? This script is definitely required because spammers listed in a DNSBL or trying to brute-force SMTP AUTH can be rejected dozens or hundreds of times without the connection being severed, so even though fail2ban is trying to ban them, it's not helping... so I'm trying to find how to properly sever the connection. Your script seems like the solution but I'm having trouble making it work. Thanks! |
Just for reference: I experience the same issue as in this thread, but I use the fail2ban iptables rules, not firewalld. That is, existing connections (most particularly for sendmail, using iptables-multiport) will get banned but not dropped. I attempted to use @AndyLeeRobinson's "tcpcut" script but it doesn't seem to have any effect. This is particularly seen when a spammer connects from an IP that is in a DNSBL and tries to issue many (dozens) of RCPT commands... each RCPT command issues a rejection from sendmail (since the IP is on a blocklist), and sendmail-reject will ban the IP after 3 attempts, but will not disconnect the IP... so it keeps trying and f2b keeps issuing "already banned" warnings. Thus, a method of cutting the connection outside of sendmail is needed. (Sendmail is behaving "appropriately" in this case, it's not a bug in sendmail.) |
Then you have not exactly the same issue. Either you have some net-filter problems (e. g. delaying or ignoring reject connections or something similar) or your iptables rules contain some allowing rules (white-listing for established connections) before INPUT chain or before rules of fail2ban there. |
Hello,
Environment:
Activated nginx-http-auth plugin with default config.
The issue:
I have installed firewalld 0.4.4.1 on Fedora 24 with Fail2ban 0.9.5.
I have enabled jail nginx-http-auth, and firewallcmd-ipset as default ban action.
IPs are correctly added to the ipset but it does not ban established connections.
Looking at iptables the issue is quiet obvious:
The ban rule is inserted within the INPUT_direct chain after the accept target for all established traffic.
The expected behaviour is to ban established connection by default and leave the user the option to not ban established connections if he/she does not want to.
What default ban action would you recommend to mitigate this bug until the issue is fixed with firewalld ?
Thank you very much in advance for your help here,
Cheers.
The text was updated successfully, but these errors were encountered: