Fail2ban says already banned an ip but the ip can still visit webserver #2545
Comments
So you use ufw banning action...
Also see similar 3rd party issues with the above-mentioned problem, like #1609 etc. So you could:
I got a few free minutes to take a closer look at your iptables - here is a short summarized excerpt (highlighted as diff here to colorize the issue, resp. to emphasize the bothering place):

```diff
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
...
+3603K 4801M ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
...
Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
...
-1514K 2353M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
...
+3502  204K ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
...
+    0     0 REJECT     all  --  *      *       118.24.193.122       0.0.0.0/0            reject-with icmp-port-unreachable
...
     2    80 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8686
    21  1282 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    13   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
```

So your
I'm not so familiar with ufw (or rather don't know the exact reason for this constellation), but it would definitely accept already established connections - so a keep-alive connection is bypassed by this rule before it could be rejected by the following rules.
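The ordering problem described above, as an added example that is not part of this issue: a small checker (my own code, not fail2ban's or ufw's) that parses `iptables -L -n -v` output, flattens the INPUT traversal through jumped-to chains, and flags single-source REJECT/DROP rules that a packet only reaches after a catch-all `ctstate RELATED,ESTABLISHED` ACCEPT. The sample listing is constructed from the excerpt above, and `parse_chains`, `walk` and `shadowed_bans` are names I chose.

```python
# Constructed sample modelled on the excerpt above (abridged; not the reporter's full dump).
UFW_SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
3603K 4801M ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
1514K 2353M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 3502  204K ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       118.24.193.122       0.0.0.0/0            reject-with icmp-port-unreachable
"""

def parse_chains(text):
    """Map chain name -> ordered rules (target, proto, source, trailing match text)."""
    chains, current = {}, None
    for line in text.splitlines():
        f = line.split()
        if f[:1] == ["Chain"]:
            current = f[1]
            chains[current] = []
        elif current and len(f) >= 9 and f[0] != "pkts":  # skips blank and header lines
            chains[current].append({"target": f[2], "proto": f[3],
                                    "source": f[7], "extra": " ".join(f[9:])})
    return chains

def walk(chains, chain="INPUT", seen=()):
    """Yield rules in evaluation order; jumps to user chains are inlined, RETURN resumes in the caller."""
    for rule in chains.get(chain, []):
        if rule["target"] in chains and rule["target"] not in seen:
            yield from walk(chains, rule["target"], seen + (chain,))
        else:
            yield rule

def shadowed_bans(chains):
    """Sources whose only REJECT/DROP sits behind an unconditional RELATED,ESTABLISHED ACCEPT."""
    findings, accept_seen, banned_first = [], False, set()
    for rule in walk(chains):
        is_ban = rule["target"] in ("REJECT", "DROP") and rule["source"] != "0.0.0.0/0"
        if (rule["target"] == "ACCEPT" and rule["proto"] == "all"
                and rule["source"] == "0.0.0.0/0" and "RELATED,ESTABLISHED" in rule["extra"]):
            accept_seen = True
        elif is_ban and not accept_seen:
            banned_first.add(rule["source"])   # ban evaluated before the ACCEPT: effective
        elif is_ban and rule["source"] not in banned_first:
            findings.append(rule["source"])    # reached only after the ACCEPT: shadowed
    return findings
```

Run against a live dump with `shadowed_bans(parse_chains(open("iptables.txt").read()))`; an empty list means every ban rule is evaluated before established traffic is accepted.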
Thank you so much! I used ufw as banaction because it looks easy to learn... so it was the first time using ufw because of fail2ban.
Environment:
The issue:
Some IPs are already banned by fail2ban, but can still visit my caddy server, and the caddy log records the annoying "no such site" messages from the same IPs.
Steps to reproduce
Expected behavior
Caddy log should not record so many bad IPs; otherwise fail2ban may not be working.
Observed behavior
Caddy log records too many of the same annoying IPs.
Any additional information
I googled very hard but I can't find what caused this; many said maybe the fail2ban chains are not correctly linked to the iptables chain. But I checked and can't find the problem.
Configuration, dump and other helpful excerpts
fail2ban configuration
/etc/fail2ban/filter.d/caddy.conf:
/etc/fail2ban/jail.local:
output of iptables -L -n -v:
output of ufw status:
output of fail2ban-client status caddy:
Relevant parts of /var/log/fail2ban.log file:
Relevant lines from monitored log files in question:
/var/log/syslog: