Fail2ban not adding rules to Iptables
by aboka from LinuxQuestions.org on (#556WG)
Hi, I'm using Ubuntu 20.04 LTS with the latest Fail2ban (not sure why it says command not found when I try to find its version with 'fail2ban -V').
All is working, so I'm thinking of learning to harden the security by adding more jails by following the links below. I managed to add a few and confirmed they have been added, as it shows the extra jail when I run 'sudo fail2ban-client status'.
But the thing is, the new jail is not shown inside my iptables when I run 'sudo iptables -S'. The only one noticeable is 'f2b-sshd', installed by default together with Fail2ban. According to the article, it should list this (notice there is no 443, as I have taken that out from the jail because 443 is used by another program):
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-nginx-noproxy
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-nginx-badbots
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-nginx-noscript
Is it because my current iptables rules (port 80?) are conflicting with them? And how could we fix it?
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i tap+ -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.7.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A f2b-sshd -s 104.248.130.10/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 103.242.56.174/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
https://www.digitalocean.com/communi...n-ubuntu-14-04
P.S. - I just went through the article again before submitting, and noticed this is also missing at the top of my iptables:
-N fail2ban-nginx-badbots
-N fail2ban-nginx-noproxy
-N fail2ban-nginx-noscript
P.P.S. - or is it because there's no ban yet? If that's true, what's the easiest way to test and confirm they work?
Thank you,
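A small audit script, added here as an example and not part of the post, that cross-checks the jail list from `fail2ban-client status` against `iptables -S` for the `f2b-<jail>` chain and the INPUT jump rule that fail2ban's iptables-multiport action creates when a jail starts (not on the first ban), so a jail that is listed but has no chain points at a failed or non-iptables action rather than at an empty ban list. The `fail2ban-nginx-*` chain names in the linked article come from the older 0.8 series; current releases use the `f2b-` prefix. Both inputs below are constructed samples modelled on the rules in the post; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `sudo fail2ban-client status` output (not from the post).
STATUS_SAMPLE='Status
|- Number of jail:  3
`- Jail list:  nginx-badbots, nginx-noscript, sshd'

# Constructed sample of `sudo iptables -S` output, modelled on the post:
# only the sshd jail has its chain and its INPUT jump rule.
IPTABLES_SAMPLE='-P INPUT DROP
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A f2b-sshd -j RETURN'

# Print the jail names from the "Jail list:" line, one per line.
jails_from_status() {   # $1 = fail2ban-client status output
    printf '%s\n' "$1" | sed -n 's/.*Jail list:[[:space:]]*//p' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Succeed if the f2b-<jail> chain exists (the "-N" line from actionstart).
chain_exists() {   # $1 = iptables -S output, $2 = jail name
    printf '%s\n' "$1" | grep -qxF -- "-N f2b-$2"
}

# Succeed if INPUT jumps into the jail's chain for some port set.
jump_exists() {   # $1 = iptables -S output, $2 = jail name
    printf '%s\n' "$1" | grep -q -- "^-A INPUT .* -j f2b-$2\$"
}

# One line per jail: "<jail> ok", "<jail> MISSING jump" or "<jail> MISSING chain".
audit_jails() {   # $1 = fail2ban-client status output, $2 = iptables -S output
    jails_from_status "$1" | while read -r jail; do
        if chain_exists "$2" "$jail" && jump_exists "$2" "$jail"; then
            echo "$jail ok"
        elif chain_exists "$2" "$jail"; then
            echo "$jail MISSING jump"
        else
            echo "$jail MISSING chain"
        fi
    done
}

# Number of listed jails with no chain at all; anything above 0 means the
# jail's action never ran, so check /var/log/fail2ban.log for actionstart errors.
missing_count() {   # $1 = fail2ban-client status output, $2 = iptables -S output
    audit_jails "$1" "$2" | grep -c 'MISSING chain' || true
}

audit_jails "$STATUS_SAMPLE" "$IPTABLES_SAMPLE"
```

On a live host replace the two samples with `"$(sudo fail2ban-client status)"` and `"$(sudo iptables -S)"`.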