LinuxQuestions.org

Linux - Security forum thread: https://www.linuxquestions.org/questions/linux-security-4/problem-w-iptables-works-most-of-the-time-but-not-always-501913/

bitpail 11-15-2006 01:47 PM

Problem w/ iptables...works most of the time but not always.
 
I'm using fail2ban to block failed authorizations on our Linux server (FC5). This tool works really well...most of the time, that is. Every once in a while it appears that iptables is unsuccessful in blocking the repeated authentication attempts. I receive a message indicating that the IP has been banned; however, I can still see attacks from that IP in the log after that. It's really annoying because it fills up my inbox with ban notifications for the same IP over and over.

This is taken from the fail2ban.conf file; it shows the commands it uses to ban an IP.

# Option: fwcheck
# Notes.: command executed once before each fwban command
# Values: CMD Default:
#
fwcheck = iptables -L INPUT | grep -q fail2ban-%(__name__)s

# Option: fwban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <failtime> unix timestamp of the last failure
# <bantime> unix timestamp of the ban time
# Values: CMD
# Default: iptables -I INPUT 1 -s <ip> -j DROP
#
fwban = iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP


Does anyone have any idea why this doesn't work on all authentication attacks?

Mara 11-19-2006 01:38 PM

What's the time between the entry at which the ban should occur and the moment it occurs?

bitpail 11-20-2006 08:26 AM

The ban is to occur after the 10th failed attempt, and the scanning is performed every second, so the "normal" scenarios are working almost immediately. In the attempts that don't work, are the crackers able to fake this IP maybe? If so, how do you prevent it?

unSpawn 11-20-2006 02:56 PM

If it's too much work making sure this works OK, maybe pick another method from http://www.linuxquestions.org/questi...d.php?t=340366 ?

Mara 11-21-2006 03:38 PM

Well, I can imagine thousands of ports scanned in a second. The ban occurs ~after 0.5s, so quite a lot of attempts can pass by. It may be a good idea to limit logging to a certain number of messages; then you'll at least get fewer emails.

bitpail 11-22-2006 08:23 AM

That's a good idea Mara, it's probably what I'll end up doing, but I would still like to know why this happens and how to block that IP when it does happen. Does anyone have any ideas?

Mara 11-23-2006 02:56 PM

It's quite simple - you hit the limit a number of times (in that ~0.5s time) before the address gets banned.

bitpail 11-24-2006 09:04 AM

I don't think that we are understanding each other. I know that fail2ban blocks IPs using iptables after a configurable number of failed authorization attempts. This works most of the time. The problem is that sometimes an IP can be banned with fail2ban (iptables) and that IP is still able to attempt to authorize on my ftp site. This is what I am wondering about: how can someone do this, and how do I block this IP from continuing their dictionary attack? If there is not an automated way to do this, is there a manual way?

Mara 11-25-2006 02:52 PM

I don't see a way for an IP that is banned with iptables to still access ftp, except for one situation. iptables rules are applied long before (on the SYN packet) the ftp daemon actually deals with the new connection. When an IP is banned, its packets won't get past iptables. There's one exception, however. The packets may match a rule that says to accept them before the rule that bans them. One such rule is the standard one accepting ESTABLISHED, RELATED. In such a scenario, it's possible that, when there's an existing connection, a user may access the service while being banned.

win32sux 11-25-2006 03:08 PM

true... of course if he's doing an insert to the top of the chain, like:
Code:

iptables -I INPUT -s $BAD_IP -j DROP

then it should work no matter what kinda rules he has... i do agree with you in that i think it's likely that this is precisely what is NOT happening...

ok, i just took a quick look at the OP, and i see this:
Quote:

fwban = iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP

i'm not exactly sure about the context of the script, but i'm assuming this is the command executed for bad IPs... hence, i would say change it to this:
Code:

iptables -I INPUT -s <ip> -j DROP

i know it's more elegant to have your special chain and all (plus when you have seriously huge blacklists it even helps performance-wise if you blacklist packets of state NEW only in a separate chain), but this will at least let you test if the issue is caused by the packets getting sent to ACCEPT before they hit the ban rule which sends them to DROP...

you could also try this manually without using your auto-ban script, etc...

just my :twocents:...
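Mara's ordering point and win32sux's insert-at-the-top suggestion can be checked mechanically rather than by waiting for the next attack. The script below is an added example (not from the thread, and not part of fail2ban): it reads rules in `iptables -S INPUT` syntax and reports whether the jump to a ban chain, or a direct DROP, comes before the first ESTABLISHED,RELATED accept. The chain names and rule sets are constructed samples; on a real box you would feed it `"$(iptables -S INPUT)"` instead.

```shell
#!/bin/sh
# Added example: does an earlier ESTABLISHED,RELATED accept shadow the ban?
# Rule sets below are constructed samples in `iptables -S INPUT` syntax.
SAMPLE_BAD='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-VSFTPD
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH'
SAMPLE_GOOD='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-VSFTPD
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
# Manual fix from the thread: iptables -I INPUT ... lands at position 1
SAMPLE_MANUAL='-P INPUT ACCEPT
-A INPUT -s 192.0.2.10/32 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
# check_ban_order RULES TARGET -> 0: jump to TARGET precedes any state
# accept (ban hits every packet); 1: a RELATED/ESTABLISHED accept comes
# first, so a host with an open connection bypasses the ban; 2: TARGET
# is never referenced from INPUT at all.
check_ban_order() {
    rules=$1; target=$2; n=0; accept_at=0; jump_at=0
    while IFS= read -r line; do
        case $line in -A*) ;; *) continue ;; esac   # count rules only
        n=$((n + 1))
        case $line in
            *"-j ACCEPT"*)
                case $line in *ESTABLISHED*|*RELATED*)
                    if [ "$accept_at" -eq 0 ]; then accept_at=$n; fi ;;
                esac ;;
            *"-j $target"*)
                if [ "$jump_at" -eq 0 ]; then jump_at=$n; fi ;;
        esac
    done <<EOF
$rules
EOF
    [ "$jump_at" -eq 0 ] && return 2
    [ "$accept_at" -ne 0 ] && [ "$accept_at" -lt "$jump_at" ] && return 1
    return 0
}
# report RULES TARGET: print a verdict, always exit 0
report() {
    rc=0; check_ban_order "$1" "$2" || rc=$?
    case $rc in
        0) echo "$2: reached before any ESTABLISHED/RELATED accept, ban is effective" ;;
        1) echo "$2: SHADOWED by an earlier ESTABLISHED/RELATED accept" ;;
        2) echo "$2: never referenced from INPUT" ;;
    esac
}
report "$SAMPLE_BAD" fail2ban-VSFTPD
report "$SAMPLE_GOOD" fail2ban-VSFTPD
report "$SAMPLE_GOOD" fail2ban-SSH
report "$SAMPLE_MANUAL" DROP
```

Passing `DROP` as the target checks a direct per-IP drop such as the manual command in this thread; a result of 1 means an already-open connection from the banned host will keep getting through until it closes.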

bitpail 11-27-2006 04:11 PM

I'm pretty sure that I already had tried updating the iptables manually during an attack. (i think)

However being as I am uncertain that I did do this, I'll try it again during an attack. I'll post as soon as it happens again.

gradin 12-02-2006 03:56 PM

having the same problems as the previous guy
hey, i got the same problems as the previous guy...
included is the mail file with the notifications on it...
so basically it appears that fail2ban is failing to ban the ip addresses that have failed to authenticate...... which for me is a big problem due to the fact that this box is directly associated with a domain...

From fail2ban@localhost Thu Nov 30 21:53:54 2006
Return-path: <fail2ban@localhost>
Envelope-to: root@localhost
Delivery-date: Thu, 30 Nov 2006 21:53:54 -0800
Received: from localhost ([127.0.0.1] helo=XxlnetmaskxX.)
by XxlnetmaskxX. with esmtp (Exim 4.60)
(envelope-from <fail2ban@localhost>)
id 1Gq1LN-00025s-Q9
for root@localhost; Thu, 30 Nov 2006 21:53:53 -0800
From: fail2ban@localhost
To: root@localhost
Date: Thu, 30 Nov 2006 21:53:53 -0800
Subject: [Fail2Ban] 'SSH': Banned '209.145.93.100'
Message-Id: <E1Gq1LN-00025s-Q9@XxlnetmaskxX.>

Hi,

The IP '209.145.93.100' has just been banned by Fail2Ban after
3 attempts against 'SSH'.

Regards,

Fail2Ban

From fail2ban@localhost Thu Nov 30 21:53:58 2006
Return-path: <fail2ban@localhost>
Envelope-to: root@localhost
Delivery-date: Thu, 30 Nov 2006 21:53:58 -0800
Received: from localhost ([127.0.0.1] helo=XxlnetmaskxX.)
by XxlnetmaskxX. with esmtp (Exim 4.60)
(envelope-from <fail2ban@localhost>)
id 1Gq1LS-000267-Dp
for root@localhost; Thu, 30 Nov 2006 21:53:58 -0800
From: fail2ban@localhost
To: root@localhost
Date: Thu, 30 Nov 2006 21:53:58 -0800
Subject: [Fail2Ban] 'SSH': Banned '209.145.93.100'
Message-Id: <E1Gq1LS-000267-Dp@XxlnetmaskxX.>

Hi,

The IP '209.145.93.100' has just been banned by Fail2Ban after
3 attempts against 'SSH'.

Regards,

Fail2Ban

win32sux 12-02-2006 04:16 PM

Quote:

Originally Posted by gradin
he i got the same problems as the previous guy...
included is the mail file with the notifications on it...
so basically it appears that fail2ban is failing to ban the ip addresses that have failed to authenticate...... which for me is a big problem due to the fact that this box is directly associated with a domain...

well did you try and see if IPs are effectively blocked when done manually?? cuz if that works ok, then it's likely a bug in fail2ban (in which case your best bet is to use the bug thing on their site)...

bitpail 12-11-2006 08:57 AM

Was attacked again on the weekend. This morning I came to work and the attack was still happening so I used the following command:

iptables -I INPUT -s <ip> -j DROP

The attack still persisted even after the command was issued. However, there were three other attacks on our ftp site and those attacks were caught by fail2ban. Is this a problem in vsftpd or iptables? Any ideas on where to go from here?

win32sux 12-11-2006 11:50 AM

Quote:

Originally Posted by bitpail
Was attacked again on the weekend. This morning I came to work and the attack was still happening so I used the following command:

iptables -I INPUT -s <ip> -j DROP

The attack still persisted even after the command was issued.

not sure what to tell you... :confused:

i can't picture any scenario where this command wouldn't stop all packets coming from <ip>... this command was run on the box itself, right?? i know it's a stupid question but i'm just making sure you're not actually running this on a router which sits in front of the box (cuz you'd need the FORWARD chain for that)...
