fail2ban (ssh): localhost shows up in iptables
Hi,
I found a strange thing: localhost shows up in iptables as banned. What could be the cause of that? Code:
Chain f2b-sshd (1 references) Code:
$ grep 127 /etc/fail2ban/jail.local Code:
$ grep 127 /var/log/fail2ban.log* Thanks for the help! -- Best regards, Andrzej Telszewski |
Actually it blocks ssh connections from localhost. Thus no need to worry. But as the destination is "anywhere", you should not be able to ssh to localhost on the machine itself. Only if you have some kind of iptables -d localhost -j ACCEPT rule somewhere.
But why localhost gets into the ban list I have no clue. Also the fail2ban log is not really telling why it looks for localhost. Do you have any cronjobs doing some ssh connections to your host? Maybe you could try 127.0.0.1/24 inside your jail.local config. |
Hi,
That's my iptables: Code:
Chain INPUT (policy DROP)
I have: Code:
ifconfig lo -- Best regards, Andrzej Telszewski |
As the fail2ban chain is first, the localhost iptables rules should not matter. Also the rule says something about multiport dports ssh, whatever that means. But no source port is mentioned.
My bad with the 127.0.0.1/24, I meant 127.0.0.1/32 to directly address the host and not a network. Also this is just a stab in the dark. It just aims to get the localhost out of fail2ban. Next on the list would be to find out where your ssh localhost connection originates from. If you have a listen configuration of sshd it's probably on a routable IP address and thus the connection should not originate from 127.0.0.1 but something like 192.168.0.1. Maybe do a ssh -v localhost and see if it prints any IPs. Maybe add some more -v to get more verbose output. Also check netstat -tulpn | grep ssh to see the ports and IPs sshd listens on. Do you have IPv6 in action? Maybe the ssh connection walks this way. Any iptables on IPv6? Can fail2ban work with IPv6? Is it configured? If I may give you a hint: just a minor improvement to your overall iptables setup would be to get the -m state --state ESTABLISHED,RELATED part as high as possible. Fewer rules have to be checked this way. |
Hi,
Some more background information, but I believe it doesn't matter: 1. I'm running Slackware 14.0 and the package was meant for Slackware 14.1 (from http://slackbuilds.org/). 2. I have added file paths-overrides.local with: Code:
[DEFAULT] 3. I have set net.ipv4.conf.all.arp_ignore=1, because there are users on the LAN that sometimes were directed to my host, because my internal network has the same subnet that LAN users sometimes configure on their LAN interfaces (e.g. they have two subnets on a single LAN interface and I also have these two subnets but on different interfaces). I hope I'm clear enough;)
Code:
$ netstat -tulpn | grep ssh 1. When I initiate the ssh to localhost, src port is 54901 and dst port is 22, so no rule in iptables should block it. 2. Then I have a reply from src port 22 to dst port 54901 and again no rule should block it, because the f2b-sshd rules trigger on dst port 22 and the dst port now is 54901. 3. And then the ssh conversation goes on without problems.
I'm pasting my complete iptables configuration here. If you see something strange, then please let me know: Code:
$IPT -F Another interesting thing. Last time I checked, localhost was unbanned and at the moment it is banned again. And the log: Code:
$ grep "127\|local" /var/log/fail2ban.log* Any ideas? -- Best regards, Andrzej Telszewski |
Points 1, 2, and 3 should not really matter here. Actually I don't know what option 3 does :)
The best way to find out why localhost is blocked might be to check /var/log/messages with the regexes that are within the fail2ban configuration files. |
Hi,
Have a look here: Preventing ARP flux on Linux. Basically, I have two NICs, eth0 and eth1; eth0 is 192.168.1.0/24 and eth1 is 10.20.30.0/24. eth0 is on the LAN, eth1 is for my private use. If net.ipv4.conf.all.arp_ignore is set to 0 (default), ARPs (that is "who has X.X.X.X") made on LAN 192.168.1.0/24, querying about who has something in 10.20.30.0/24, will resolve to my private eth1. And I need to prevent this behavior. Setting net.ipv4.conf.all.arp_ignore to 1 will make my box not respond to queries about 10.20.30.0/24 (eth1) if they come from 192.168.1.0/24 (eth0).
1. I try to connect to localhost:ssh. 2. The f2b-sshd target should be run, because the dst port in 1) is ssh. 3. The REJECT target of f2b-sshd should be run, because the source addr is localhost and localhost is banned. Well, I don't know why it does not work.
Code:
$ grep localhost /var/log/messages* Oh lord, look at this: Code:
$ iptables -nL --line-numbers Code:
$ iptables -L -- Best regards, Andrzej Telszewski |
Check /etc/hosts why 113.175.*.* is treated as localhost.
I'm a bit sleepy from lunch, I'll check back later if I spot something more. |
Hi,
Code:
127.0.0.1 localhost I did a bit of Wireshark and then: Code:
$ nslookup 113.175.178.110 This reminds me of a situation I had some time ago. If I entered a non-existent address (I don't remember exactly if it was a domain or an IP) in the web browser I was always redirected to my own localhost server. I wonder if the current situation has anything to do with the old one. Is it possible to protect against this situation? -- Best regards, Andrzej Telszewski |
On my machine it shows the same. Also using internal DNS servers and not Google's. Also only with nslookup. With dig I get an empty PTR record. Strange, strange. Also this would mean that the internal DNS stack uses the logic of nslookup. Whatever that means (:.
Maybe try to add 113.175... localhost to /etc/hosts. Or better 113.175.. pc-andtel to /etc/hosts. |
Hi,
I've been thinking if it would be possible to have some filter rules, looking into the DNS packets and changing them to something like "no such domain". It would happen in 2 cases: 1) you want to check some domain and the reply from the DNS contains 127.0.0.0/8. This would prevent domains other than localhost resolving to 127.0.0.0/8. 2) you want to check some IP and the reply is localhost (like in our discussion). This would prevent IPs other than 127.0.0.0/8 resolving to localhost. -- Best regards, Andrzej Telszewski |
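The two checks proposed in the post above, written out as an added example that is not part of the original thread: flag a DNS reply that maps a name other than localhost into 127.0.0.0/8 (case 1), and a PTR reply that maps an address outside loopback space to "localhost" (case 2). It also runs the second check over the source column of an `iptables -nL` listing, which is how the banned addresses earlier in the thread came to be displayed as "localhost" by the name-resolving `iptables -L`. All input is constructed and embedded (the listing, the PTR and A answers) so it runs offline; a real audit would replace the two dictionaries with live lookups. The function and variable names are my own, not from fail2ban or iptables.

```python
import ipaddress
import re

# Constructed sample of `iptables -nL` output for a fail2ban chain. The first two
# addresses are the ones discussed in the thread; the third is documentation space.
IPTABLES_NL = """\
Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  113.175.178.110      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  188.225.76.121       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  203.0.113.7          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

# Constructed stand-ins for reverse (PTR) and forward (A) answers. Assumption:
# a real run would obtain these from the resolver instead of a dictionary.
PTR_ANSWERS = {
    "113.175.178.110": "localhost.",
    "188.225.76.121": "localhost.",
    "203.0.113.7": "mail.example.net.",
    "127.0.0.1": "localhost.",
}
A_ANSWERS = {
    "localhost.": ["127.0.0.1"],
    "mail.example.net.": ["203.0.113.7"],
    "evil.example.org.": ["127.0.0.1"],  # case 1: a foreign name pointing into loopback
}

LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def is_loopback(ip: str) -> bool:
    """True for any address inside 127.0.0.0/8 or ::1."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOOPBACK_NETS)


def is_localhost_name(name: str) -> bool:
    """True for 'localhost' or anything under the .localhost label, trailing dot tolerated."""
    n = name.rstrip(".").lower()
    return n == "localhost" or n.endswith(".localhost")


def ptr_is_suspicious(ip: str, name: str) -> bool:
    """Case 2: a non-loopback address whose PTR record claims to be localhost."""
    return is_localhost_name(name) and not is_loopback(ip)


def a_is_suspicious(name: str, ip: str) -> bool:
    """Case 1: a name other than localhost whose A record lands in loopback space."""
    return is_loopback(ip) and not is_localhost_name(name)


def banned_sources(listing: str) -> list:
    """Source addresses of REJECT/DROP rules in `iptables -nL` (with or without --line-numbers)."""
    rule = re.compile(r"^\s*(?:\d+\s+)?(?:REJECT|DROP)\s+\S+\s+\S+\s+(\S+)\s+")
    out = []
    for line in listing.splitlines():
        m = rule.match(line)
        if m:
            out.append(m.group(1).split("/")[0])  # strip an optional /prefix
    return out


def audit_bans(listing: str, ptr: dict) -> list:
    """Banned addresses that `iptables -L` would display as 'localhost' on a forged PTR."""
    return [ip for ip in banned_sources(listing) if ptr_is_suspicious(ip, ptr.get(ip, ""))]


if __name__ == "__main__":
    for ip in banned_sources(IPTABLES_NL):
        name = PTR_ANSWERS.get(ip, "<no PTR>")
        print(f"{ip:16} -> {name:18} {'SUSPICIOUS' if ptr_is_suspicious(ip, name) else 'ok'}")
    for name, ips in A_ANSWERS.items():
        for ip in ips:
            print(f"{name:18} -> {ip:16} {'SUSPICIOUS' if a_is_suspicious(name, ip) else 'ok'}")
```

Feeding `audit_bans` the real `iptables -nL` output plus live PTR lookups gives the list of entries that would masquerade as localhost in the `-L` view; the `-n` listing is the one to trust, since it never consults DNS.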
Hi,
Here we go again: Code:
$ nslookup 188.225.76.121 Best regards, Andrzej Telszewski |
If you add your IP with a proper name to /etc/hosts, sshd can pick that up and doesn't need to do an external lookup. Though don't put it in as localhost but as the hostname you are using (pc-andtel it is?).
To get rid of the localhost from fail2ban you could add your outward IP to the fail2ban ignore list, just like 127.0.0.1. Or put "UseDNS no" in your sshd_config.
The approach with the filter rules would be huge. It might be easier to install a local DNS server like dnsmasq or go big with bind. If you only want to block those DNS packets, look into the string module of iptables.
The same for tcp, or just leave out -p. To be faster on the search, get a dump of a DNS lookup and use --from and --to to narrow it down. |
Hi,
Code:
$ iptables -nL Thanks for the help! -- Best regards, Andrzej Telszewski |
Looking sideways
Hi,
In my case iptables -L shows localhost, however when iptables is run with -nL it shows an IP: Code:
REJECT all -- localhost anywhere reject-with icmp-port-unreachable
REJECT all -- localhost anywhere reject-with icmp-port-unreachable
REJECT all -- 123.31.34.140 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 123.31.32.9 0.0.0.0/0 reject-with icmp-port-unreachable
# nslookup
> 123.31.34.140
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
140.34.31.123.in-addr.arpa name = localhost.
Perhaps they want one to do something silly resulting in fail2ban being stopped ... my 2c. |