Got this sh*t in my error logs…
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports http,https -m set --match-set fail2ban-apache-fakegooglebot src -j REJECT --reject-with icmp-port-unreachable -- killed with signal 124 (return code: 252)
2017-07-08 21:26:11,212 fail2ban.actions : ERROR Failed to start jail 'apache-fakegooglebot' action 'firewallcmd-ipset': Error starting action
2017-07-08 21:26:11,416 fail2ban.action : ERROR ipset create fail2ban-apache-modsecurity hash:ip timeout 6000
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports http,https -m set --match-set fail2ban-apache-modsecurity src -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
Solution? Set banaction to iptables, so fail2ban no longer depends on the firewalld/ipset action that is failing here! 🙂
# Override the setting from /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
I realized that fail2ban wasn't banning failed SSH login attempts…
My server's time is different from the one being logged by rsyslog, because I had to change my timezone once… 🙂
Let's restart rsyslog:
sudo service rsyslog restart
Today I was watching my fail2ban logs on one of my servers and found a DigitalOcean IP trying to brute-force SSH.
2015-10-18 18:08:07,471 fail2ban.actions: WARNING [ssh] Ban 184.108.40.206
inetnum:         220.127.116.11 - 18.104.22.168
netname:         EU-DIGITALOCEAN-DE1
descr:           Digital Ocean, Inc.
country:         DE
org:             ORG-DOI2-RIPE
admin-c:         BU332-RIPE
tech-c:          BU332-RIPE
status:          ASSIGNED PA
mnt-by:          digitalocean
mnt-lower:       digitalocean
mnt-routes:      digitalocean
mnt-domains:     digitalocean
created:         2015-06-03T01:15:35Z
last-modified:   2015-06-03T01:15:35Z
source:          RIPE # Filtered
Since I have 3 droplets at DigitalOcean, I decided to use their support to see what they would do about it…
Remove an IP address from the banned SSH list:
sudo iptables -D fail2ban-ssh -s banned_ip -j DROP
Remove an IP address from the banned FTP list:
sudo iptables -D fail2ban-pure-ftpd -s banned_ip -j DROP
Check if an IP address is blocked:
iptables -L -n --line-numbers | grep [IP_Address]
If the IP address appears in a rule whose target is DROP or REJECT, it is blocked.
Unblock an IP address for incoming connections:
iptables -I INPUT -s [IP_Address] -j ACCEPT
Block an IP address for incoming connections:
sudo iptables -A INPUT -s [IP_Address] -j DROP