Fail2ban Banned but does not create a rule in ufw and iptables

Discussion in 'HOWTO-Related Questions' started by Matz Sor, Jan 19, 2025.

  1. Matz Sor

    Matz Sor New Member

    I can't understand what could be happening; I need help from friends.
    Apparently there is no error in operation, but it is not creating the rules in the firewall:

    Code:
    fail2ban.observer [16728]: INFO [sshd] Found ***.***.***.***, bad - 2025-01-19 04:02:42, 1 # -> 2.0
    2025-01-19 04:02:42,817 fail2ban.actions [16728]: WARNING [sshd] ***.***.***.*** already banned

    I run the iptables commands:
    Code:
    iptables -L -v -n
    ufw status
    fail2ban-client status postfix

    My jail.local looks like this:
    Code:
    [DEFAULT]
    ignoreip = 127.0.0.1 ::1 187.34.46.110
    findtime = 86400
    maxretry = 3
    destemail = [email protected]
    sender = root
    sendername = Fail2ban
    backend = polling
    bantime = 6048000
    bantime.increment = true
    bantime.factor = 2

    [postfix]
    enabled = true
    port = smtp,465,587,submission
    filter = postfix[mode=aggressive]
    logpath = %(postfix_log)s
    backend = %(postfix_backend)s
    action = %(action_mwl)s %(action_abuseipdb)s[abuseipdb_category="7,10,11,15,17,18,19"]
    banaction = %(banaction_allports)s
     
    Last edited: Jan 19, 2025
  2. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    Fail2ban quite clearly states that the affected jail is sshd,

    yet you're checking the status of the postfix jail to see if the IP is banned.

    Try
    Code:
    fail2ban-client banned
    
    to list all banned IPs in all jails.
     
  3. Matz Sor

    Matz Sor New Member

    This works too, but I always check through ISPConfig: in Monitor -> Display Fail2ban log I copy the last banned IP, then go to Monitor -> Display Firewall Rules and search for the banned IP. If it is not in the list of rules, no rules were created for it.
     
    Last edited: Jan 19, 2025
  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    I don't know if you're using Ubuntu, Debian or something else, or how recent a version, but maybe it's using nftables instead.

    try
    Code:
    nft list ruleset
    
    On mine (Ubuntu 24.04), it includes a table for all the fail2ban rules, with sets for each jail holding the currently blocked IPs (IPv4 and IPv6 have their own sets), and a chain at the end for what to do with each set.

    Code:
    table inet f2b-table {
        set addr-set-sshd {
            type ipv4_addr
            elements = { 120.131.12.238, 138.197.0.110 }
        }
    
        set addr-set-apache-badbots {
            type ipv4_addr
            elements = { 3.94.156.104, 3.214.176.44,
                     4.227.36.29, 4.227.36.37,
                     4.227.36.90, 18.207.89.138,
                     35.173.18.61, 47.128.17.157,
                     47.128.18.138, 47.128.22.110,
                     47.128.22.163, 47.128.27.84,
                     47.128.29.151, 47.128.33.87,
                     47.128.33.143, 47.128.35.248,
                     47.128.37.32, 47.128.45.81,
                     47.128.47.161, 47.128.49.135,
                     47.128.60.62, 47.128.96.102,
                     47.128.98.220, 47.128.115.59,
                     47.128.118.135, 47.128.122.31,
                     47.128.127.201, 52.3.102.51,
                     52.5.232.250, 52.207.47.227,
                     54.83.23.103, 54.162.69.192,
                     81.17.57.144, 85.208.96.199,
                     85.208.96.200, 85.208.96.201,
                     85.208.96.209, 114.119.146.15,
                     185.191.171.1, 185.191.171.6,
                     185.191.171.8, 185.191.171.10,
                     185.191.171.11, 185.191.171.12,
                     185.191.171.13, 185.191.171.14,
                     185.191.171.16, 192.99.3.137,
                     195.191.219.130, 195.191.219.131,
                     202.8.40.204, 217.113.194.30,
                     217.113.194.222, 217.113.194.230 }
        }
    
        set addr-set-wp-login {
            type ipv4_addr
            elements = { 65.254.93.245 }
        }
    
        set addr6-set-apache-badbots {
            type ipv6_addr
            elements = { 2602:ffe4:8:1001::5,
                     2a03:ee40:8080:15::130,
                     2a0d:3002:2100:a026:1::112 }
        }
    
        set addr6-set-sshd {
            type ipv6_addr
        }
    
        set addr-set-xmlrpc {
            type ipv4_addr
            elements = { 43.205.96.146, 194.26.192.14 }
        }
    
        set addr-set-4xx {
            type ipv4_addr
        }
    
        set addr6-set-xmlrpc {
            type ipv6_addr
        }
    
        set addr6-set-4xx {
            type ipv6_addr
        }
    
        set addr6-set-wp-login {
            type ipv6_addr
        }
    
        chain f2b-chain {
            type filter hook input priority filter - 1; policy accept;
            tcp dport 22 ip saddr @addr-set-sshd reject with icmp port-unreachable
            tcp dport { 80, 443 } ip saddr @addr-set-apache-badbots reject with icmp port-unreachable
            tcp dport { 80, 443 } ip saddr @addr-set-wp-login reject with icmp port-unreachable
            tcp dport { 80, 443 } ip6 saddr @addr6-set-apache-badbots reject with icmpv6 port-unreachable
            tcp dport 22 ip6 saddr @addr6-set-sshd reject with icmpv6 port-unreachable
            tcp dport { 80, 443 } ip saddr @addr-set-xmlrpc reject with icmp port-unreachable
            tcp dport { 80, 443 } ip saddr @addr-set-4xx reject with icmp port-unreachable
            tcp dport { 80, 443 } ip6 saddr @addr6-set-xmlrpc reject with icmpv6 port-unreachable
            tcp dport { 80, 443 } ip6 saddr @addr6-set-4xx reject with icmpv6 port-unreachable
            tcp dport { 80, 443 } ip6 saddr @addr6-set-wp-login reject with icmpv6 port-unreachable
        }
    }
     
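To do the cross-check the original poster wanted (is the IP that fail2ban says it banned really in the kernel's firewall?) against whichever backend is in use, here is an added example script; it is not from this thread or from fail2ban itself. It assumes the set names addr-set-<jail> / addr6-set-<jail> inside table inet f2b-table shown in the ruleset above for the nftables action, the chain name f2b-<jail> that fail2ban's iptables actions use, and the one-rule-per-line output of iptables -S. The sample rule sets embedded in it are constructed, not captured from a real host, and the function names (banned_in_nft, banned_in_iptables, check_ban) are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from fail2ban itself: verify that
# an address fail2ban reports as banned really is in the kernel's rule set.
# Assumptions: fail2ban's nftables action keeps bans in "table inet f2b-table"
# in sets named addr-set-<jail> (IPv4) and addr6-set-<jail> (IPv6), as in the
# ruleset posted above; its iptables action puts one REJECT/DROP rule per
# address in a chain named f2b-<jail>. Both parsers take saved command output
# as text so they can be exercised without root or a live firewall.

# banned_in_nft RULESET JAIL IP: print the set holding IP and exit 0; else exit 1
banned_in_nft() {
    printf '%s\n' "$1" | awk -v jail="$2" -v ip="$3" '
        /^[ \t]*set [A-Za-z0-9_.-]+ [{]/ { cur = $2; next }   # entering a set block
        /^[ \t]*[}]/                     { cur = "";  next }   # leaving it
        cur == "addr-set-" jail || cur == "addr6-set-" jail {
            # "elements = { a, b, ... }" wraps over several lines, so tokenise
            # every line of the block and compare whole tokens: a substring
            # match would let 10.0.0.1 "find" 10.0.0.10.
            n = split($0, tok, /[ \t{},=]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] == ip) { print cur; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# banned_in_iptables RULES JAIL IP: exit 0 if "iptables -S" output carries a
# REJECT or DROP rule for IP in chain f2b-<jail>. -S is used rather than -L
# because it prints every rule on one line in command syntax.
banned_in_iptables() {
    printf '%s\n' "$1" | awk -v chain="f2b-$2" -v ip="$3" '
        $1 == "-A" && $2 == chain && $3 == "-s" &&
        ($4 == ip || $4 == ip "/32" || $4 == ip "/128") &&
        ($6 == "REJECT" || $6 == "DROP") { found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# check_ban JAIL IP: query the live firewall, whichever backend is present
# (needs root). On a miss, point at what fail2ban itself believes.
check_ban() {
    if command -v nft >/dev/null 2>&1 &&
       set_name=$(banned_in_nft "$(nft list ruleset)" "$1" "$2"); then
        echo "$2 is in nftables set $set_name (jail $1)"
    elif command -v iptables >/dev/null 2>&1 &&
         banned_in_iptables "$(iptables -S)" "$1" "$2"; then
        echo "$2 is in iptables chain f2b-$1"
    else
        echo "$2 is NOT in the firewall for jail $1; compare with: fail2ban-client status $1"
        return 1
    fi
}

# Constructed sample output (not captured from a real host), used to exercise
# the parsers offline. Addresses are from the RFC 5737/3849 documentation ranges.
SAMPLE_NFT='table inet f2b-table {
    set addr-set-sshd {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.100,
                 198.51.100.7 }
    }

    set addr6-set-sshd {
        type ipv6_addr
        elements = { 2001:db8::1 }
    }

    chain f2b-chain {
        type filter hook input priority filter - 1; policy accept;
        tcp dport 22 ip saddr @addr-set-sshd reject with icmp port-unreachable
        tcp dport 22 ip6 saddr @addr6-set-sshd reject with icmpv6 port-unreachable
    }
}'
SAMPLE_IPT='-P INPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN'

# Usage: sh check_ban.sh <jail> <ip>   e.g.  sh check_ban.sh sshd 192.0.2.10
if [ $# -eq 2 ]; then
    check_ban "$1" "$2"
fi
```

Run it as root with a jail name and an address, then compare with fail2ban-client status <jail>. If fail2ban lists the address but neither parser finds it, the ban action itself is failing (check fail2ban.log for errors from the action) or the ban landed in a backend you are not inspecting; note that ufw status only shows ufw's own rules, not the f2b-* chains or the f2b-table that fail2ban manages directly.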
  5. variable99

    variable99 Member

    A slightly more verbose command, which prints the status of every jail:

    Code:
    fail2ban-client status|awk -F: '/Jail list:/ { split($2,jail,",") ; for (i in jail) { gsub(/[\t ]/,"",jail[i]); system("fail2ban-client status "jail[i]); }; }'
     
  6. Matz Sor

    Matz Sor New Member

    That's really useful, thank you so much!
     
  7. Matz Sor

    Matz Sor New Member

    thank you so much!
     
