Hi. New on this forum but not new to ISPConfig and Debian Linux. Mostly I can find the issue on the web, but this time I'm stuck. I have added the blacklist to fail2ban. That seems to work. I see the banned IPs in the iptables -L list, but it doesn't seem to block any of them, because I still see the requests in the Apache access.log files. Manually adding a DROP record to iptables doesn't seem to work either. Found something that Debian 12 doesn't use iptables anymore but you can switch back:

Code:
sudo update-alternatives --set iptables /usr/sbin/iptables-legacy

But it didn't make any difference. I'm running it on a VPS with ISPConfig 3 and Debian 12. Any thoughts on this issue?
Can you share your full iptables ruleset and the output of

Code:
ls -la /usr/sbin/ip*tables*

and

Code:
ls -la /etc/alternatives/ip*tables*

(please use CODE tags through Insert > Code)
Code:
Chain INPUT (policy DROP)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere

Chain f2b-blacklist (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere mdns.mcast.net udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere

Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warn prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain ufw-track-forward (1 references)
target prot opt source destination

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW

Chain ufw-user-forward (1 references)
target prot opt source destination

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:submissions
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:sieve
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:tproxy
ACCEPT tcp -- anywhere anywhere multiport dports 40110:40210
ACCEPT udp -- anywhere anywhere udp dpt:domain

Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warn prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain ufw-user-logging-forward (0 references)
target prot opt source destination

Chain ufw-user-logging-input (0 references)
target prot opt source destination

Chain ufw-user-logging-output (0 references)
target prot opt source destination

Chain ufw-user-output (1 references)
target prot opt source destination

Code:
lrwxrwxrwx 1 root root 27 Jan 16 2023 /usr/sbin/ip6tables -> /etc/alternatives/ip6tables
lrwxrwxrwx 1 root root 14 Jan 16 2023 /usr/sbin/ip6tables-apply -> iptables-apply
lrwxrwxrwx 1 root root 20 Jan 16 2023 /usr/sbin/ip6tables-legacy -> xtables-legacy-multi
lrwxrwxrwx 1 root root 20 Jan 16 2023 /usr/sbin/ip6tables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx 1 root root 20 Jan 16 2023 /usr/sbin/ip6tables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx 1 root root 17 Jan 16 2023 /usr/sbin/ip6tables-nft -> xtables-nft-multi
lrwxrwxrwx 1 root root 17 Jan 16 2023 /usr/sbin/ip6tables-nft-restore -> xtables-nft-multi
lrwxrwxrwx 1 root root 17 Jan 16 2023 /usr/sbin/ip6tables-nft-save -> xtables-nft-multi
lrwxrwxrwx 1 root root 35 Jan 16 2023 /usr/sbin/ip6tables-restore -> /etc/alternatives/ip6tables-restore
lrwxrwxrwx 1 root root 17 Jan 16 2023 /usr/sbin/ip6tables-restore-translate -> xtables-nft-multi
lrwxrwxrwx 1 root root 32 Jan 16 2023 /usr/sbin/ip6tables-save -> /etc/alternatives/ip6tables-save
lrwxrwxrwx 1 root root 17 Jan 16 2023 /usr/sbin/ip6tables-translate -> xtables-nft-multi
lrwxrwxrwx 1 root root 26 Jan 16 2023 /usr/sbin/iptables -> /etc/alternatives/iptables
-rwxr-xr-x 1 root root 7037 Jan 12 2023 /usr/sbin/iptables-apply
lrwxrwxrwx 1 root root 20 Jan 16 2023 /usr/sbin/iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx 1 root root 20 Jan 16 2023 /usr/sbin/iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx 1 root root 20 Jan 16 2023 /usr/sbin/iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx 1 root root 17 Jan 16 2023 /usr/sbin/iptables-nft -> xtables-nft-multi
lrwxrwxrwx 1 root root 17 Jan 16 2023 /usr/sbin/iptables-nft-restore -> xtables-nft-multi
lrwxrwxrwx 1 root root 17 Jan 16 2023 /usr/sbin/iptables-nft-save -> xtables-nft-multi
lrwxrwxrwx 1 root root 34 Jan 16 2023 /usr/sbin/iptables-restore -> /etc/alternatives/iptables-restore
lrwxrwxrwx 1 root root 17 Jan 16 2023 /usr/sbin/iptables-restore-translate -> xtables-nft-multi
lrwxrwxrwx 1 root root 31 Jan 16 2023 /usr/sbin/iptables-save -> /etc/alternatives/iptables-save
lrwxrwxrwx 1 root root 17 Jan 16 2023 /usr/sbin/iptables-translate -> xtables-nft-multi

Code:
lrwxrwxrwx 1 root root 23 Nov 15 15:35 /etc/alternatives/ip6tables -> /usr/sbin/ip6tables-nft
lrwxrwxrwx 1 root root 31 Nov 15 15:35 /etc/alternatives/ip6tables-restore -> /usr/sbin/ip6tables-nft-restore
lrwxrwxrwx 1 root root 28 Nov 15 15:35 /etc/alternatives/ip6tables-save -> /usr/sbin/ip6tables-nft-save
lrwxrwxrwx 1 root root 25 Dec 29 15:13 /etc/alternatives/iptables -> /usr/sbin/iptables-legacy
lrwxrwxrwx 1 root root 33 Dec 29 15:13 /etc/alternatives/iptables-restore -> /usr/sbin/iptables-legacy-restore
lrwxrwxrwx 1 root root 30 Dec 29 15:13 /etc/alternatives/iptables-save -> /usr/sbin/iptables-legacy-save
That was probably a bad idea. Usually, starting to fix things by altering the default configuration of the OS leads to disaster. Maybe as a last resort. There are IPs that have DROP in the iptables listing. Are you sure they can access your system while the fail2ban ban is in effect? Note the ban only lasts 10 minutes by default. Consider enabling the recidive jail if you want long bans for repeat offenders. What is in the fail2ban log about those IP numbers? Examine for example with

Code:
grep 218.92.0.76 /var/log/fail2ban.log

I find it hard to believe iptables would not work; it is the Linux kernel that does the firewalling, so it not working is rare. Maybe look for those IP numbers in other logs while the ban is in effect: can they really access your host then?
I reverted the iptables change with

Code:
sudo update-alternatives --set iptables /usr/sbin/iptables-nft

(wiki.debian.org/iptables) and did a restore from a previous save and a fail2ban restart. Status is running without errors. For example, an HTTP request from xx.xx.xx.xx:

Code:
fail2ban-client set blacklist banip xx.xx.xx.xx
sudo grep xx.xx.xx.xx /var/log/fail2ban.log
2024-01-02 15:59:14,481 fail2ban.actions [1053615]: NOTICE [blacklist] Ban xx.xx.xx.xx

Code:
sudo grep 8xx.xx.xx.xx /var/www/clients/client0/web1/log/access.log
xx.xx.xx.xx - - [02/Jan/2024:16:01:55 +0100] "GET /bruggen/alblasserdamsebrug-alblasserdam HTTP/1.1" 403 529 "-" "HomeAssistant/2023.12.4 httpx/0.25.0 Python/3.11"
xx.xx.xx.xx - - [02/Jan/2024:16:03:35 +0100] "GET /bruggen/alblasserdamsebrug-alblasserdam HTTP/1.1" 403 529 "-" "HomeAssistant/2023.12.4 httpx/0.25.0 Python/3.11"
xx.xx.xx.xx - - [02/Jan/2024:16:05:15 +0100] "GET /bruggen/alblasserdamsebrug-alblasserdam HTTP/1.1" 403 529 "-" "HomeAssistant/2023.12.4 httpx/0.25.0 Python/3.11"
xx.xx.xx.xx - - [02/Jan/2024:16:06:55 +0100] "GET /bruggen/alblasserdamsebrug-alblasserdam HTTP/1.1" 403 529 "-" "HomeAssistant/2023.12.4 httpx/0.25.0 Python/3.11"

btw the 403 is because it is .htaccess-blocked at the moment. I would expect no access log entries from a banned IP while the ban is active, right?

jail.local
Code:
[blacklist]
enabled = true
logpath = /var/log/fail2ban.*
filter = blacklist
banaction = blacklist
bantime = 31536000 ; 1 year
findtime = 31536000 ; 1 year
maxretry = 10

The fail2ban filter.d/blacklist.conf and action.d/blacklist.conf are stock from github /mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning
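The grep-based check in the post above (a banned IP should produce no access.log entries while its ban is active), written out as an added example that is not code from the thread: it parses the `Ban` lines from fail2ban.log and the Apache access log lines, and reports every request from a banned client that Apache logged inside the ban window. The log samples are constructed with RFC 5737 addresses, and the server's time zone (+0100) is an assumption taken from the Apache lines, since fail2ban logs local time without an offset.

```python
"""Added example (not the thread's code): list access.log requests from an
IP that arrive while a fail2ban ban on it is active. Any hit found means
the kernel rule is not matching the connection's real source address."""
import re
from datetime import datetime, timedelta, timezone

# Constructed samples in the two log formats quoted in the thread, using a
# documentation address; fail2ban logs local time without an offset, so the
# server's zone is assumed here to be +0100 as in the Apache lines.
SERVER_TZ = timezone(timedelta(hours=1))
BANTIME = timedelta(seconds=31536000)  # the jail's bantime (1 year)
FAIL2BAN_LOG = """\
2024-01-02 15:59:14,481 fail2ban.actions [1053615]: NOTICE [blacklist] Ban 203.0.113.10
"""
ACCESS_LOG = """\
203.0.113.10 - - [02/Jan/2024:15:58:00 +0100] "GET / HTTP/1.1" 200 512 "-" "ua"
203.0.113.10 - - [02/Jan/2024:16:01:55 +0100] "GET /bruggen/x HTTP/1.1" 403 529 "-" "ua"
203.0.113.10 - - [02/Jan/2024:16:03:35 +0100] "GET /bruggen/x HTTP/1.1" 403 529 "-" "ua"
198.51.100.7 - - [02/Jan/2024:16:04:00 +0100] "GET / HTTP/1.1" 200 512 "-" "ua"
"""
BAN_RE = re.compile(r"^(\S+ \S+) fail2ban\.actions .*NOTICE \[(\S+)\] Ban (\S+)$")
ACC_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3})')

def parse_bans(text, local_tz):
    """Return {ip: (ban_start, jail)} from fail2ban.log 'Ban' lines."""
    bans = {}
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if m:
            start = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            bans[m.group(3)] = (start.replace(tzinfo=local_tz), m.group(2))
    return bans

def hits_during_ban(access_text, bans, bantime):
    """(ip, jail, timestamp, status) for every request from a banned IP that
    Apache logged inside [ban_start, ban_start + bantime]."""
    leaks = []
    for line in access_text.splitlines():
        m = ACC_RE.match(line)
        if not m or m.group(1) not in bans:
            continue
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        start, jail = bans[m.group(1)]
        if start <= when <= start + bantime:
            leaks.append((m.group(1), jail, when.isoformat(), m.group(3)))
    return leaks

def leaks_in_sample():
    """Run the check over the constructed samples (two hits after the ban)."""
    return hits_during_ban(ACCESS_LOG, parse_bans(FAIL2BAN_LOG, SERVER_TZ), BANTIME)
```

On a live host, read the real files into the two strings and pass the jail's own bantime; the request logged at 15:58, before the ban, is correctly ignored.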
Have you tried removing that blacklist jail and enabling the recidive jail? The recidive jail comes with the fail2ban distribution, so not installing extra jails from somewhere might make things work better. That blacklist jail code is 5 years old, so it is much more likely to not work than claiming iptables is not working. Right. Since the IP still accesses the host, it shows the blacklist jail did not succeed in setting the ban. Did you check what got entered in iptables when you did set blacklist banip?
Looks like the rules are added correctly.

Code:
Chain f2b-blacklist (0 references)
target prot opt source destination
DROP all -- xx.xx.xx.xx.cable.dynamic.v4.ziggo.nl anywhere
DROP all -- xx.xx.xx.xx.ftth.glasoperator.nl anywhere
RETURN all -- anywhere anywhere

Does the 0 references cause an issue?
Code:
Chain f2b-recidive (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any xx.xx.xx.xx.ftth.glasoperator.nl anywhere reject-with icmp-port-unreachable
0 0 REJECT all -- any any xx.xx.xx.xx.cable.dynamic.v4.ziggo.nl anywhere reject-with icmp-port-unreachable
8350 2467K RETURN all -- any any anywhere anywhere

It doesn't make sense to me. Thinking, I'm going to do a reinstall on VMware to see if something is messed up..
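The "0 references" question from the earlier post, as an added example that is not code from the thread: in `iptables -L` output the reference count is the number of rules that jump into a chain, so a chain with 0 references is never entered from INPUT and its DROP/REJECT rules are never evaluated, however correct they look. The check below parses a dump, follows jump targets from INPUT, and reports whether a ban on an address sits in a reachable chain. The sample dump is constructed (numeric `-n` style output, RFC 5737 addresses) to mirror the f2b-blacklist and f2b-recidive chains above.

```python
"""Added example (not the thread's code): check whether a fail2ban ban can
take effect given `iptables -L -n` output, by following jumps from INPUT."""
import re

# Constructed sample mirroring the thread's chains (numeric -n output,
# RFC 5737 documentation addresses instead of the real hosts).
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
f2b-recidive  all  --  0.0.0.0/0         0.0.0.0/0
Chain f2b-blacklist (0 references)
target     prot opt source               destination
DROP       all  --  203.0.113.10         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
Chain f2b-recidive (1 references)
target     prot opt source               destination
REJECT     all  --  198.51.100.7         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

def parse_chains(dump):
    """{chain: [(target, source), ...]} from plain `iptables -L -n` output."""
    chains, current = {}, None
    for line in dump.splitlines():
        m = re.match(r"Chain (\S+)", line)
        parts = line.split()
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and parts and parts[0] != "target":
            chains[current].append((parts[0], parts[3]))
    return chains

def reachable_chains(chains, root="INPUT"):
    """Chains a packet can actually enter starting from `root`."""
    seen, stack = set(), [root]
    while stack:
        c = stack.pop()
        if c in seen or c not in chains:
            continue
        seen.add(c)
        stack.extend(t for t, _ in chains[c] if t in chains)  # jumps only
    return seen

def ban_status(dump, ip):
    """'effective', 'unreachable' or 'absent' for a DROP/REJECT on `ip`."""
    chains = parse_chains(dump)
    for name, rules in chains.items():
        if any(t in ("DROP", "REJECT") and s == ip for t, s in rules):
            return "effective" if name in reachable_chains(chains) else "unreachable"
    return "absent"
```

On a live host, feed it the text of `iptables -L -n` (numeric output, so sources are addresses rather than reverse-DNS names like the ones shown above) together with the banned address.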
I found the problem. My VPS is behind a HA-IP server. Tested on another IP with a custom hosts record to the actual IP, and it worked.