October 14, 2019

fail2ban bans wrong port with iptables

If you have created a custom non-SSH action for fail2ban, and it does get triggered but the offender can still get through, check that you are using the right iptables ban action. iptables-multiport only bans the ports you list next to it in your config; if you list none, it falls back to port 22 (the SSH default). My custom action.d entry was for Nginx (ports 80 and 443), so the ban effectively did nothing. The fix is to use iptables-allports: it blocks the offender on every port, regardless of what you specify, which is usually what you want anyway. You can verify which port was actually banned by running iptables -L and looking at the chain whose name matches your jail name. Source: https://serverfault.com/a/382891
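To make the iptables -L check above scriptable, here is a small POSIX shell helper (an added example, not code from the original post or from fail2ban). It reads `iptables -S` style output and reports which ports the INPUT jump into a jail's chain is restricted to. The rules text below is constructed: one jail wired through iptables-multiport with no port given (so only 22 is matched, the symptom described above) and one wired through iptables-allports; the `f2b-<jail>` chain naming and the 203.0.113.5 offender address are assumptions for the sample.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output (not captured from a real host).
# nginx-http-auth: banaction = iptables-multiport with no port -> matches only 22.
# nginx-botsearch: banaction = iptables-allports -> no --dports restriction.
SAMPLE_RULES='-P INPUT ACCEPT
-N f2b-nginx-http-auth
-N f2b-nginx-botsearch
-A INPUT -p tcp -m multiport --dports 22 -j f2b-nginx-http-auth
-A INPUT -p tcp -j f2b-nginx-botsearch
-A f2b-nginx-http-auth -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-nginx-http-auth -j RETURN
-A f2b-nginx-botsearch -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-nginx-botsearch -j RETURN'

# Print the port list the INPUT jump into a jail chain is limited to,
# "all" when the jump carries no --dports match, or "none" (and return 1)
# when no jump into that chain exists.
# usage: banned_ports <jail-name> <rules-text>
banned_ports() {
    jail="$1"
    rules="$2"
    jump=$(printf '%s\n' "$rules" | grep -- "^-A INPUT .* -j f2b-$jail\$") || true
    if [ -z "$jump" ]; then
        echo "none"
        return 1
    fi
    case "$jump" in
        *--dports*) printf '%s\n' "$jump" | sed 's/.*--dports \([^ ]*\).*/\1/' ;;
        *) echo "all" ;;
    esac
}

# Succeed (exit 0) only when the jail's ban covers every port, i.e. the
# jail is using iptables-allports. Exit 1 for a port-restricted or missing jump.
# usage: check_jail <jail-name> <rules-text>
check_jail() {
    [ "$(banned_ports "$1" "$2")" = "all" ]
}

# Against a live host, after setting "banaction = iptables-allports" in jail.local
# and reloading fail2ban, run:
#   check_jail nginx-http-auth "$(iptables -S)" && echo "all ports banned"
```

With the sample rules, `banned_ports nginx-http-auth` prints `22`, which is exactly the silent misconfiguration the post describes: the chain exists and the offender's address is in it, but traffic to 80 and 443 never reaches that chain.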
