# fail2ban / iptables question [!Solved]

## gr0x0rd

I've been watching bots and script kids hammer my ssh and ftp ports via conky for ages. I finally changed my ssh port to something other than the default, and since then I haven't had a problem with ssh. However, I can't change my default ftp port based on some of the functions it has to serve. So rather than monitor and ban IPs manually, I decided to do some research and found fail2ban: awesome.

After configuring the jail for ssh and pure-ftpd, I decided to take the system through a little test. I ssh'd into a dev server and started a brute force attack on my machine. After 12 attempts, I was still able to reach it. Using nx over a different network connection, I saw that I received an email from fail2ban saying that the IP doing the hammering had been banned after 5 attempts: excellent! However, I was still able to hammer the machine after receiving the message. Finally, I ssh'd in with legit credentials, and was able to log in! It appears I have created an illusion of security, which isn't what I want for Christmas  :Smile: 

Here is the relevant section of my jail.local:

```
[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail[name=SSH, dest=myemail@host.com, sender=fail2ban@myserver]
logpath  = /var/log/messages
maxretry = 5
```

After the ban, here is the relevant section of iptables --list:

```
Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  ipiwasusing.host.com  anywhere
RETURN     all  --  anywhere             anywhere
```

This all looks correct, but I'm still able to brute force from that IP AND log in to the target machine! What am I missing here? I thought it might have to do with me changing the ssh port, but the fact that fail2ban detected the break-in and iptables has "all" listed for the prot (hehe) for that ip instance tells me that can't be it. 

Any security gurus out there with some tips for me? I'd like to get the ssh angle solidified before I start locking down ftp and apache.

Enjoy the holidays.

----------

## Hu

Is that rule actually referenced anywhere? What is the output of `iptables-save -c` when a host has been banned?

----------
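Hu's question is the right first check: a ban only works if packets actually flow through the jail's chain and hit the DROP rule. The following is an added example, not code from the thread and not fail2ban's own code: a small Python audit over `iptables-save -c` output that checks whether the jail chain is referenced from INPUT, whether the jump into it is restricted to a port the daemon no longer listens on (which is what the `port=ssh` action in the first post produces once sshd has been moved off 22), and whether the DROP rule for the banned address has counted any packets. The sample rulesets are constructed to mirror the `iptables --list` output in the thread; the 192.0.2.10 address, the counters and the exact `--dport 22` jump are assumptions.

```python
#!/usr/bin/env python3
"""Audit `iptables-save -c` output for a fail2ban jail that is not biting.

Three checks, matching what went wrong or was asked in the thread:
  1. is the jail's chain referenced from INPUT at all?
  2. does the jump into it match the port the daemon really listens on?
  3. does the DROP rule for the banned address exist, and has it counted packets?
"""
import re
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    pkts: int              # packet counter from the [pkts:bytes] prefix
    chain: str
    src: Optional[str]     # address from -s, without the /mask
    dports: List[int]      # ports from --dport/--dports; empty means any port
    target: str


# One rule line of `iptables-save -c`: [pkts:bytes] -A CHAIN <matches> -j TARGET
RULE_RE = re.compile(r"^\[(\d+):\d+\]\s+-A\s+(\S+)\s*(.*?)\s*-j\s+(\S+)\s*$")
SRC_RE = re.compile(r"-s\s+(\S+?)(?:/\d+)?(?=\s|$)")
DPORT_RE = re.compile(r"--dports?\s+([\d,:]+)")


def parse_rules(save_text: str) -> List[Rule]:
    """Parse rule lines; chain policy lines, *filter and COMMIT are skipped."""
    rules = []
    for line in save_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, chain, matches, target = m.groups()
        src = SRC_RE.search(matches)
        ports: List[int] = []
        dp = DPORT_RE.search(matches)
        if dp:
            for part in dp.group(1).split(","):      # multiport: 22,2222 or 6000:6010
                lo, _, hi = part.partition(":")
                ports.extend(range(int(lo), int(hi or lo) + 1))
        rules.append(Rule(int(pkts), chain, src.group(1) if src else None, ports, target))
    return rules


def audit(save_text: str, jail_chain: str, banned_ip: str, service_port: int) -> List[str]:
    """Return findings as strings; an empty list means the ban should be effective."""
    rules = parse_rules(save_text)
    findings = []

    jumps = [r for r in rules if r.chain == "INPUT" and r.target == jail_chain]
    if not jumps:
        findings.append(f"{jail_chain} is not referenced from INPUT (orphaned chain)")
    for j in jumps:
        if j.dports and service_port not in j.dports:
            findings.append(f"jump into {jail_chain} only matches port(s) {sorted(set(j.dports))}, "
                            f"but the service listens on {service_port}")

    drops = [r for r in rules
             if r.chain == jail_chain and r.target == "DROP" and r.src == banned_ip]
    if not drops:
        findings.append(f"no DROP rule for {banned_ip} in {jail_chain}")
    elif all(r.pkts == 0 for r in drops):
        findings.append(f"DROP rule for {banned_ip} has counted 0 packets: "
                        f"traffic is not reaching it")
    return findings


# Constructed samples modelled on the `iptables --list` output in the thread.
# The 192.0.2.10 address, the counters and the `--dport 22` jump are assumptions.
SAVE_PORT_ACTION = """\
*filter
:INPUT ACCEPT [1042:98311]
:fail2ban-SSH - [0:0]
[37:2220] -A INPUT -p tcp --dport 22 -j fail2ban-SSH
[0:0] -A fail2ban-SSH -s 192.0.2.10/32 -j DROP
[37:2220] -A fail2ban-SSH -j RETURN
COMMIT
"""
# What an allports-style action produces: a jump with no port match at all.
SAVE_ALLPORTS_ACTION = """\
*filter
:INPUT ACCEPT [1042:98311]
:fail2ban-SSH - [0:0]
[52:3120] -A INPUT -j fail2ban-SSH
[15:900] -A fail2ban-SSH -s 192.0.2.10/32 -j DROP
[37:2220] -A fail2ban-SSH -j RETURN
COMMIT
"""
# The "fail2ban-SSH (0 references)" state seen later in the thread: chain, no jump.
SAVE_ORPHANED = SAVE_ALLPORTS_ACTION.replace("[52:3120] -A INPUT -j fail2ban-SSH\n", "")

if __name__ == "__main__":
    for name, text in (("port action", SAVE_PORT_ACTION), ("allports", SAVE_ALLPORTS_ACTION),
                       ("orphaned", SAVE_ORPHANED)):
        print(name, "->", audit(text, "fail2ban-SSH", "192.0.2.10", service_port=2222) or ["ok"])
```

Run it against the real thing with `sudo iptables-save -c > rules.txt` and feed the file to `audit()` with the chain name, the banned address and the port sshd really listens on. A zero packet counter on the DROP rule after a test run is the quickest proof that the ban is decorative.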

## keyson

Hi,

Have you changed the port for ssh?

You have ssh as the port in the config, so it will only stop the original port from being accessed.

Is the dpt right in the fail2ban-SSH chain for the port that you use?

*Quote:*

> fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

If you run ssh on another port, you have to change this.

----------

## gr0x0rd

Hey guys,

Yes, I have changed the port for SSH- but, if someone has been clever enough to sniff out that port, I really don't care about banning them on that port only, I want them blocked on all ports. This

```
[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables-allports[name=SSH, protocol=all]
           sendmail-whois[name=SSH, dest=myemail@host.com, sender=fail2ban@myserver]
logpath  = /var/log/messages
maxretry = 5
#bantime=600
```

did the trick. If I start feeling lucky, I can always uncomment the bantime line.  :Smile: 

What a great tool, thanks for the help!

EDIT 15:45 PST 09-12-25:

Perhaps I jumped the gun here. After a successful test of ssh, I enabled fail2ban for my pure-ftpd server. Here's my jail.local:

```
[pure-ftpd-iptables]

enabled  = true
filter   = pure-ftpd
action   = iptables-allports[name=Pure-FTPD, protocol=all]
           sendmail-whois[name=Pure-FTPD, dest=myemail@host.com, sender=fail2ban@myserver]
logpath  = /var/log/messages
maxretry = 5
```

I relaxed and had a good long restful sleep, despite severe self-induced dehydration and nightmares of being chased by hordes of flat-chested women wearing Calgary Flames jerseys. When I awoke this morning, I found 52 messages from fail2ban! I was disappointed only when I saw that the messages all claimed to have banned the same ip! So, 

$ sudo iptables --list

```
Chain fail2ban-Pure-FTPD (1 references)
target     prot opt source               destination
DROP       all  --  host0521.cammail.net  anywhere
RETURN     all  --  anywhere             anywhere
```

Looks ok... so here's an excerpt of /var/log/messages...

```
Dec 25 16:01:13 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [INFO] New connection from mail.campusmailuk.com
Dec 25 16:01:14 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:01:18 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:01:27 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:01:37 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:01:51 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:01:58 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [ERROR] Too many authentication failures
```

FFS, no wonder I am getting all these emails, the little prick is still at it! After a ping, mail.campusmailuk.com resolves to 80.248.180.173. host0521.cammail.net resolves to 80.248.180.172: maybe that's it... 

$ sudo iptables -I INPUT -s 80.248.180.173 -j DROP

$ sudo iptables --list

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  host0521.cammail.net  anywhere
DROP       all  --  host0520.cammail.net  anywhere
fail2ban-Pure-FTPD  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-Pure-FTPD (1 references)
target     prot opt source               destination
DROP       all  --  host0521.cammail.net  anywhere
RETURN     all  --  anywhere             anywhere

Chain fail2ban-SSH (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
```

That's got to be it.

$ sudo tail -10 /var/log/messages

```
Dec 25 16:08:30 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [INFO] New connection from mail.campusmailuk.com
Dec 25 16:08:31 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:08:36 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:08:43 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:08:52 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:09:07 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:09:22 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [ERROR] Too many authentication failures
```

%$@&#*#(!!!!!! How is this wanker still getting through?

----------

## gr0x0rd

After issuing

```
iptables -A INPUT -s 80.248.180.0/24 -j DROP
```

I am finally rid of this limey. What news of the colonies indeed.

Is this a bug in fail2ban, or some sort of ip masking? Has anyone run into anything like this before?

Finally some peace. Time for some Ho-Ho-Ho.

----------
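The log excerpt above records the client as a name (`mail.campusmailuk.com`), not an address. A jail can only hand iptables an address, so it has to forward-resolve that name, and what came out of that was host0521.cammail.net (80.248.180.172 by gr0x0rd's lookup); dropping that address, and then 80.248.180.173 by hand, did not stop the connections, while dropping the whole /24 did. The following is an added example, not code from the thread and not fail2ban's own code: a minimal jail loop over the posted log lines, with a constructed DNS table standing in for real lookups and an assumed real source address (the thread never identifies it), showing the ban landing on whatever the name resolves to, what a `usedns = no` style policy (the jail option later fail2ban releases offer) does on its own, and what happens once the daemon logs addresses instead of names, which is what pure-ftpd's `-H` / `DontResolve yes` option is for.

```python
#!/usr/bin/env python3
"""A minimal jail over the posted pure-ftpd lines, to show why banning the
logged *name* can miss the address the connections really come from."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, List, Set, Tuple

# Lines copied from the thread's /var/log/messages excerpt.
LOG_LINES = [
    "Dec 25 16:01:13 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [INFO] New connection from mail.campusmailuk.com",
    "Dec 25 16:01:14 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]",
    "Dec 25 16:01:18 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]",
    "Dec 25 16:01:27 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]",
    "Dec 25 16:01:37 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]",
    "Dec 25 16:01:51 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]",
    "Dec 25 16:01:58 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [ERROR] Too many authentication failures",
]

# Assumed stand-ins (the thread never identifies the real source address):
# the logged name forward-resolves to .172 (what the jail banned), while the
# client really connects from another address in the same /24.
FAKE_DNS = {"mail.campusmailuk.com": ["80.248.180.172"]}
ACTUAL_SOURCE = "80.248.180.174"
# Constructed: the same excerpt once pure-ftpd logs addresses instead of names.
LOG_LINES_IP_LOGGED = [l.replace("mail.campusmailuk.com", ACTUAL_SOURCE) for l in LOG_LINES]

# Roughly the shape of fail2ban's pure-ftpd failregex: <HOST> is whatever follows
# '@' in the parenthesised client field, whether that is a name or an address.
FAILREGEX = re.compile(r"pure-ftpd: \([^@)]*@(?P<host>[^)]+)\) \[WARNING\] Authentication failed for user")
TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)")


def failures(lines: List[str]) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, <HOST> token) for every line matching the failregex."""
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            yield datetime.strptime(TS_RE.match(line).group(1), "%b %d %H:%M:%S"), m.group("host")


def is_address(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def ban_decisions(lines, maxretry=5, findtime=600, usedns="yes", resolve=None):
    """Return the set of addresses a jail with these settings would hand to iptables.

    usedns="yes": a <HOST> that is a name is forward-resolved through `resolve`.
    usedns="no":  names are ignored; only literal addresses can ever be banned.
    """
    hits: Dict[str, List[datetime]] = defaultdict(list)
    banned: Set[str] = set()
    for ts, token in failures(lines):
        # keep only failures inside the findtime window, then add this one
        window = [t for t in hits[token] if (ts - t).total_seconds() <= findtime] + [ts]
        hits[token] = window
        if len(window) < maxretry:
            continue
        if is_address(token):
            banned.add(token)
        elif usedns == "yes" and resolve is not None:
            banned.update(resolve(token))   # bans whatever the name resolves to *now*
    return banned


def demo() -> Dict[str, List[str]]:
    lookup = lambda name: FAKE_DNS.get(name, [])
    return {
        "name_logged, usedns=yes": sorted(ban_decisions(LOG_LINES, usedns="yes", resolve=lookup)),
        "name_logged, usedns=no": sorted(ban_decisions(LOG_LINES, usedns="no")),
        "address_logged": sorted(ban_decisions(LOG_LINES_IP_LOGGED, usedns="no")),
    }


if __name__ == "__main__":
    for scenario, addrs in demo().items():
        print(f"{scenario:26} bans {addrs or 'nothing'}; real source blocked: {ACTUAL_SOURCE in addrs}")
```

The three scenarios make the dependency explicit: with names in the log, resolution bans the address the name points at, not the one the packets carry; refusing to resolve names bans nothing at all; only logging the address gives the jail something iptables can actually match. The practical order is therefore to stop the daemon resolving client names first, and only then tighten the jail.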

## d2_racing

About your ssh attack, did you try this trick ?

```
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 10 -j DROP
```

This will ban for 10 minutes the ip that is trying to attack your ssh server.

You can do that with your ftp server too:

```
iptables -A INPUT -p tcp -s 0/0 --destination-port 21 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -s 0/0 --destination-port 21 -m state --state NEW -m recent --update --seconds 600 --hitcount 10 -j DROP
```

----------
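As an added model of what the two `-m recent` rules above do (this is not the page's code and not the kernel's), here is the per-source timestamp table xt_recent keeps, with `--set` and then `--update --seconds 600 --hitcount 10` applied in the posted order. Addresses and timings are constructed. Two things are worth seeing in it: the block is not a fixed ten minutes, it persists for as long as the attacker keeps connecting and expires only once they have stayed quiet for 600 s; and it counts new connections, not failed logins, so a legitimate client that reconnects ten times in ten minutes is dropped too.

```python
#!/usr/bin/env python3
"""Model of the two `-m recent` rules posted above, to see what they really do:

  ... --state NEW -m recent --set
  ... --state NEW -m recent --update --seconds 600 --hitcount 10 -j DROP

Every new connection attempt is first recorded (--set). The second rule then
DROPs it if the source has at least `hitcount` recorded attempts inside the
last `seconds`. Because --set also runs on the attempts being dropped, an
attacker who keeps knocking never leaves the window.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List


class RecentTable:
    """Per-source timestamp list like xt_recent's. max_entries mirrors the module's
    ip_pkt_list_tot (assumed default 20); hitcount must not exceed it, the kernel
    rejects such a rule."""

    def __init__(self, seconds: int = 600, hitcount: int = 10, max_entries: int = 20):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps: Dict[str, Deque[float]] = defaultdict(lambda: deque(maxlen=max_entries))

    def set(self, src: str, now: float) -> None:
        """--set: record this packet's time for src (oldest entry falls off when full)."""
        self.stamps[src].append(now)

    def update(self, src: str, now: float) -> bool:
        """--update --seconds S --hitcount N: match if src has >= N stamps within the
        last S seconds; on a match, as the kernel does, record one more stamp."""
        hits = sum(1 for t in self.stamps[src] if now - t <= self.seconds)
        if hits >= self.hitcount:
            self.stamps[src].append(now)
            return True
        return False


def verdict(table: RecentTable, src: str, now: float) -> str:
    """Apply the two rules in order to one NEW packet. ACCEPT means fall through to
    the rest of INPUT, so the real ACCEPT for the port must come *after* these."""
    table.set(src, now)
    return "DROP" if table.update(src, now) else "ACCEPT"


def simulate(attempt_times: List[float], src: str = "203.0.113.9", **kw) -> List[str]:
    """Verdicts for one source making NEW connections at the given times (seconds)."""
    table = RecentTable(**kw)
    return [verdict(table, src, t) for t in attempt_times]


if __name__ == "__main__":
    # Constructed traffic: a brute-forcer knocking every 30 s for 15 minutes ...
    knocking = simulate([30 * i for i in range(30)])
    print("first drop at attempt", knocking.index("DROP") + 1,
          "; still dropped at 15 min:", knocking[-1])
    # ... then going quiet for 700 s before trying again.
    paused = simulate([30 * i for i in range(10)] + [270 + 700])
    print("after a 700 s pause the next attempt is", paused[-1])
    # A legitimate admin reconnecting a few times is never touched.
    print("three logins in ten minutes:", simulate([0, 200, 400]))
```

Two caveats before pasting the rules in: the destination port has to be the port sshd actually listens on (gr0x0rd moved it off 22, so `--destination-port 22` would guard an empty port), and the two rules must come before any ACCEPT for that port in INPUT, otherwise the ACCEPT matches first and the recent table never sees the packet.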

## gr0x0rd

Thanks! Next time I have an attack that fail2ban fails to... ban, I'll give this a shot! Merry Christmas, my brother.

----------

## d2_racing

You too  :Razz: 

----------

