Score:2

fail2ban does not use DROP blocktype

cn flag

Using Ubuntu 20.04 LTS, I have this in /etc/fail2ban/jail.local:

[DEFAULT]
bantime   = 3600
banaction = iptables
blocktype = drop


[sshd]
enabled   = true
protocol  = tcp
port      = ssh
filter    = sshd
logpath   = /var/log/auth.log
maxretry  = 3

But this is what I see when I list iptables rules:

╰─# iptables -L f2b-sshd -n -v
Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
   13  1356 REJECT     all  --  *      *       222.187.232.205      0.0.0.0/0            reject-with icmp-port-unreachable
   18  1516 REJECT     all  --  *      *       221.181.185.153      0.0.0.0/0            reject-with icmp-port-unreachable
   17  1064 REJECT     all  --  *      *       222.186.180.130      0.0.0.0/0
  777 55854 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

The problem is that it uses REJECT (with ICMP) instead of DROP.

The action.d/iptables.conf contains this:

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

It is the default iptables action file, shipped with the official fail2ban apt package for this OS version.

I also tried adding "blocktype=drop" under [sshd], but it has no effect.

I'm not sure how to debug this, because the fail2ban service does not log the actual iptables commands.

What am I missing?

jp flag
Dom
You should set blocktype to DROP in action.d/iptables-common.conf.
cn flag
There are two problems with that. The first one is that it is a global configuration; then I won't be able to set different blocktypes for different filters. The second problem is that iptables-common.conf is part of the fail2ban package. If I change that, and later a new version of fail2ban comes out, it will be overwritten and I won't even notice. Or maybe it won't be overwritten, and that might break the iptables action altogether.
jp flag
Dom
You can then use: action = iptables-multiport[blocktype="DROP", port="22,2222", name=sshd], set in your [sshd] section
Score:1
il flag

To supply a parameter to the action of a single jail, you must set action with all parameters (also those normally supplied in the default section of jail.conf), or, in the case of the banning action, you could use something like this:

[some_jail]
banaction = %(known/banaction)s[blocktype=DROP]

As regards the DROP vs. REJECT theme, the discussion is as old as the netfilter subsystem itself, with many pros and cons on both sides.
Related to banning concerns, see https://github.com/fail2ban/fail2ban/issues/2217#issuecomment-423248516 for details.

cn flag
Yes, I agree with DROP vs REJECT. I have some filters that are used for DNS amplification attacks. For those, DROP is better (because the requests have spoofed source addresses, so sending back ICMP reject actually helps the attacker...)
Score:0
cn flag

I have accepted the solution of @sebres, but I would like to add some gotchas.

For the iptables-allports banaction, the reject blocktype can have spaces inside. You need to quote it.

Example:

[sshd]
banaction=iptables-allports[blocktype="REJECT --reject-with icmp-port-unreachable"]

Second interesting thing: both the banaction and the jail config have a parameter called "protocol". I was confused at first when the configuration below was not throwing any errors but did not block UDP requests:

[named-ddos]
banaction=iptables-allports[blocktype=DROP,protocol=all]

That happened because I was missing the protocol=all setting from the jail. You need to specify protocol=all at the jail level:

[named-ddos]
banaction=iptables-allports[blocktype=DROP,protocol=all]
protocol=all

The reason for this is that the named-ddos section creates a new chain in iptables, and the banned IPs create rules inside that chain. If you don't specify protocol=all at the jail level, then the chain will be defined like this:

Chain INPUT (policy DROP 22 packets, 952 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1371  229K named-ddos  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           

It is true that the banaction will create rules with proto=all inside the chain, but the chain itself won't be used for non-TCP packets. The conclusion is that you need to specify protocol=all both at the jail level and in the banaction (if it supports it); otherwise it won't work.
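An added check, not part of the question or of any answer above and not fail2ban's own tooling: a Python script that reads `iptables-save` output and reports, per jail, whether the per-IP ban rules in its f2b- chain use the intended target and whether the INPUT rule jumping into that chain matches the intended protocol. It covers both the original problem (REJECT where DROP was configured, from the accepted answer's `banaction[blocktype=DROP]` discussion) and the protocol=all gotcha from the last answer. The sample `iptables-save` text is constructed, the chain prefix assumes fail2ban's default f2b-<jail> naming, and the EXPECTED table is a hypothetical mapping an operator would fill in from their own jails.

```python
"""Audit fail2ban chains from `iptables-save` output.

Added example; not taken from the thread or from fail2ban. Checks:
  1. which target (DROP vs REJECT) the per-IP ban rules in each f2b-* chain use
  2. which protocol the INPUT hook into that chain matches, since a jail
     without `protocol=all` gets a tcp-only hook even when the ban rules
     inside the chain have no protocol match at all.
"""
import shlex

# Constructed sample of `iptables-save -t filter` output (not captured from
# a real host). Chain names assume fail2ban's default f2b-<jail> prefix.
SAMPLE_SAVE = """\
*filter
:INPUT DROP [22:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
:f2b-named-ddos - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -j f2b-named-ddos
-A f2b-sshd -s 222.187.232.205/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 221.181.185.153/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A f2b-named-ddos -s 192.0.2.10/32 -j DROP
-A f2b-named-ddos -j RETURN
COMMIT
"""


def parse_rules(save_text):
    """Yield (chain, argv) for every `-A <chain> ...` line."""
    for line in save_text.splitlines():
        if not line.startswith("-A "):
            continue
        argv = shlex.split(line)
        yield argv[1], argv[2:]


def _opt(argv, flag, default=None):
    """Return the value that follows `flag` in argv, or default if absent."""
    if flag in argv:
        i = argv.index(flag)
        if i + 1 < len(argv):
            return argv[i + 1]
    return default


def audit(save_text, expected):
    """Compare live rules against {jail: (wanted_blocktype, wanted_protocol)}.

    Returns {jail: [finding, ...]}; an empty list means the jail looks right.
    """
    hooks = {}    # chain -> protocol matched by the INPUT rule jumping to it
    targets = {}  # chain -> set of targets used by per-IP (-s) ban rules
    for chain, argv in parse_rules(save_text):
        target = _opt(argv, "-j")
        if chain == "INPUT" and target and target.startswith("f2b-"):
            hooks[target] = _opt(argv, "-p", "all")   # no -p means all protocols
        elif chain.startswith("f2b-") and "-s" in argv and target:
            targets.setdefault(chain, set()).add(target)

    report = {}
    for jail, (want_block, want_proto) in expected.items():
        chain = "f2b-" + jail
        findings = []
        if chain not in hooks:
            findings.append("no INPUT rule jumps to %s" % chain)
        elif hooks[chain] != want_proto:
            findings.append("INPUT hook matches -p %s, jail wants %s"
                            % (hooks[chain], want_proto))
        for t in sorted(targets.get(chain, ())):
            if t != want_block:
                findings.append("ban rules use %s, jail wants %s" % (t, want_block))
        report[jail] = findings
    return report


# Hypothetical operator intent: sshd should DROP on tcp, the DNS jail
# should DROP on every protocol (udp and tcp).
EXPECTED = {
    "sshd": ("DROP", "tcp"),
    "named-ddos": ("DROP", "all"),
}

if __name__ == "__main__":
    for jail, findings in audit(SAMPLE_SAVE, EXPECTED).items():
        print(jail, "OK" if not findings else "; ".join(findings))
```

On a live host, feed the output of `iptables-save -t filter` into `audit()` in place of SAMPLE_SAVE. With the constructed sample, sshd is flagged because its ban rules REJECT instead of DROP, and named-ddos is flagged because its chain is only reached for tcp, which is exactly the symptom the last answer describes.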
