Score:0

Fail2Ban vulnerability after reboot

br flag

I am very happy with fail2ban for protecting my server except for one issue. After a reboot, each banned IP address is added to iptables one at a time. On one server, I have about 7500 permanently banned IP addresses and that takes a couple of minutes to load. There is a small window of time for those banned IP addresses to get in after each reboot.

How do other people handle this very small vulnerability?

Thanks

Doug Smythies
gn flag
I would move the 7500 permanently banned IP addresses to an ipset list, which is designed for large lists. You can also update the list after the new banned IPs get to a size that you want to offload again. Even so, there will still be a slight gap after reboot. Via ipset I block 5 countries for a total of 21428 IP subnets, and on my last boot there were 15 INPUT and 42 OUTPUT packets before the iptables rule set finished loading.
br flag
Thanks! I like this article a lot: https://www.linuxjournal.com/content/advanced-firewall-configurations-ipset In particular, I like the idea shown of banning all IPs that try port 25. Very cool. But I would like to eliminate this window of vulnerability if possible, not just reduce its size. Also, at one point I recorded about 1/2 of my attacks coming from the same hosting service that my site is on. I decided that blocking by country was not worth the effort.
br flag
Also, https://github.com/ritsu/ipset-fail2ban looks very useful. But still only reducing the size of the window of vulnerability.
Doug Smythies
gn flag
I use a script to load my rather complicated iptables rule set, including my ipsets, after boot. I suppose one could set as the first INPUT chain rule a global DROP, and remove that rule after everything else has been loaded.
br flag
This article seems to have what I want. https://dhtar.com/make-ipset-and-iptables-configurations-persistent-in-debianubuntu.html I don't understand why that is not the default.
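The two ideas the thread converges on, a persistent ipset list for the large ban set and a bare DROP at the head of INPUT until everything else has loaded, as one added example script. This is not code from the thread, from fail2ban or from the linked articles; the set name f2b-permanent, the file paths under /etc/iptables and SSH on port 22 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an `ipset restore` file
# from a plain ban list and loads it behind a temporary "drop everything"
# gate so no packet is accepted while the rule set is still being installed.
# The names and paths below (F2B_SET, IPSET_FILE, RULES_FILE) are assumptions.
set -eu

F2B_SET="${F2B_SET:-f2b-permanent}"
IPSET_FILE="${IPSET_FILE:-/etc/iptables/ipsets.conf}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# Input: IPv4 addresses or CIDRs separated by whitespace or newlines (the
# shape of `fail2ban-client get <jail> banip` output, or a hand-kept list).
# Comments, blank lines, duplicates and anything that is not IPv4 are dropped.
# hash:net takes both single hosts and subnets; -exist makes re-loading the
# same file idempotent, so the list can be regenerated whenever it grows.
build_ipset_restore() {
    list="$1"
    printf 'create %s hash:net family inet hashsize 16384 maxelem 131072 -exist\n' "$F2B_SET"
    tr -s ' \t' '\n\n' < "$list" |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' |
        sort -u |
        while read -r net; do
            printf 'add %s %s -exist\n' "$F2B_SET" "$net"
        done
}

# A minimal iptables-restore file in which the ban set is consulted before
# anything else, including the loopback and conntrack shortcuts. Only SSH is
# opened here (assumed port 22); add further services after that line.
build_rules_template() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m set --match-set $F2B_SET src -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Boot-time loader (needs root). The order is the whole point:
#   1. a bare DROP at the head of INPUT closes the window immediately;
#   2. the set must exist before any rule that references it is loaded;
#   3. --noflush appends the saved rules behind the gate instead of
#      flushing it away together with everything else;
#   4. only then is the gate removed, and the set match becomes rule 1.
apply_firewall() {
    iptables -I INPUT 1 -j DROP
    ipset restore -exist < "$IPSET_FILE"
    iptables-restore --noflush < "$RULES_FILE"
    iptables -D INPUT -j DROP
}

# `sh this-script.sh --apply` from a oneshot unit does the load; running it
# without the flag only defines the functions above.
case "${1:-}" in
    --apply) apply_firewall ;;
esac
```

To regenerate the set file, run `build_ipset_restore banlist.txt > /etc/iptables/ipsets.conf` and `build_rules_template > /etc/iptables/rules.v4` once, then call the loader from a systemd oneshot unit ordered with `Before=network-pre.target` and `Wants=network-pre.target`, which is how netfilter-persistent on Debian and Ubuntu orders itself. With that ordering the interfaces are not up yet while the rules load, so the window is closed rather than shrunk; the explicit DROP gate additionally covers loaders that start after the network is up, such as an rc.local script.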