Debian – Fail2ban block with IPtables doesn’t work on Debian Lenny. [moved ssh port]

Tags: debian, firewall, iptables, security

I've recently decided to do some security maintenance. I saw my logs, and there were some tries against my SSH server. At first, I moved away the SSH port from the default 22. After it, I read something about Fail2ban, BlockHosts and DenyHosts.

I took a look at the first: it is simple to configure, everything is understandable; but when I tried to "probe its protection", the tests failed. Everything seems to be good, but I can still access the server.

I also tested IPtables: # iptables -I INPUT -j DROP – after that my SSH connection was lost (so, what I wanted). Then # iptables -I INPUT -s 84.x.y.z -j DROP, which worked too.

But here are the rules Fail2ban created, which don't work: ($ sudo iptables -L)

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
fail2ban-apache  tcp  --  anywhere             anywhere            multiport dports www,https
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh
fail2ban-ssh-ddos  tcp  --  anywhere             anywhere            multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain fail2ban-apache (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination        
DROP       all  --  84.x.y.z           anywhere            
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh-ddos (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere

Kernel modules loaded: ($ lsmod | grep ip)

iptable_nat             4680  0
nf_nat                 15576  1 iptable_nat
nf_conntrack_ipv4      12268  3 iptable_nat,nf_nat
nf_conntrack           55540  4 xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
xt_multiport            2816  2
iptable_filter          2624  1
ip_tables              10160  2 iptable_nat,iptable_filter
x_tables               13284  5 xt_state,xt_tcpudp,iptable_nat,xt_multiport,ip_tables
ipv6                  235396  24

Versions:

  • Debian Lenny 5.06, kernel 2.6.26-2-686
  • IPtables 1.4.2-6
  • Fail2ban 0.8.3-2sid1
  • openssh-server 1:5.1p1-5

Test #1 step by step:

  1. Configure Fail2ban with a low bantime (60 secs). Then reload.
  2. Attempt to log in (with SSH), directly with a wrong passwd.
  3. On the 6th try enter the correct passwd (max tries is only 4 here). I logged in. I can also access the web page hosted by that server.
  4. iptables -L showed me what is mentioned above. So the ban was active when I connected to and commanded my server.

Test #2 step by step:

  1. Stop Fail2ban. Create an at script to remove the ban rule written below later (iptables -D INPUT 1).
  2. Create a ban rule: iptables -I INPUT 1 -s 84.x.y.z -j DROP
  3. I couldn't type in anything else; the SSH connection is unusable. I couldn't access the web page. So, what I wanted from iptables.
  4. After the at script runs, I can access my server.

I don't see the solution; what should I do to make my IPtables ban (made by Fail2ban) work?

Best Answer

I found the problem: something I did before installing fail2ban. Sorry for your time.

For security reasons, I moved my sshd away from port 22 to another port. The reference in iptables refers to port 22 only. I thought that it was a variable which always refers to the current sshd port. But it is NOT.

The exact solution (if you moved away your daemon from its original port):

  1. Open jail.local (or .conf).
  2. Find your service (in braces).
  3. Fix the port section to all. Example: port = all
  4. Add or edit an existing banaction line after the port line, with value iptables-allports. Example: banaction = iptables-allports.
  5. Restart the daemon. Example: # service fail2ban restart.

I couldn't find a solution to change the port = ssh directive, or to write a number there. If you have a non-all-ports solution, I'll listen to it!
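The root cause in the answer is a mismatch between the port sshd listens on and the port the [ssh] jail hands to its iptables action. The script below, added as an example (not from the original post or from the fail2ban project), reads the "Port" line of an sshd_config and the "port =" line of a jail section and reports whether the jail's port list covers the daemon's port, treating "port = all" (the answer's fix) as covering everything. It runs on constructed sample files in a temp directory; pointing sshd_port and jail_port at /etc/ssh/sshd_config and /etc/fail2ban/jail.local (the usual Debian locations) is the intended use on a real box. All function names are this example's own.

```shell
#!/bin/sh
# Added example: detect an sshd port / fail2ban jail port mismatch. Not fail2ban's code.

# sshd_port FILE -> the Port value from an sshd_config (sshd defaults to 22 when unset)
sshd_port() {
    port=$(awk '$1 == "Port" { print $2; exit }' "$1")
    echo "${port:-22}"
}

# jail_port FILE JAIL -> the "port =" value inside the [JAIL] section of a jail.local/jail.conf
jail_port() {
    awk -v jail="$2" '
        /^\[/ { in_jail = ($0 == ("[" jail "]")) }          # section header toggles scope
        in_jail && /^[[:space:]]*port[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit    # strip "port =" and print value
        }
    ' "$1"
}

# ban_covers SSHD_PORT JAIL_PORT -> exit 0 if the jail port list includes the sshd port.
# JAIL_PORT is what iptables-multiport gets as "dports": "all", a number, a service
# name, or a comma-separated list of those.
ban_covers() {
    [ "$2" = "all" ] && return 0
    for p in $(echo "$2" | tr ',' ' '); do
        [ "$p" = "$1" ] && return 0
        # resolve a service name (e.g. "ssh") through /etc/services when it is available
        if [ -r /etc/services ]; then
            n=$(awk -v s="$p" '$1 == s && $2 ~ /\/tcp$/ { split($2, a, "/"); print a[1]; exit }' /etc/services)
            [ "$n" = "$1" ] && return 0
        fi
    done
    return 1
}

# Demo on constructed files reproducing the situation in the question.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/sshd_config" <<'EOF'
# constructed sample: sshd moved off port 22
Port 2222
PermitRootLogin no
EOF
    cat > "$tmp/jail.local" <<'EOF'
# constructed sample: the jail still filters on the "ssh" service name (port 22)
[DEFAULT]
bantime = 60

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
EOF
    s=$(sshd_port "$tmp/sshd_config")
    j=$(jail_port "$tmp/jail.local" ssh)
    if ban_covers "$s" "$j"; then
        echo "OK: jail [ssh] port '$j' covers sshd port $s"
    else
        echo "MISMATCH: sshd listens on $s but jail [ssh] bans only '$j'"
        echo "  fix: set port = $s, or port = all with banaction = iptables-allports, then restart fail2ban"
    fi
    rm -rf "$tmp"
}

demo
```

On the sample files this reports a MISMATCH, since "ssh" resolves to 22 and sshd listens on 2222; after applying either fix from the answer (port = 2222, or port = all) the same check passes. The /etc/services lookup is best-effort: without that file a bare service name is simply not matched, which still flags the mismatch.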
