Hi Harrison,

Here is the output for "iptables -L". FWIW, Centos 7 uses firewalld.

Thanks,
Ted

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  anywhere             anywhere

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  anywhere             anywhere            [goto]
FWDI_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  anywhere             anywhere            [goto]
FWDO_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_public (2 references)
target     prot opt source               destination
FWDI_public_log  all  --  anywhere             anywhere
FWDI_public_deny  all  --  anywhere             anywhere
FWDI_public_allow  all  --  anywhere             anywhere

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_public (2 references)
target     prot opt source               destination
FWDO_public_log  all  --  anywhere             anywhere
FWDO_public_deny  all  --  anywhere             anywhere
FWDO_public_allow  all  --  anywhere             anywhere

Chain FWDO_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             multiport dports ssh match-set fail2ban-default src reject-with icmp-port-unreachable

Chain IN_public (2 references)
target     prot opt source               destination
IN_public_log  all  --  anywhere             anywhere
IN_public_deny  all  --  anywhere             anywhere
IN_public_allow  all  --  anywhere             anywhere

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination

> Ted,
> You might have a look at your iptables filter table to see if you are
> jumping to the chain correctly. Fail2ban does a pretty good job of
> putting the rules in the filter, but you still might have a rule like a
> default accept that is allowing the connection before the jail
> drops/rejects it.
>
> On 06/14/2015 01:33 PM, Arch Architecht wrote:
>
> I would check on iptables' order as Harrison said.
> I did mess around
> with my bantimes since some hosts have some sort of "intelligent"
> scanner which tries a few hrs after they are banned or they come back a
> few days later. My personal bantime is 1234564890 which is long enough
> for me :D
>
> In any case, post an output of your iptables -L or your saved iptables
> from /etc/sysconfig. I use centos 6 so your file may be elsewhere.
>
> Regards,
> Arch
>
> On Jun 14, 2015 7:26 PM, "Ted To" <[email protected]> wrote:
>
> Hi Arch,
>
> I null routed that IP address and within a few seconds, another IP
> address started hitting me. I null routed that IP and it seems to
> have stopped for the moment. With the exception of specifying a
> destemail address in jail.local, my configuration is the default
> Centos 7 epel config with the addition of the jail.d/sshd.local file
> I posted.
>
> Why would changing the bantime and findtime affect this behavior?
> (Just trying to understand.)
>
> Thanks,
> Ted
>
> On 2015-06-14 12:02 pm, Arch Architecht wrote:
>
> I would null route the ip and check my configs again. You may need to
> change your bantime and findtime.
>
> Regards,
>
> Arch
>
> On Jun 14, 2015 5:56 PM, "Ted To" <[email protected]> wrote:
>
> Hi,
>
> I have a Centos 7 installation where an IP address that has been banned
> appears to be able to continue to attempt ssh connections. My
> sshd.local is:
>
> [sshd]
> enabled = true
> bantime = 86400
> findtime = 3600
> maxretry = 3
> protocol = all
>
> Despite this, I am currently being continuously hit by 43.255.188.169
> (log snippets follow).
>
> Any ideas what I have done wrong?
>
> Thanks,
> Ted
>
> 2015-06-14 11:33:46,545 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> 2015-06-14 11:33:48,350 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> 2015-06-14 11:33:50,421 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> 2015-06-14 11:33:51,086 fail2ban.actions [28524]: NOTICE [sshd] 43.255.188.169 already banned
> 2015-06-14 11:33:53,104 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> 2015-06-14 11:33:53,734 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> 2015-06-14 11:33:55,499 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> 2015-06-14 11:33:56,092 fail2ban.actions [28524]: NOTICE [sshd] 43.255.188.169 already banned
> 2015-06-14 11:33:57,530 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> 2015-06-14 11:34:00,508 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> 2015-06-14 11:34:01,130 fail2ban.filter [28524]: INFO [sshd] Found 43.255.188.169
> 2015-06-14 11:34:02,100 fail2ban.actions [28524]: NOTICE [sshd] 43.255.188.169 already banned
>
> and
>
> Jun 14 11:36:25 kahlo sshd[28890]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
> Jun 14 11:36:27 kahlo sshd[28890]: Failed password for invalid user root from 43.255.188.169 port 52618 ssh2
> Jun 14 11:36:29 kahlo sshd[28890]: Failed password for invalid user root from 43.255.188.169 port 52618 ssh2
> Jun 14 11:36:31 kahlo sshd[28890]: Failed password for invalid user root from 43.255.188.169 port 52618 ssh2
> Jun 14 11:36:31 kahlo sshd[28890]: Received disconnect from 43.255.188.169: 11: [preauth]
> Jun 14 11:36:31 kahlo sshd[28890]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
> Jun 14 11:36:32 kahlo sshd[28892]: User root from 43.255.188.169 not allowed because not listed in AllowUsers
> Jun 14 11:36:32 kahlo sshd[28892]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
> Jun 14 11:36:34 kahlo sshd[28892]: Failed password for invalid user root from 43.255.188.169 port 38784 ssh2
> Jun 14 11:36:36 kahlo sshd[28892]: Failed password for invalid user root from 43.255.188.169 port 38784 ssh2
> Jun 14 11:36:37 kahlo sshd[28892]: Failed password for invalid user root from 43.255.188.169 port 38784 ssh2
> Jun 14 11:36:37 kahlo sshd[28892]: Received disconnect from 43.255.188.169: 11: [preauth]
> Jun 14 11:36:37 kahlo sshd[28892]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
> Jun 14 11:36:38 kahlo sshd[28894]: User root from 43.255.188.169 not allowed because not listed in AllowUsers
> Jun 14 11:36:38 kahlo sshd[28894]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root
> Jun 14 11:36:40 kahlo sshd[28894]: Failed password for invalid user root from 43.255.188.169 port 53258 ssh2
> Jun 14 11:36:42 kahlo sshd[28894]: Failed password for invalid user root from 43.255.188.169 port 53258 ssh2
> Jun 14 11:36:44 kahlo sshd[28894]: Failed password for invalid user root from 43.255.188.169 port 53258 ssh2
> Jun 14 11:36:44 kahlo sshd[28894]: Received disconnect from 43.255.188.169: 11: [preauth]
> Jun 14 11:36:44 kahlo sshd[28894]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169 user=root

------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
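Harrison's point, that a rule earlier in the chain can accept the connection before the jail's REJECT is reached, is a question of traversal order, and the dump above is long enough that the order is hard to see by eye. The script below is an added example, not code from this thread, from fail2ban or from firewalld. It walks an `iptables -S`-style ruleset the way the kernel does (jumps, gotos, fall-through to the built-in policy) and reports the first terminal rule a given packet would hit. The ruleset is constructed to mirror the INPUT path of the `iptables -L` dump above; the interface names (`eth0`, and `-i lo` for the unconditional ACCEPT that `iptables -L` prints without an interface), the server address 198.51.100.10 and the contents of the `fail2ban-default` ipset are all assumptions, and only the match types that appear in that dump are modelled.

```python
"""Trace a packet through a firewalld/fail2ban iptables ruleset.

Added example: parses `iptables -S` style rules (constructed below to mirror
the INPUT path of the thread's `iptables -L` dump) and walks them the way
the kernel would, so you can see which rule a banned host's SYN lands on.
"""
import shlex

# Constructed sample ruleset: INPUT path of the dump above. Interface names,
# and the assumption that the bare ACCEPT is firewalld's `-i lo` rule, are ours.
RULES_S = """
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_direct -p tcp -m multiport --dports 22 -m set --match-set fail2ban-default src -j REJECT --reject-with icmp-port-unreachable
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
ONE_ARG = {"-p": "proto", "-i": "iface"}  # simple one-argument matches


def parse_rules(text):
    """Return (policies, chains): chain name -> ordered list of rule dicts."""
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if argv[0] == "-P":                      # built-in chain policy
            policies[argv[1]] = argv[2]
            chains.setdefault(argv[1], [])
            continue
        rule = {"raw": line, "target": None, "goto": False}
        i = 2
        while i < len(argv):
            opt, arg = argv[i], argv[i + 1]
            if opt in ("-j", "-g"):
                rule["target"], rule["goto"] = arg, opt == "-g"
            elif opt in ONE_ARG:
                rule[ONE_ARG[opt]] = arg
            elif opt in ("--dport", "--dports"):
                rule["dports"] = {int(p) for p in arg.split(",")}
            elif opt == "--ctstate":
                rule["ctstate"] = set(arg.split(","))
            elif opt == "--match-set":           # takes two args: set, direction
                rule["set"] = (arg, argv[i + 2])
                i += 1
            # anything else (-m <module>, --reject-with <type>) takes one
            # argument and carries no match semantics we need to model
            i += 2
        chains.setdefault(argv[1], []).append(rule)
    return policies, chains


def matches(rule, pkt, ipsets):
    """True if every match in the rule accepts the packet."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "dports" in rule and pkt.get("dport") not in rule["dports"]:
        return False
    if "ctstate" in rule and pkt["ctstate"] not in rule["ctstate"]:
        return False
    if "set" in rule:
        name, direction = rule["set"]
        addr = pkt["src"] if direction == "src" else pkt["dst"]
        if addr not in ipsets.get(name, set()):
            return False
    return True


def walk(chain, pkt, policies, chains, ipsets, trace):
    """Evaluate one chain; return a terminal verdict or None (fell through)."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt, ipsets):
            continue
        trace.append(rule["raw"])
        if rule["target"] in TERMINAL:
            return rule["target"]
        verdict = walk(rule["target"], pkt, policies, chains, ipsets, trace)
        # -g (goto): if the target falls through, control returns to OUR
        # caller, so this chain is abandoned. -j (jump): keep scanning here.
        if verdict is not None or rule["goto"]:
            return verdict
    return policies.get(chain)  # built-in policy; None for a user chain


def verdict_for(pkt, rules_text=RULES_S, ipsets=None):
    """Return (verdict, list of matched rules) for a packet entering INPUT."""
    policies, chains = parse_rules(rules_text)
    trace = []
    return walk("INPUT", pkt, policies, chains, ipsets or {}, trace), trace


def ssh_packet(src, ctstate="NEW", iface="eth0"):
    """Constructed packet: a TCP segment to sshd from `src` (dst is assumed)."""
    return {"proto": "tcp", "iface": iface, "src": src, "dst": "198.51.100.10",
            "dport": 22, "ctstate": ctstate}


if __name__ == "__main__":
    host = "43.255.188.169"
    banned = {"fail2ban-default": {host}}
    cases = [
        ("new SYN, host present in fail2ban-default", ssh_packet(host), banned),
        ("new SYN, set empty (hypothetical: ban not in kernel)", ssh_packet(host), {}),
        ("segment of a session opened before the ban", ssh_packet(host, "ESTABLISHED"), banned),
    ]
    for label, pkt, sets in cases:
        verdict, trace = verdict_for(pkt, ipsets=sets)
        print(f"{label}: {verdict}")
        for raw in trace:
            print("    ", raw)
```

With the dump's ordering the walk shows why the REJECT in `INPUT_direct` wins for a new connection: `INPUT` jumps to `INPUT_direct` before it reaches `INPUT_ZONES`, so the fail2ban rule is evaluated before firewalld's `IN_public_allow` ACCEPT for `dpt:ssh`. The two other constructed cases show what an accepted packet from a banned host would have to look like under these rules: either the address is not actually in the ipset the REJECT rule matches on, or the segment belongs to a connection that was already ESTABLISHED when the ban was added, which the first rule in `INPUT` accepts by design. On the real host the equivalents of the constructed inputs are `iptables -S INPUT_direct` and `ipset list fail2ban-default`.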
