Ted,
I personally don't like firewalld; I think it just adds layers of
complexity to the issue, but this is just my opinion. It does have
advantages with inter-process communications and really comes into its
own when you are running a machine with multiple interfaces. This is the
classic 6 of one / half a dozen of the other.
    Each of your INPUT & FORWARD chains is set to accept a connection
by default; this is not a big deal because the last rule in each chain
will reject anything that does not match a preceding rule. The first
rule in both of the chains accepts any inbound packet that has a related
or established connection. But the second rule in each of these chains
is, I think, your problem: "ACCEPT     all  --  anywhere
anywhere". In the INPUT chain this rule says 'accept all protocols from
any source to any destination from your outside network' and in the
FORWARD chain it says 'send any packet to any other network interface
you have'. But the firewalld daemon may do some preprocessing that I
don't know about that prevents this action. According to these rules,
a packet will never be rejected in the INPUT or FORWARD chain because every
packet will match rule 2 and be accepted. A packet that does reach the
third rule "INPUT_direct  all  --  anywhere             anywhere" will
jump to the INPUT_direct chain, and the only rule in that chain does
reject a tcp packet from any source to any destination on port 22. I
just can't tell you what firewalld does to make this happen. But I can
tell you the answer should be in the log file, which should be here:
"/var/log/firewalld". You might try this command "firewall-cmd --state"
to make sure that firewalld is running and "firewall-cmd
--list-all-zones" to see what services, ports and interfaces are
associated with the defined zones. And I remember reading something
about multiport on the fail2ban wiki; let me see if I can find that.
Hope this helps some.

Harry.
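
[Editor's note: the chain-traversal argument above can be checked by tracing a packet through a model of the posted INPUT chain. The following is an added example, not code from this thread or from fail2ban/firewalld. It assumes two things that are not in the listing: that `iptables -L` omits the interface column, so the unconditional-looking rule 2 is modelled both as printed (no interface match) and as `iptables -L -v -n` would show it if it were limited to the loopback interface; and that the fail2ban-default ipset contains the banned address from the post. The port numbers for submission, smtp, ssh and imaps and the non-banned source address are constructed sample data.]

```python
"""Simplified model of iptables INPUT-chain traversal, following the chain
layout posted in the thread.  Added example, not code from the thread or
from fail2ban/firewalld.  Assumed: rule 2 of INPUT may carry an interface
match that `iptables -L` does not print; ipset contents are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]
    in_iface: str
    ctstate: str          # "NEW", "ESTABLISHED" or "RELATED"


@dataclass
class Rule:
    target: str                      # ACCEPT/REJECT/DROP/RETURN or a chain name
    proto: str = "all"
    in_iface: Optional[str] = None   # -i match; None means any interface
    dports: Tuple[int, ...] = ()     # dpt/multiport match; empty means any
    ctstates: Tuple[str, ...] = ()   # ctstate match; empty means any
    src_set: Optional[str] = None    # match-set <name> src
    goto: bool = False               # [goto] instead of a jump

    def matches(self, pkt: Packet, ipsets: Dict[str, Set[str]]) -> bool:
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.in_iface is not None and self.in_iface != pkt.in_iface:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.ctstates and pkt.ctstate not in self.ctstates:
            return False
        if self.src_set is not None and pkt.src not in ipsets.get(self.src_set, set()):
            return False
        return True


TERMINAL = {"ACCEPT", "REJECT", "DROP"}


def trace(chain: str, chains, ipsets, pkt: Packet, path: List[str]) -> Optional[str]:
    """Walk one chain in order; return the verdict, or None when the packet
    falls off the end (control then returns to the calling chain, or, after
    a [goto], to the caller's caller).  Every matched rule is appended to path."""
    for idx, rule in enumerate(chains[chain], start=1):
        if not rule.matches(pkt, ipsets):
            continue
        path.append(f"{chain}#{idx}->{rule.target}")
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = trace(rule.target, chains, ipsets, pkt, path)
        if verdict is not None or rule.goto:
            return verdict
    return None


def input_verdict(chains, ipsets, pkt: Packet, policy: str = "ACCEPT"):
    """Verdict for a packet entering INPUT (chain policy applies if nothing matches)."""
    path: List[str] = []
    verdict = trace("INPUT", chains, ipsets, pkt, path)
    return (verdict or policy), path


def build_chains(rule2_iface: Optional[str]):
    """Mirror the posted INPUT chain; rule2_iface is the interface match that
    `iptables -L` would not print (None = no interface match at all)."""
    return {
        "INPUT": [
            Rule("ACCEPT", ctstates=("RELATED", "ESTABLISHED")),
            Rule("ACCEPT", in_iface=rule2_iface),
            Rule("INPUT_direct"),
            Rule("INPUT_ZONES_SOURCE"),
            Rule("INPUT_ZONES"),
            Rule("ACCEPT", proto="icmp"),
            Rule("REJECT"),
        ],
        # fail2ban's rule from the post: reject tcp/22 when the source is in the ipset
        "INPUT_direct": [Rule("REJECT", proto="tcp", dports=(22,), src_set="fail2ban-default")],
        "INPUT_ZONES_SOURCE": [],
        "INPUT_ZONES": [Rule("IN_public", goto=True), Rule("IN_public", goto=True)],
        "IN_public": [Rule("IN_public_log"), Rule("IN_public_deny"), Rule("IN_public_allow")],
        "IN_public_log": [],
        "IN_public_deny": [],
        # submission, smtp, ssh, imaps, NEW only, as in the post
        "IN_public_allow": [Rule("ACCEPT", proto="tcp", dports=(587, 25, 22, 993), ctstates=("NEW",))],
    }


# Constructed sample data: the banned address from the post, plus an unrelated client.
IPSETS = {"fail2ban-default": {"43.255.188.169"}}
BANNED_SSH = Packet("43.255.188.169", "tcp", 22, "eth0", "NEW")
OTHER_SSH = Packet("203.0.113.7", "tcp", 22, "eth0", "NEW")
OTHER_HTTP = Packet("203.0.113.7", "tcp", 80, "eth0", "NEW")

if __name__ == "__main__":
    for label, iface in (("rule 2 as printed by iptables -L", None), ("rule 2 limited to lo", "lo")):
        chains = build_chains(iface)
        for pkt in (BANNED_SSH, OTHER_SSH, OTHER_HTTP):
            verdict, path = input_verdict(chains, IPSETS, pkt)
            print(f"[{label}] {pkt.src}:{pkt.dport} -> {verdict}  via {' / '.join(path)}")
```

Run as-is, the first variant shows the banned address accepted at INPUT rule 2 and INPUT_direct never consulted, which is the ordering problem the message describes; the second variant shows the same packet reaching INPUT_direct and being rejected. On the real box the two things to check are `iptables -L -v -n` (to see whether rule 2 carries an `-i` match that the plain listing hides) and `ipset list fail2ban-default` (to confirm the address is actually in the set the REJECT rule keys on).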

On Mon, 2015-06-15 at 16:40 -0400, Ted To wrote:

> Hi Harrison,
> 
> Here is the output for "iptables -L".  FWIW, Centos 7 uses firewalld.
> 
> Thanks,
> Ted
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             ctstate
> RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> INPUT_direct  all  --  anywhere             anywhere
> INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
> INPUT_ZONES  all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere
> REJECT     all  --  anywhere             anywhere
> reject-with icmp-host-prohibited
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             ctstate
> RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> FORWARD_direct  all  --  anywhere             anywhere
> FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
> FORWARD_IN_ZONES  all  --  anywhere             anywhere
> FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
> FORWARD_OUT_ZONES  all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere
> REJECT     all  --  anywhere             anywhere
> reject-with icmp-host-prohibited
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> OUTPUT_direct  all  --  anywhere             anywhere
> 
> Chain FORWARD_IN_ZONES (1 references)
> target     prot opt source               destination
> FWDI_public  all  --  anywhere             anywhere            [goto]
> FWDI_public  all  --  anywhere             anywhere            [goto]
> 
> Chain FORWARD_IN_ZONES_SOURCE (1 references)
> target     prot opt source               destination
> 
> Chain FORWARD_OUT_ZONES (1 references)
> target     prot opt source               destination
> FWDO_public  all  --  anywhere             anywhere            [goto]
> FWDO_public  all  --  anywhere             anywhere            [goto]
> 
> Chain FORWARD_OUT_ZONES_SOURCE (1 references)
> target     prot opt source               destination
> 
> Chain FORWARD_direct (1 references)
> target     prot opt source               destination
> 
> Chain FWDI_public (2 references)
> target     prot opt source               destination
> FWDI_public_log  all  --  anywhere             anywhere
> FWDI_public_deny  all  --  anywhere             anywhere
> FWDI_public_allow  all  --  anywhere             anywhere
> 
> Chain FWDI_public_allow (1 references)
> target     prot opt source               destination
> 
> Chain FWDI_public_deny (1 references)
> target     prot opt source               destination
> 
> Chain FWDI_public_log (1 references)
> target     prot opt source               destination
> 
> Chain FWDO_public (2 references)
> target     prot opt source               destination
> FWDO_public_log  all  --  anywhere             anywhere
> FWDO_public_deny  all  --  anywhere             anywhere
> FWDO_public_allow  all  --  anywhere             anywhere
> 
> Chain FWDO_public_allow (1 references)
> target     prot opt source               destination
> 
> Chain FWDO_public_deny (1 references)
> target     prot opt source               destination
> 
> Chain FWDO_public_log (1 references)
> target     prot opt source               destination
> 
> Chain INPUT_ZONES (1 references)
> target     prot opt source               destination
> IN_public  all  --  anywhere             anywhere            [goto]
> IN_public  all  --  anywhere             anywhere            [goto]
> 
> Chain INPUT_ZONES_SOURCE (1 references)
> target     prot opt source               destination
> 
> Chain INPUT_direct (1 references)
> target     prot opt source               destination
> REJECT     tcp  --  anywhere             anywhere             multiport
> dports ssh match-set fail2ban-default src reject-with 
> icmp-port-unreachable
> 
> Chain IN_public (2 references)
> target     prot opt source               destination
> IN_public_log  all  --  anywhere             anywhere
> IN_public_deny  all  --  anywhere             anywhere
> IN_public_allow  all  --  anywhere             anywhere
> 
> Chain IN_public_allow (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere             tcp
> dpt:submission ctstate NEW
> ACCEPT     tcp  --  anywhere             anywhere             tcp
> dpt:smtp ctstate NEW
> ACCEPT     tcp  --  anywhere             anywhere             tcp
> dpt:ssh ctstate NEW
> ACCEPT     tcp  --  anywhere             anywhere             tcp
> dpt:imaps ctstate NEW
> 
> Chain IN_public_deny (1 references)
> target     prot opt source               destination
> 
> Chain IN_public_log (1 references)
> target     prot opt source               destination
> 
> Chain OUTPUT_direct (1 references)
> target     prot opt source               destination
> 
> > Ted,
> > You might have a look at you iptables filter table to see if you are
> > jumping to the chain correctly. Fail2ban does a pretty good job of
> > putting the rules in the filter, but you still might have a rule like a
> > default accept that is allowing the connection before the jail
> > drops/rejects it.
> 
> On 06/14/2015 01:33 PM, Arch Architecht wrote:
> > I would check on iptables' order as Harrison said. I did mess around
> > with my bantimes since some hosts have some sort of "intelligent"
> > scanner which tries a few hrs after they are banned or they come back a
> > few days later. My personal bantime is 1234564890 which is long enough
> > for me :D
> > 
> > In any case, post an output of your iptables -L or your saved iptables
> > from /etc/sysconfig.  I use centos 6 so your file may be elsewhere.
> > 
> > Regards,
> > Arch
> > 
> > On Jun 14, 2015 7:26 PM, "Ted To" <[email protected]
> > <mailto:[email protected]>> wrote:
> > 
> >     Hi Arch,
> > 
> >     I null routed that IP address and within a few seconds, another IP
> >     address started hitting me.  I null routed that IP and it seems to
> >     have stopped for the moment.  With the exception of specifying a
> >     destemail address in jail.local, my configuration is the default
> >     Centos 7 epel config with the addition of the jail.d/sshd.local 
> > file
> >     I posted.
> > 
> >     Why would changing the bantime and findtime affect this behavior?
> >     (Just trying to understand.)
> > 
> >     Thanks,
> >     Ted
> > 
> >     On 2015-06-14 12:02 pm, Arch Architecht wrote:
> > 
> >         I would null route the ip and check my configs again. You may
> >         need to
> >         change your bantime and findtime.
> > 
> >         Regards,
> > 
> >         Arch
> >         On Jun 14, 2015 5:56 PM, "Ted To" <[email protected]
> >         <mailto:[email protected]>> wrote:
> > 
> >             Hi,
> > 
> >             I have a Centos 7 installation where an IP address that has 
> > been
> >             banned
> >             appears to be able to continue to attempt ssh connections. 
> > My
> >             sshd.local is:
> > 
> >             [sshd]
> >             enabled = true
> >             bantime = 86400
> >             findtime = 3600
> >             maxretry = 3
> >             protocol = all
> > 
> >             Despite this, I am currently being continuously hit by
> >             43.255.188.169
> >             (log snippets follow).
> > 
> >             Any ideas what I have done wrong?
> > 
> >             Thanks,
> >             Ted
> > 
> >             2015-06-14 11:33:46,545 fail2ban.filter [28524]: INFO
> >             [sshd]
> >             Found 43.255.188.169
> >             2015-06-14 11:33:48,350 fail2ban.filter [28524]: INFO
> >             [sshd]
> >             Found 43.255.188.169
> >             2015-06-14 11:33:50,421 fail2ban.filter [28524]: INFO
> >             [sshd]
> >             Found 43.255.188.169
> >             2015-06-14 11:33:51,086 fail2ban.actions [28524]: NOTICE
> >             [sshd]
> >             43.255.188.169 already banned
> >             2015-06-14 11:33:53,104 fail2ban.filter [28524]: INFO
> >             [sshd]
> >             Found 43.255.188.169
> >             2015-06-14 11:33:53,734 fail2ban.filter [28524]: INFO
> >             [sshd]
> >             Found 43.255.188.169
> >             2015-06-14 11:33:55,499 fail2ban.filter [28524]: INFO
> >             [sshd]
> >             Found 43.255.188.169
> >             2015-06-14 11:33:56,092 fail2ban.actions [28524]: NOTICE
> >             [sshd]
> >             43.255.188.169 already banned
> >             2015-06-14 11:33:57,530 fail2ban.filter [28524]: INFO
> >             [sshd]
> >             Found 43.255.188.169
> >             2015-06-14 11:34:00,508 fail2ban.filter [28524]: INFO
> >             [sshd]
> >             Found 43.255.188.169
> >             2015-06-14 11:34:01,130 fail2ban.filter [28524]: INFO
> >             [sshd]
> >             Found 43.255.188.169
> >             2015-06-14 11:34:02,100 fail2ban.actions [28524]: NOTICE
> >             [sshd]
> >             43.255.188.169 already banned
> > 
> >             and
> > 
> >             Jun 14 11:36:25 kahlo sshd[28890]: pam_unix(sshd:auth):
> >             authentication
> >             failure; logname= uid=0 euid=0 tty=ssh ruser=
> >             rhost=43.255.188.169
> >             user=root
> >             Jun 14 11:36:27 kahlo sshd[28890]: Failed password for
> >             invalid user
> >             root
> >             from 43.255.188.169 port 52618 ssh2
> >             Jun 14 11:36:29 kahlo sshd[28890]: Failed password for
> >             invalid user
> >             root
> >             from 43.255.188.169 port 52618 ssh2
> >             Jun 14 11:36:31 kahlo sshd[28890]: Failed password for
> >             invalid user
> >             root
> >             from 43.255.188.169 port 52618 ssh2
> >             Jun 14 11:36:31 kahlo sshd[28890]: Received disconnect from
> >             43.255.188.169 [1]: 11: [preauth]
> >             Jun 14 11:36:31 kahlo sshd[28890]: PAM 2 more 
> > authentication
> >             failures;
> >             logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169
> >             user=root
> >             Jun 14 11:36:32 kahlo sshd[28892]: User root from 
> > 43.255.188.169
> >             not
> >             allowed because not listed in AllowUsers
> >             Jun 14 11:36:32 kahlo sshd[28892]: pam_unix(sshd:auth):
> >             authentication
> >             failure; logname= uid=0 euid=0 tty=ssh ruser=
> >             rhost=43.255.188.169
> >             user=root
> >             Jun 14 11:36:34 kahlo sshd[28892]: Failed password for
> >             invalid user
> >             root
> >             from 43.255.188.169 port 38784 ssh2
> >             Jun 14 11:36:36 kahlo sshd[28892]: Failed password for
> >             invalid user
> >             root
> >             from 43.255.188.169 port 38784 ssh2
> >             Jun 14 11:36:37 kahlo sshd[28892]: Failed password for
> >             invalid user
> >             root
> >             from 43.255.188.169 port 38784 ssh2
> >             Jun 14 11:36:37 kahlo sshd[28892]: Received disconnect from
> >             43.255.188.169 [1]: 11: [preauth]
> >             Jun 14 11:36:37 kahlo sshd[28892]: PAM 2 more 
> > authentication
> >             failures;
> >             logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169
> >             user=root
> >             Jun 14 11:36:38 kahlo sshd[28894]: User root from 
> > 43.255.188.169
> >             not
> >             allowed because not listed in AllowUsers
> >             Jun 14 11:36:38 kahlo sshd[28894]: pam_unix(sshd:auth):
> >             authentication
> >             failure; logname= uid=0 euid=0 tty=ssh ruser=
> >             rhost=43.255.188.169
> >             user=root
> >             Jun 14 11:36:40 kahlo sshd[28894]: Failed password for
> >             invalid user
> >             root
> >             from 43.255.188.169 port 53258 ssh2
> >             Jun 14 11:36:42 kahlo sshd[28894]: Failed password for
> >             invalid user
> >             root
> >             from 43.255.188.169 port 53258 ssh2
> >             Jun 14 11:36:44 kahlo sshd[28894]: Failed password for
> >             invalid user
> >             root
> >             from 43.255.188.169 port 53258 ssh2
> >             Jun 14 11:36:44 kahlo sshd[28894]: Received disconnect from
> >             43.255.188.169 [1]: 11: [preauth]
> >             Jun 14 11:36:44 kahlo sshd[28894]: PAM 2 more 
> > authentication
> >             failures;
> >             logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169
> >             user=root
> > 
> > 
> >         
> > ------------------------------------------------------------------------------
> > 
> >             _______________________________________________
> >             Fail2ban-users mailing list
> >             [email protected]
> >             <mailto:[email protected]>
> >             https://lists.sourceforge.net/lists/listinfo/fail2ban-users 
> 
> 

