On 9/30/18 11:01 AM, James Moe via Fail2ban-users wrote:
> The issue, then, is that the actual banning part is not happening.
> Where have I gone awry?
> The purpose of commissioning fail2ban is to reduce the load on suricata, an intrusion prevention service; suricata is the most CPU-intensive program running; I felt anything that could ease its load is a good thing.

The problem was the order of INPUT chains in iptables. With normal system startup NFQUEUE was first, followed by everything else. f2b added its chains after NFQUEUE, making the f2b chains rather useless. This also created the "already banned" messages.

After restarting fail2ban, its chains are before NFQUEUE, allowing the f2b rules to be in effect. And the reduction of suricata's workload is actually happening.
The only bit remaining to solve is: how to guarantee f2b's chains are always first in iptables' INPUT list?

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
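One way to at least detect the ordering problem the message describes, as an added example that is not from the post or from the fail2ban project: parse the output of `iptables -S INPUT` and report whether every `-j f2b-*` jump comes before the first `-j NFQUEUE` rule, and print the `iptables` commands that would move any misplaced jumps back to the top. The two rule listings are constructed samples (one in the broken state, one in the repaired state), and the function names `f2b_order_status` and `f2b_reorder_commands` are this example's own.

```shell
#!/bin/sh
# Added example (not from the list post or the fail2ban project): check whether
# fail2ban's jump rules in INPUT precede the NFQUEUE rule that hands packets to
# suricata, working from `iptables -S INPUT` output. The two listings below are
# constructed samples, not captured from the poster's machine.

# Constructed sample: the broken state described in the post, NFQUEUE first.
BAD_ORDER='-P INPUT ACCEPT
-A INPUT -j NFQUEUE --queue-num 0 --queue-bypass
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-nginx-http-auth
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Constructed sample: the state after restarting fail2ban, f2b jumps first.
GOOD_ORDER='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-nginx-http-auth
-A INPUT -j NFQUEUE --queue-num 0 --queue-bypass
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# f2b_order_status RULES
# Prints "ok" when every `-j f2b-*` rule comes before the first NFQUEUE rule,
# "bad" when at least one f2b jump sits below NFQUEUE (banned hosts still reach
# suricata before fail2ban can drop them), and "none" when the listing has no
# f2b jumps at all (fail2ban not started, or its jails bound to another chain).
f2b_order_status() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && / -j NFQUEUE( |$)/ { if (!nfq) nfq = NR }
        /^-A INPUT / && / -j f2b-/         { f2b++; if (nfq && nfq < NR) late++ }
        END {
            if (f2b == 0)      print "none"
            else if (late > 0) print "bad"
            else               print "ok"
        }'
}

# f2b_reorder_commands RULES
# Prints, without running them, the iptables commands that move every f2b jump
# found below NFQUEUE to the top of INPUT while keeping their relative order:
# delete the rule where it is, then reinsert it at position 1, 2, 3, ...
# Review the output, then pipe it to `sh` as root if it looks right.
f2b_reorder_commands() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && / -j NFQUEUE( |$)/ { if (!nfq) nfq = NR }
        /^-A INPUT / && / -j f2b-/ && nfq && nfq < NR {
            spec = substr($0, length("-A INPUT ") + 1)   # rule spec after "-A INPUT "
            pos++
            printf "iptables -D INPUT %s\n", spec
            printf "iptables -I INPUT %d %s\n", pos, spec
        }'
}

# Live use as root: f2b_order_status "$(iptables -S INPUT)"
echo "bad sample:  $(f2b_order_status "$BAD_ORDER")"
echo "good sample: $(f2b_order_status "$GOOD_ORDER")"
f2b_reorder_commands "$BAD_ORDER"
```

Run the status check from a periodic job or right after boot: it answers the question "are f2b's chains first right now?" without depending on which service happened to start last. Keeping the order stable across reboots still comes down to making sure fail2ban installs its jumps after whatever installs the NFQUEUE rule, since each restart of either service changes where its rule lands.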
