Home / server / Questions / 1073725
Accepted
nagylzs
Asked: 2021-08-07 01:36:03 +0800 CST

fail2ban does not use DROP blocktype

  • 772

Using Ubuntu 20.04 LTS, I have this in /etc/fail2ban/jail.local:

[DEFAULT]
bantime   = 3600
banaction = iptables
blocktype = drop


[sshd]
enabled   = true
protocol  = tcp
port      = ssh
filter    = sshd
logpath   = /var/log/auth.log
maxretry  = 3

But this is what I see when I list iptables rules:

╰─# iptables -L f2b-sshd -n -v
Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
   13  1356 REJECT     all  --  *      *       222.187.232.205      0.0.0.0/0            reject-with icmp-port-unreachable
   18  1516 REJECT     all  --  *      *       221.181.185.153      0.0.0.0/0            reject-with icmp-port-unreachable
   17  1064 REJECT     all  --  *      *       222.186.180.130      0.0.0.0/0                  777 55854 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

The problem is that it uses REJECT (with ICMP) instead of DROP.

The action.d/iptables.conf contains this:

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

It is the default iptables action file, shipped with the official fail2ban apt package for this OS version.

Also tried to add "blocktype=drop" under [sshd] but it has no effect.

I'm not sure how to debug this, because the fail2ban service does not log the actual iptables commands.

What am I missing?

fail2ban

2 Answers

  1. Best Answer

    To supply some parameter to the action of single jail, you must set action with all parameters (also normally supplied in default section of jail.conf) or in case of banning action you could use something like that:

    [some_jail]
banaction = %(known/banaction)s[blocktype=DROP]

    As regards the theme DROP vs. REJECT, the discussion is so old as the net-filter subsystem itself, with many pros/cons for both sides.
    Related to banning concerns, see https://github.com/fail2ban/fail2ban/issues/2217#issuecomment-423248516 for details.

    • 1

  2. I have accepted solution of @sebres but I would like to add some gotchas.

    For iptables-allports banaction, the reject blocktype can have spaces inside. You need to quote that.

    Example:

    [sshd]
banaction=iptables_allports[blocktype="REJECT --reject-with icmp-port-unreachable"]

    Second interesting thing: both the banaction and the jail config have a parameter called "protocol". I was first confused when the configuration below was not throwing any errors, but it did not block UDP requests:

    [named-ddos]
banaction=iptables_allports[blocktype=DROP,protocol=all]

    It happened because I was missing the protocol=all setting from the jail. You need to specify protocol=all at the jail level:

    [named-ddos]
banaction=iptables_allports[blocktype=DROP,protocol=all]
protocol=all

    The reason for this is that the named-ddos section creates a new chain in iptables, and the banned ips are creating rules inside that chain. If you don't specify protocol=all at the jail level, then the chain will be defined like this:

    Chain INPUT (policy DROP 22 packets, 952 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1371  229K named-ddos  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

    It is true, that the banaction will create rules with proto=all inside the chain, but the chain itself won't be used for non-tcp packets. The conclusion is that you need to specify protocol=all in both the jail level and in the banaction (if it supports it), otherwise it won't work.

    • 0