I setup fail2ban 0.9.1 on my Synology NAS to handle failed SSH attempts. When I startup the jail I get the following errors in fail2ban.log:
2015-02-01 17:22:52,394 fail2ban.jail [30576]: INFO Jail 'ssh-iptables-syno' started
2015-02-01 17:22:53,287 fail2ban.actions [30576]: NOTICE [ssh-iptables-syno] Ban 103.41.124.52
2015-02-01 17:22:53,613 fail2ban.action [30576]: ERROR iptables -I f2b-ssh-iptables-syno 1 -s 103.41.124.52 -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2015-02-01 17:22:53,625 fail2ban.action [30576]: ERROR iptables -I f2b-ssh-iptables-syno 1 -s 103.41.124.52 -j REJECT --reject-with icmp-port-unreachable -- stderr: 'iptables v1.4.21: unknown option "--reject-with"\nTry `iptables -h\' or \'iptables --help\' for more information.\n'
2015-02-01 17:22:53,626 fail2ban.action [30576]: ERROR iptables -I f2b-ssh-iptables-syno 1 -s 103.41.124.52 -j REJECT --reject-with icmp-port-unreachable -- returned 2
Another example:
2015-02-01 17:22:54,525 fail2ban.actions [30576]: NOTICE [ssh-iptables-syno] Ban 222.161.4.147
2015-02-01 17:22:54,855 fail2ban.action [30576]: ERROR iptables -I f2b-ssh-iptables-syno 1 -s 222.161.4.147 -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2015-02-01 17:22:54,857 fail2ban.action [30576]: ERROR iptables -I f2b-ssh-iptables-syno 1 -s 222.161.4.147 -j REJECT --reject-with icmp-port-unreachable -- stderr: 'iptables v1.4.21: unknown option "--reject-with"\nTry `iptables -h\' or \'iptables --help\' for more information.\n'
2015-02-01 17:22:54,858 fail2ban.action [30576]: ERROR iptables -I f2b-ssh-iptables-syno 1 -s 222.161.4.147 -j REJECT --reject-with icmp-port-unreachable -- returned 2
2015-02-01 17:22:54,860 fail2ban.actions [30576]: ERROR Failed to execute ban jail 'ssh-iptables-syno' action 'iptables-multiport' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x40dfe0b0>, 'matches': u'warning\t2015/02/01 17:14:04\tSYSTEM:\tUser [root] from [222.161.4.147] failed to log in via [SSH] due to authorization failure.\nwarning\t2015/02/01 17:14:06\tSYSTEM:\tUser [root] from [222.161.4.147] failed to log in via [SSH] due to authorization failure.\nwarning\t2015/02/01 17:14:09\tSYSTEM:\tUser [root] from [222.161.4.147] failed to log in via [SSH] due to authorization failure.', 'ip': '222.161.4.147', 'ipmatches': <function <lambda> at 0x40dfe0f0>, 'ipfailures': <function <lambda> at 0x40dfe030>, 'time': 1422807774.52478, 'failures': 3, 'ipjailfailures': <function <lambda> at 0x40dfe070>})': Error banning 222.161.4.147
-> full log excerpt: http://pastebin.com/TvTG3c7W
When I try to execute the iptables command directly like I get the following error:
# iptables -I f2b-ssh-iptables-syno 1 -s 222.161.4.147 -j REJECT --reject-with icmp-port-unreachable
iptables v1.4.21: unknown option "--reject-with"
I have another machine (12.04) with iptables 1.4.21 and fail2ban 0.9.1 where everything work flawlessly. Here is some iptables information for both machines:
Bad machine:
# iptables --version
iptables v1.4.21
# cat /proc/net/ip_tables_targets
LOG
ERROR
# cat /proc/net/ip_tables_matches
limit
state
udplite
udp
tcp
multiport
multiport
icmp
Good machine:
# iptables --version
iptables v1.4.21
# cat /proc/net/ip_tables_targets
AUDIT
NFLOG
NFQUEUE
NFQUEUE
NFQUEUE
CLASSIFY
CONNMARK
CONNMARK
MARK
MARK
MARK
ULOG
TPROXY
TPROXY
MASQUERADE
REDIRECT
TOS
TOS
DSCP
LOG
TCPMSS
DNAT
SNAT
REJECT
ERROR
# cat /proc/net/ip_tables_matches
statistic
time
connlimit
realm
pkttype
connmark
connmark
physdev
string
string
owner
comment
conntrack
conntrack
conntrack
helper
limit
hashlimit
hashlimit
iprange
iprange
policy
owner
addrtype
addrtype
recent
state
length
ttl
tcpmss
multiport
multiport
tos
tos
dscp
icmp
udplite
udp
tcp
Any ideas on how to approach this errors?
Update Thanks to @ricardo I found out that iptables on my Synology (DSM 5) is missing the REJECT target. Don´t know how to add it though.
Try so see what iptables modules are loaded on the good machine and compare them to the bad one:
Also check if the REJECT target exists:
If you do not see REJECT in the list, then your version of iptables does not have it and fail2ban rules will not be able to interact with it.
Ok I figured it out:
fail2ban tries to insert bans using the iptable REJECT target which is not available on Synology DSM5.x systems. (thx @Ricardo)
The solution is to edit the fail2ban action and change it from REJECT to DROP (which is available by default). In my case (fail2ban v0.8.14, action: iptables-allports) this would be achieved like this:
As commands:
The iptables-blocktype.local gets automatically loaded by action.d/iptables-blocktype.conf.
This post in the german Synology board was very helpful: http://www.synology-forum.de/showthread.html?50964-Zarafa-mit-fail2ban-absichern&highlight=fail2ban