I have recently installed fail2ban on Ubuntu 16, and it's working in that bans/assignments to jails are working correctly, but once the jail assignment expires, the banned IP remains in iptables as REJECT. I would expect it to be removed from iptables after the bantime expires.
Example below, a very basic DOS jail, bans anyone who hits 100 page loads in 30 seconds, banning them for 1 hour (3600 seconds).
NB the default bantime in jail.conf is 600 seconds
jail.local
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
          /home/*/logs/access.log
maxretry = 100
findtime = 30
bantime = 3600
ignoreip = 127.0.0.1/8 ::1
action = iptables[name=HTTP, port=http, protocol=tcp]
filter.d/http-get-dos
# Fail2Ban configuration file
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =
I tested this myself by sending 1000 connections from three other servers, and it worked correctly: all three servers were added into the jail, and the iptables rules appeared:
iptables -L -n
Chain f2b-HTTP (2 references)
target     prot opt source               destination
REJECT     all  --  xx.xx.xx.xx          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  xx.xx.xx.xx          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  xx.xx.xx.xx          0.0.0.0/0            reject-with icmp-port-unreachable
However, it's been about 2 hours and the three REJECTs still exist in iptables, and the servers cannot connect.
A live status on the http-get-dos jail (fail2ban-client status http-get-dos) correctly returns that some IPs were banned, but none currently.
Status for the jail: http-get-dos
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 613
|  `- File list: /var/log/apache2/access.log /home/*/logs/access.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 3
   `- Banned IP list:
At install of fail2ban, I ran:
apt-get install iptables-persistent
To persist bans on reboot, but this doesn't (??) ignore the bantime though.
I know I can manually remove an IP from iptables, but I would expect fail2ban to do it automatically after the bantime has expired.
What am I missing?
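The situation in the question is a mismatch between two sources of truth: the REJECT rules in the f2b-HTTP chain and the list of IPs fail2ban itself still considers banned. A small reconciliation check makes that mismatch visible. The script below is an added example, not part of the question or of fail2ban; the iptables and fail2ban-client outputs it parses are constructed samples (RFC 5737 documentation addresses), and the chain name f2b-HTTP follows the `name=HTTP` in the question's action line. It reports every IP that is still rejected by iptables but absent from fail2ban's "Banned IP list", which is exactly the state described above.

```shell
#!/bin/sh
# Constructed sample of `iptables -L -n` restricted to the f2b-HTTP chain.
# In real use: F2B_CHAIN_SAMPLE="$(iptables -L f2b-HTTP -n)"
F2B_CHAIN_SAMPLE='Chain f2b-HTTP (2 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.10         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  203.0.113.11         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  203.0.113.12         0.0.0.0/0            reject-with icmp-port-unreachable'

# Constructed sample of `fail2ban-client status http-get-dos`, with one IP still banned.
# In real use: F2B_STATUS_SAMPLE="$(fail2ban-client status http-get-dos)"
F2B_STATUS_SAMPLE='Status for the jail: http-get-dos
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 613
|  `- File list: /var/log/apache2/access.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 3
   `- Banned IP list: 203.0.113.11'

# chain_ips CHAIN_OUTPUT -> source IP of every REJECT rule, one per line.
# Field 4 of a `-L -n` line is the source column.
chain_ips() {
  printf '%s\n' "$1" | awk '$1 == "REJECT" { print $4 }'
}

# jail_ips STATUS_OUTPUT -> IPs fail2ban currently lists as banned, one per line.
# The list is space separated after "Banned IP list:"; an empty list yields no output.
jail_ips() {
  printf '%s\n' "$1" | awk -F'Banned IP list:' '
    /Banned IP list:/ { n = split($2, a, " "); for (i = 1; i <= n; i++) print a[i] }'
}

# stale_bans CHAIN_OUTPUT STATUS_OUTPUT -> IPs rejected by iptables that fail2ban
# no longer tracks (bantime expired, or rules restored behind fail2ban's back).
stale_bans() {
  chain="$(chain_ips "$1")"
  jailed=" $(jail_ips "$2" | tr '\n' ' ') "
  for ip in $chain; do
    case "$jailed" in
      *" $ip "*) ;;                  # still banned by fail2ban: consistent, skip
      *) printf '%s\n' "$ip" ;;      # present in iptables only: stale
    esac
  done
}

# Demo on the constructed samples: prints 203.0.113.10 and 203.0.113.12.
stale_bans "$F2B_CHAIN_SAMPLE" "$F2B_STATUS_SAMPLE"
```

Each stale entry is one that fail2ban's own unban step would have removed with `iptables -D f2b-HTTP -s <ip> -j REJECT --reject-with icmp-port-unreachable` (the actionunban of action.d/iptables.conf, matching the rule shape shown in the question). One caveat worth checking when a list comes back non-empty: iptables-persistent restores whatever was saved in /etc/iptables/rules.v4 at boot, so any f2b chain rules captured while bans were active come back without fail2ban knowing about them, and fail2ban never schedules an unban for rules it did not add in the current run.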