action prevents block of ip #4

Open
hoflz5 opened this issue Mar 27, 2021 · 4 comments
hoflz5 commented Mar 27, 2021

When I add the code to my jail.local,

action   = iptables[name=nginx-custom, port=80, protocol=tcp]
               telegram

the IP is not stopped anymore. It is still in iptables, but I can still access the server from that IP. Any thoughts?

@deividgdt deividgdt self-assigned this Mar 27, 2021
@deividgdt
Owner

Hi Hoflz5,

Could you show me your nginx-custom configuration? Anyway, if you see the IP address in the iptables rules but it's not working, that is weird.

Looks like some iptables misconfiguration.

Kind regards

@hoflz5
Author

hoflz5 commented Mar 28, 2021

I'm using fail2ban v11.

So the thing is that this works if I comment out the Telegram action as per below:

/etc/fail2ban/filter.d/nginx-custom.conf

[Definition]

failregex = ^<HOST> -.*(GET|POST|HEAD).*(/\.git/config)
            ^<HOST> -.*(GET|POST).*/administrator/index\.php.*500
            ^<HOST> -.*(GET|POST|HEAD).*(/:8880/)
            ^<HOST> -.*(GET|POST|HEAD).*(/addons/theme/stv1/_static/image/favicon\.ico)

..... + 100 more rows like this ....

            ^<HOST> -.*(GET|POST|HEAD).*(/.env)
            ^<HOST> -.*(GET|POST|HEAD).*(/wp)

ignoreregex =


jail.local with the action commented out, to verify that the jail works in the normal case:

/etc/fail2ban/jail.local

[nginx-custom]
enabled  = true
port     = http,https
filter   = nginx-custom
logpath  = %(nginx_access_log)s
maxretry = 1
#action   = iptables[name=nginx-custom, port=80, protocol=tcp]
#           telegram

Trying to exploit any of these, the IP ended up in the jail:

sudo fail2ban-client status nginx-custom

Status for the jail: nginx-custom
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	2
|  `- File list:	/var/log/nginx/access.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	2.67.28.16

Log shows a ban:

2021-03-28 10:15:51,027 fail2ban.filter         [1592]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:15:50
2021-03-28 10:15:51,474 fail2ban.actions        [1592]: NOTICE  [nginx-custom] Ban 2.67.28.16

And also the iptables:

sudo iptables -L -nv

Chain INPUT (policy ACCEPT 871 packets, 1638K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  211 22384 f2b-nginx-custom  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 977 packets, 1960K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain f2b-nginx-custom (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   56  2756 REJECT     all  --  *      *       2.67.28.16           0.0.0.0/0            reject-with icmp-port-unreachable
  155 19628 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0    

Ban is now working. I cannot reach the site from this IP.

BUT!
Now I'm going to test with the Telegram action enabled. First remove the IP from the jail and iptables.
sudo fail2ban-client set nginx-custom unbanip 2.67.28.16
sudo iptables -F

Then enable the action in jail.local (telegram indentation is spaces)

[nginx-custom]
enabled  = true
port     = http,https
filter   = nginx-custom
logpath  = %(nginx_access_log)s
maxretry = 1
action   = iptables[name=nginx-custom, port=80, protocol=tcp]
           telegram

Then restart fail2ban:
sudo service fail2ban restart
Now I get a notification in Telegram that fail2ban has restarted.
Trying the exploit again -> I get a Telegram message that the IP has been banned.

Jail also shows banned:
sudo fail2ban-client status nginx-custom

Status for the jail: nginx-custom
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	109
|  `- File list:	/var/log/nginx/access.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	2.67.28.16

iptables also shows it banned (the only difference I can see is that pkts and bytes are 0 now):
sudo iptables -L -nv

Chain INPUT (policy ACCEPT 1059 packets, 1323K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 f2b-nginx-custom  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1014 packets, 1800K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain f2b-nginx-custom (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       2.67.28.16           0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Log now shows more rows for the new ban of this IP:

2021-03-28 10:23:24,714 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:24
2021-03-28 10:23:24,942 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:24
2021-03-28 10:23:24,948 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:24
2021-03-28 10:23:24,953 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:24
2021-03-28 10:23:24,958 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:24
2021-03-28 10:23:25,164 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:24
2021-03-28 10:23:25,170 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,176 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,181 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,187 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,193 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,198 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,204 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,345 fail2ban.actions        [7999]: NOTICE  [nginx-custom] Ban 2.67.28.16
2021-03-28 10:23:25,411 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,417 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,422 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,427 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,433 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,438 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
....
2021-03-28 10:23:27,756 fail2ban.actions        [7999]: NOTICE  [nginx-custom] 2.67.28.16 already banned
2021-03-28 10:23:27,756 fail2ban.actions        [7999]: NOTICE  [nginx-custom] 2.67.28.16 already banned
2021-03-28 10:23:27,756 fail2ban.actions        [7999]: NOTICE  [nginx-custom] 2.67.28.16 already banned
2021-03-28 10:23:27,756 fail2ban.actions        [7999]: NOTICE  [nginx-custom] 2.67.28.16 already banned

If I try to access the same URL again, the site loads normally. So the ban IS NOT working. I also get a notification in the fail2ban log that the IP is already banned:

2021-03-28 10:28:57,113 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:28:56
2021-03-28 10:28:57,354 fail2ban.actions        [7999]: WARNING [nginx-custom] 2.67.28.16 already banned

Also, I'm getting this warning when starting the fail2ban service (both with and without Telegram):
2021-03-28 10:34:48,058 fail2ban.configreader [8496]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'

@deividgdt
Owner

Hi Hoflz,

There's another difference between those two iptables outputs: port 443. When you enable the action to send Telegram messages, just port 80 is configured:

action = iptables[name=nginx-custom, port=80, protocol=tcp]

but when this action is disabled, and an IP address gets banned, the destination ports are 80 and 443.

Chain INPUT (policy ACCEPT 871 packets, 1638K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  211 22384 f2b-nginx-custom  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

So, most probably you need to set port 443 in the action configuration as follows:

action   = iptables[name=nginx-custom, port="80,443", protocol=tcp]

Kind regards,

@hoflz5
Author

hoflz5 commented Mar 29, 2021

Hmm, that is interesting.
I actually tried with port=all before, but that didn't end well.
When adding 443 now as you mentioned, everything becomes null in iptables (after first unbanning, then resetting with sudo iptables -F, then restarting the fail2ban service):

Chain f2b-nginx-custom (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
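
A small diagnostic for the two failure modes seen in this thread: a REJECT rule for the IP whose INPUT jump rule only covers port 80 (so HTTPS stays reachable), and an f2b chain with 0 references after iptables -F (so nothing reaches the REJECT at all). It is added here as an example and is not code from the issue or from fail2ban; the sample outputs are constructed from the ones quoted above, and the function names are my own.

```shell
#!/bin/sh
# Added diagnostic, not from the issue or from fail2ban: parse `iptables -L -nv`
# output and check that a fail2ban ban actually takes effect. Columns in that
# output are: pkts bytes target prot opt in out source destination [match ...]
# Print the ports covered by the INPUT jump rule into chain $2 ("tcp dpt:80" ->
# 80, "multiport dports 80,443" -> 80 and 443). No output = chain not referenced.
jump_ports() {  # $1 = iptables output, $2 = chain name
  printf '%s\n' "$1" | awk -v chain="$2" '
    /^Chain / { cur = $2; next }
    cur == "INPUT" && $3 == chain {
      for (i = 10; i <= NF; i++) {
        if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
        if ($i == "dports") { n = split($(i+1), p, ","); for (j = 1; j <= n; j++) print p[j] }
      }
    }'
}
# Succeed only if chain $2 holds a REJECT or DROP rule whose source is $3.
ip_rejected() {  # $1 = iptables output, $2 = chain name, $3 = IP
  printf '%s\n' "$1" | awk -v chain="$2" -v ip="$3" '
    /^Chain / { cur = $2; next }
    cur == chain && ($3 == "REJECT" || $3 == "DROP") && $8 == ip { found = 1 }
    END { exit found ? 0 : 1 }'
}
# ban_effective OUTPUT JAIL IP "PORT PORT ..." -> 0 only if the ban blocks every listed port.
ban_effective() {
  chain="f2b-$2"
  ip_rejected "$1" "$chain" "$3" || { echo "no REJECT/DROP for $3 in $chain"; return 1; }
  covered=$(jump_ports "$1" "$chain")
  [ -n "$covered" ] || { echo "$chain has no INPUT jump rule: ban has no effect"; return 1; }
  for want in $4; do
    echo "$covered" | grep -qx "$want" || { echo "port $want is not covered by $chain"; return 1; }
  done
  echo "ban of $3 is effective on ports:" $covered
}
# Constructed samples modelled on the three outputs quoted in the issue (not live data).
GOOD="Chain INPUT (policy ACCEPT 871 packets, 1638K bytes)
  211 22384 f2b-nginx-custom  tcp  --  *  *  0.0.0.0/0   0.0.0.0/0   multiport dports 80,443
Chain f2b-nginx-custom (1 references)
   56  2756 REJECT  all  --  *  *  2.67.28.16  0.0.0.0/0   reject-with icmp-port-unreachable"
PORT80="Chain INPUT (policy ACCEPT 1059 packets, 1323K bytes)
    0     0 f2b-nginx-custom  tcp  --  *  *  0.0.0.0/0   0.0.0.0/0   tcp dpt:80
Chain f2b-nginx-custom (1 references)
    0     0 REJECT  all  --  *  *  2.67.28.16  0.0.0.0/0   reject-with icmp-port-unreachable"
ORPHAN="Chain INPUT (policy ACCEPT 10 packets, 1000 bytes)
Chain f2b-nginx-custom (0 references)
    0     0 RETURN  all  --  *  *  0.0.0.0/0   0.0.0.0/0"
ban_effective "$GOOD"   nginx-custom 2.67.28.16 "80 443"            # effective on 80 443
ban_effective "$PORT80" nginx-custom 2.67.28.16 "80 443" || true    # port 443 is not covered
ban_effective "$ORPHAN" nginx-custom 2.67.28.16 "80 443" || true    # no REJECT/DROP rule
```

On a live host, pass the real table in instead of a sample: ban_effective "$(sudo iptables -L -nv)" nginx-custom <banned-ip> "80 443".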
 
