After Fail2ban/firewalls integration can't access https

July 7, 2014 3.1k views

After integrating fail2ban, and some basic firewalls, we can no longer access our site(s) through https.

Ubuntu 14, nginx, wp/magento on same server. 2 SSL certs.

Error logs print out:

Access forbidden by rule, client:, server:, request: "POST /app/etc/local.xml HTTP/1.1", host: ""

'sudo netstat -plutn | grep :443' prints out:

tcp        0      0   *               LISTEN      4774/nginx

Any help would be greatly appreciated!


4 Answers

Also, 'sudo iptables -S' returns this:

-N fail2ban-nginx-http-auth
-N fail2ban-ssh
-N udp-flood
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p udp -j udp-flood
-A fail2ban-nginx-http-auth -j RETURN
-A fail2ban-ssh -j RETURN
-A udp-flood -p udp -m limit --limit 50/sec -j RETURN
-A udp-flood -j LOG --log-prefix "UDP-flood attempt: "
-A udp-flood -j DROP

Running nmap on your IP only shows ports 80 and 22 to be open. HTTPS traffic is on port 443. I'd explicitly open port 443 with:

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Hey Andrew,

Thanks for your help. Ran that command, as well as:

fuser -k 80/tcp 
fuser -k 443/tcp
service nginx start

but still no dice.

You need to remove the “DROP everything” rule and use the default policy setting instead:

sudo iptables -D INPUT -j DROP
sudo iptables -P INPUT DROP
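The reason the appended ACCEPT from the earlier answer did nothing is rule order: iptables evaluates INPUT rules top to bottom and stops at the first terminal match, so an ACCEPT for 443 added with -A lands after a blanket "-A INPUT -j DROP" and is never reached, which is why the last answer removes that rule and uses the chain policy instead. The script below is an added example, not code from the thread; it walks an "iptables -S INPUT" listing the way the kernel would for a new TCP connection and reports whether a port is accepted, dropped, or shadowed (an ACCEPT exists but a blanket DROP/REJECT sits above it). The listings are constructed from the rules posted above; the trailing "-A INPUT -j DROP" stands in for the "DROP everything" rule the last answer refers to, which is not shown in the posted output. Rules jumping to user chains such as fail2ban-* are treated as non-terminal, matching the posted chains, which only RETURN.

```shell
#!/bin/sh
# Added example (not from the thread): detect shadowed ACCEPT rules in an
# "iptables -S INPUT" listing. Constructed input, based on the posted rules.

# Listing as it would look after "sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT"
# was appended behind a hypothetical blanket DROP rule (constructed).
RULES_WITH_DROP_RULE='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# Same listing after the fix from the last answer: blanket rule deleted
# ("iptables -D INPUT -j DROP") and the default policy set to DROP.
RULES_FIXED='-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# port_status LISTING PORT
# Simulates a fresh inbound TCP SYN to PORT against the INPUT rules, in order.
# Prints one of: accepted | dropped | shadowed
#   shadowed = a blanket DROP/REJECT is hit first, but an ACCEPT for PORT
#              appears later in the chain (the -A ordering mistake).
port_status() {
    listing=$1
    port=$2
    policy=ACCEPT        # default for an unset -P line
    verdict=""           # first terminal decision, if any
    later_accept=0       # ACCEPT for PORT seen after that decision
    while IFS= read -r line; do
        case $line in
            "-P INPUT "*) policy=${line##* }; continue ;;
            "-A INPUT "*) ;;
            *) continue ;;
        esac
        matches=0
        case " $line " in
            *" --dport $port "*) matches=1 ;;              # exact single-port match
            *" --dports "*)                                 # multiport list
                list=${line#*--dports }
                list=${list%% *}
                case ",$list," in *",$port,"*) matches=1 ;; esac ;;
            *" -i lo "*|*" --ctstate "*|*" -p udp "*) ;;   # cannot match a new external TCP SYN
            *" --dport "*) ;;                               # some other single port
            *) matches=1 ;;                                 # no port qualifier: blanket rule
        esac
        [ "$matches" -eq 1 ] || continue
        target=${line##* -j }
        target=${target%% *}
        if [ -n "$verdict" ]; then
            # Already decided; only record whether a shadowed ACCEPT follows.
            [ "$target" = ACCEPT ] && later_accept=1
            continue
        fi
        case $target in
            ACCEPT) verdict=accepted ;;
            DROP|REJECT) verdict=blocked ;;
            *) ;;                                            # user chain (e.g. fail2ban-*): not terminal here
        esac
    done <<EOF
$listing
EOF
    if [ -z "$verdict" ]; then
        # Fell off the end of the chain: the policy decides.
        if [ "$policy" = ACCEPT ]; then verdict=accepted; else verdict=dropped; fi
    elif [ "$verdict" = blocked ]; then
        if [ "$later_accept" -eq 1 ]; then verdict=shadowed; else verdict=dropped; fi
    fi
    printf '%s\n' "$verdict"
}

# Usage: compare the broken ordering with the fixed listing.
for p in 80 443; do
    printf 'before fix, port %s: %s\n' "$p" "$(port_status "$RULES_WITH_DROP_RULE" "$p")"
    printf 'after fix,  port %s: %s\n' "$p" "$(port_status "$RULES_FIXED" "$p")"
done
```

Run it against real output with port_status "$(sudo iptables -S INPUT)" 443; a "shadowed" result means the ACCEPT exists but is positioned below a blanket rule, which is exactly the case -A cannot fix and the policy change above resolves.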