Fail2ban not working.

March 23, 2017 419 views
Security Nginx PHP Ubuntu 16.04

I have installed fail2ban as per the following tutorial.

i have a wordpress site and one application on php fremwork. i tried with wrong password on both places but im not blocked for the given time period.
just to mention, i removed my ip from the ignore IP before testing this.

these are my fail2ban details

|- Number of jail:      5
`- Jail list:   nginx-badbots, nginx-http-auth, nginx-noproxy, nginx-noscript, sshd
~$ sudo iptables -S
-N f2b-nginx-badbots
-N f2b-nginx-http-auth
-N f2b-nginx-noproxy
-N f2b-nginx-noscript
-N f2b-sshd
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-nginx-badbots
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-nginx-noproxy
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-nginx-noscript
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A f2b-nginx-badbots -j RETURN
-A f2b-nginx-http-auth -j RETURN
-A f2b-nginx-noproxy -j RETURN
-A f2b-nginx-noscript -j RETURN
-A f2b-sshd -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_OpenSSH\'" -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -m comment --comment "\'dapp_Nginx%20HTTP\'" -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -m comment --comment "\'dapp_Nginx%20HTTPS\'" -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT

could someone please tell me where i am doing wrong?

2 Answers

Unless you've installed the WordPress plugin wp-fail2ban-redux or wp-fail2ban it won't do anything.
And for your custom application, well, that needs some code which fail2ban can trigger on.

  • thanks for replying. understand what you are saying.

    just clear my 2 questions please,

    on the tutorial, active jails have ssh, in my case its sshd. is that normal?

    there are far more parameters in my iptable status then in the tutorial. is that normal? i have installed fail2ban and iptable in an almost new server.

    sorry to ask such things, just wanting to be sure that my fail2ban didnt block legitimate requests.

    • The guide you're looking at is for the fail2ban version which came with Ubuntu 14.04, but the fail2ban version that comes with Ubuntu 16.04 has changed quite a lot. So not sure about the ssh vs sshd, but I guess that's why.

      You only have a couple of f2b in the iptables - the rest is the ufw, which is the builtin Ubuntu firewall, which you've enabled at some point probably.

      • @hansen
        thanks for clarifying that. i didnt noticed that properly before.

        yes i did enabled ufw at the very beginning denying all incoming expect some selective ports.

        i have one last question though. as i am using ufw and so far i know ufw configure ipv4 & ipv6 both together, so do i need to add same rules additionally for ipv6?
        and do u have any tutorial for ubuntu 16.04 by the way?

        • No, you're good with just using the default ufw - it'll add both v4 and v6.

          And the default scripts that comes with fail2ban on 16.04 does also support v4 and v6.

          Tutorial for Ubuntu or fail2ban or?

There's one that talks about UFW/iptables:
But there isn't an updated tutorial for fail2ban on 16.04

UFW, or Uncomplicated Firewall, is an interface to iptables that is geared towards simplifying the process of configuring a firewall. While iptables is a solid and flexible tool, it can be difficult for beginners to learn how to use it to properly configure a firewall. If you're looking to get started securing your network, and you're not sure which tool to use, UFW may be the right choice for you. This tutorial will show you how to set up a firewall with UFW on Ubuntu 16.04.
Have another answer? Share your knowledge.