Hi, I’ve got a few Ubuntu 15.04 droplets running Fail2ban + UFW (+ iptables, FWIW). I’ve set the servers up according to the various 14.04 tutorials on DO: initial server setup steps, setting up UFW, setting up fail2ban. I even followed the directions to set up the repeat-offender jail from wireflare as well as recidive (a bit of paranoia, admittedly).
I should probably note that these droplets were originally 14.10 and were upgraded to 15.04 in August, but all of them are running the same kernel, 3.19.0-30-generic per the DO dashboard. I made sure that each of them was running the right kernel version, since iptables wasn’t working on some of them because of kernel mismatches.
On my droplets running 14.04 my setup works great, AFAIK…
I’ve set up my UFW rules to REJECT certain annoying IP addresses (e.g. 22.214.171.124/24), and `sudo iptables -S` and `-L` both show these particular addresses as being blocked/rejected. I also have UFW reject all incoming requests except to certain ports (http, etc.). And I’ve got `PermitRootLogin off` as well. The only way to log into our servers is via key access (on port 22, but that isn’t the issue).
However, I’ve noticed that f2b continually sends out emails saying those particular IP addresses are still attempting to SSH in. My `jail.local` has the default SSH jail settings, but that points to `port=ssh` (which is 22). The brute-force attempts from these IPs hit various other ports, like port 23825.
Here’s my current setup. Snippet of UFW:

```
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   REJECT IN   126.96.36.199
Anywhere                   REJECT IN   188.8.131.52
Anywhere                   REJECT IN   184.108.40.206
Anywhere                   REJECT IN   220.127.116.11
```
Snippet of the corresponding iptables rules:

```
-A f2b-recidive -s 18.104.22.168/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 22.214.171.124/32 -j REJECT --reject-with icmp-port-unreachable
...
-A ufw-user-input -s 126.96.36.199/32 -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-input -s 188.8.131.52/32 -j REJECT --reject-with icmp-port-unreachable
```
And my `jail.local`:

```
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
```
(Though I tried to change the SSH jail to this; I’m unsure if it’s properly configured or working or whatnot – I assume it’s not, because I still get the emails re: these particular IPs.)
```
[ssh]
enabled = true
filter = sshd
action = iptables-allports[name=ssh,protocol=tcp]
         sendmail-whois-lines[name=SSH, logpath=/var/log/fail2ban.log]
logpath = /var/log/auth.log
maxretry = 3
```
I’ve a few questions regarding all of this.

1. Why isn’t UFW / iptables blocking these IP addresses? (Seriously, this is the biggest Q.)
2. How do I set up fail2ban’s SSH jail to also dismiss all SSH attempts through other ports?
3. I’m no sysadmin, but isn’t UFW/iptables supposed to be blocking those IP addresses even prior to f2b reporting and banning? After all, the packets need to hit the server, go through the firewall, then get an entry logged into the system for f2b to read and act against.
Any help would be greatly appreciated.
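The third question is really about the order in which the kernel walks the `INPUT` chain: fail2ban's `f2b-*` chains are consulted first, then `ufw-before-input` (which ACCEPTs anything in an already ESTABLISHED connection), and only then `ufw-user-input`, where `ufw reject from <ip>` rules live. A quick way to see which rule actually decides a packet's fate is to replay a synthetic packet through an `iptables -S` dump. The script below is an added example, not part of this post or of UFW/fail2ban: the dump it contains is constructed to resemble such a host (the chain names are the ones UFW and fail2ban really create; the addresses are RFC 5737 documentation ranges), and it models only the matches that appear in such dumps (`-s`, `-p`, `--dport`/`--dports`, `--ctstate`), ignoring everything else.

```python
"""Replay a synthetic packet through an `iptables -S` dump and report which rule
gives the verdict, plus the trail of rules that matched on the way there.
Added example with a constructed dump; not the poster's configuration."""
import ipaddress
import shlex

# Constructed dump (a subset of what `sudo iptables -S` prints on a
# UFW + fail2ban host). Addresses are documentation ranges, not real hosts.
IPTABLES_S = """\
-P INPUT DROP
-N f2b-sshd
-N ufw-before-input
-N ufw-user-input
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j ufw-before-input
-A INPUT -j ufw-user-input
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -j RETURN
-A ufw-user-input -s 198.51.100.0/24 -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -j RETURN
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(tokens):
    """Turn the tokens after '-A <chain>' into a small match/target dict."""
    rule = {"src": None, "proto": None, "dports": None, "ctstate": None, "target": None}
    i = 0
    while i < len(tokens):
        t = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if t == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif t == "-p":
            rule["proto"] = arg
        elif t in ("--dport", "--dports"):
            rule["dports"] = {int(p) for p in arg.split(",")}
        elif t == "--ctstate":
            rule["ctstate"] = set(arg.split(","))
        elif t == "-j":
            rule["target"] = arg
        elif t not in ("-m", "--reject-with", "-i", "-o", "-d"):
            i += 1          # unknown flag or bare word: skip just this token
            continue
        i += 2              # a flag plus its argument
    return rule


def parse_dump(text):
    """Return (policies, chains): built-in chain policies and ordered rules per chain."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "-P":
            policies[tokens[1]] = tokens[2]
        elif tokens[0] == "-N":
            chains.setdefault(tokens[1], [])
        elif tokens[0] == "-A":
            chains.setdefault(tokens[1], []).append(parse_rule(tokens[2:]))
    return policies, chains


def matches(rule, pkt):
    """True when every match the rule carries agrees with the packet."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dports"] is not None and pkt["dport"] not in rule["dports"]:
        return False
    if rule["ctstate"] is not None and pkt["state"] not in rule["ctstate"]:
        return False
    return True


def walk(policies, chains, pkt, chain="INPUT", path=None):
    """Follow the chain the way the kernel does: the first matching terminating
    rule wins, user chains are entered with -j and left on RETURN or when
    exhausted, and a built-in chain falls back to its policy."""
    path = [] if path is None else path
    for n, rule in enumerate(chains.get(chain, []), 1):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        path.append(f"{chain}#{n}")
        if target in TERMINAL:
            return target, path
        if target == "RETURN":
            break
        if target in chains:                 # jump into a user-defined chain
            verdict, path = walk(policies, chains, pkt, target, path)
            if verdict is not None:
                return verdict, path
        # LOG and other non-terminating targets just fall through
    return policies.get(chain), path


def verdict_for(src, dport, state="NEW", proto="tcp", dump=IPTABLES_S):
    """Verdict and matched-rule trail for one packet against a dump."""
    policies, chains = parse_dump(dump)
    pkt = {"src": src, "dport": dport, "state": state, "proto": proto}
    return walk(policies, chains, pkt)


if __name__ == "__main__":
    for src, dport, state in [("198.51.100.5", 22, "NEW"),
                              ("198.51.100.5", 22, "ESTABLISHED"),
                              ("203.0.113.7", 22, "NEW"),
                              ("192.0.2.9", 23825, "NEW")]:
        verdict, trail = verdict_for(src, dport, state)
        print(f"{src:>14} dport={dport:<5} {state:<11} -> {verdict:<6} via {' > '.join(trail)}")
```

Two of the constructed cases are the instructive ones: a NEW connection from the UFW-rejected network is refused, but only after the packet has passed through `f2b-sshd` and `ufw-before-input` first; the same source with an ESTABLISHED state is ACCEPTed by `ufw-before-input` before `ufw-user-input` is ever reached, which is why a `ufw reject` added while a session is already open does not cut that session off. To replay real rules, pass the output of `sudo iptables -S` as the `dump` argument. When reading the fail2ban notifications, also keep in mind that the `port NNNNN` field in sshd's auth.log line (`... from 1.2.3.4 port 23825 ssh2`) is the client's source port, while the service being reached is still whatever sshd listens on.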