
#1 2017-04-16 22:12:34

joelk
Member
Registered: 2017-04-16
Posts: 15

fail2ban customization

I've installed fail2ban 0.9.6 in a new Arch installation and I'm trying to customize fail2ban with a list of permanent blacklisted IP addresses that I want to be reloaded in iptables each time fail2ban restarts. I modified the iptables-multiport.local file that I've been using successfully in Xubuntu to be (I think) consistent with the current fail2ban configuration files, but when I restart fail2ban this file seems to be ignored.

/etc/fail2ban/action.d/iptables-multiport.local contains:

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
              # Persistent banning of IPs
              cat /etc/fail2ban/iptables-blacklist | while read IP; do iptables -I f2b-<name> 1 -s $IP -j DROP; done

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <iptables> -F f2b-<name>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

and /etc/fail2ban/iptables-blacklist does contain the same list of IP addresses that I'm using on other machines running Xubuntu 16.04. But after starting (or restarting) fail2ban, the iptables INPUT chain contains only

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-SSH    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Any ideas why this action isn't functioning?

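A stricter version of the `cat ... | while read IP` loop in the actionstart above, as an added example that is not part of the original post or of fail2ban: it ignores blank lines and `#` comments, validates each entry as an IPv4 address or CIDR before it is handed to iptables, and only prints the rules unless IPTABLES is set. The IPTABLES variable, the function names and the blacklist file format are assumptions.

```sh
#!/bin/sh
# Stand-in for the actionstart blacklist loop (added example, not fail2ban code).
# Assumed blacklist format: one IPv4 address or CIDR per line; blank lines and
# '#' comments are ignored. IPTABLES defaults to a dry run that only prints the
# rules; run as root with IPTABLES=iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"
set -f   # no pathname expansion while we split entries on '.'

# valid_ipv4_cidr ENTRY: succeed only for a.b.c.d or a.b.c.d/N with 0 <= N <= 32
valid_ipv4_cidr() {
    ip=${1%%/*}
    pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32            # no '/': single host
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# load_blacklist FILE CHAIN: insert one DROP rule per valid entry at the top of
# CHAIN, mirroring the actionstart command; invalid entries are reported on
# stderr and skipped instead of being passed to iptables.
load_blacklist() {
    file=$1; chain=$2; loaded=0; skipped=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                                   # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')   # and whitespace
        [ -n "$entry" ] || continue                         # blank / comment-only
        if valid_ipv4_cidr "$entry"; then
            $IPTABLES -I "$chain" 1 -s "$entry" -j DROP
            loaded=$((loaded + 1))
        else
            echo "blacklist: skipping invalid entry: $line" >&2
            skipped=$((skipped + 1))
        fi
    done < "$file"
    echo "blacklist: $loaded rule(s) loaded into $chain, $skipped skipped" >&2
}
```

Called as `load_blacklist /etc/fail2ban/iptables-blacklist f2b-SSH`, it prints the iptables commands it would run; a malformed line never reaches iptables, so one bad entry no longer aborts the rest of the list.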

#2 2017-04-17 13:13:13

joelk
Member
Registered: 2017-04-16
Posts: 15

Re: fail2ban customization

I traced the problem to a line that I copied from this ArchWiki article: https://wiki.archlinux.org/index.php/fa … m_SSH_jail when I was trying to get fail2ban enabled for sshd. That article suggested editing /etc/fail2ban/jail.conf with the following entries:

# copied from https://wiki.archlinux.org/index.php/fail2ban#Custom_SSH_jail
[DEFAULT]
bantime = 864000
ignoreip = 127.0.0.1/8

[sshd]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=your@mail.org, sender=fail2ban@mail.com]
backend  = systemd
maxretry = 5

but fail2ban recommends placing customizations in separate files to avoid being overwritten by package updates, so I created a file called /etc/fail2ban/jail.d/defaults-arch.conf.

I had already modified that file, eliminating the [DEFAULT] section and the sendmail call, and shortening maxretry to 3. But now I finally realized that the "action" line

action   = iptables[name=SSH, port=ssh, protocol=tcp]

was overriding fail2ban's default banaction = iptables-multiport and therefore ignoring /etc/fail2ban/action.d/iptables-multiport.conf and .local.

So I eliminated that line as well, and now I have a file /etc/fail2ban/jail.d/defaults-arch.conf containing just

[sshd]
enabled  = true
filter   = sshd
backend  = systemd
maxretry = 3

This seems to be all that's needed for basic functionality and my iptables-multiport.local action is now loading my iptables-blacklist as I intended.

But I don't understand why the ArchWiki article prefers to override the iptables-multiport default.  Any thoughts on that?

