Several days ago I asked this question Confuse about fail2ban behavior with firewallD in Centos 7
It is a large text with several comments.
It seems something starts flushing iptables after some hours of fail2ban restart I don't get what it is.
A couple of months ago I moved a few Virtual Hosts from a dedicated server I used for more than 10 years to a Contabo VPS.
All goes fine but fail2ban jail. Prisoners escape. :)
My move was from Centos 6 to Centos 7 Webmin/Virtualmin LAMP fail2ban; leaving /etc/sysconfig/iptables, now using firewalld.
As said, after some hours of fail2ban restart, and after some successfully banned IPs, as #sebres suggested, something is flushing iptables because of the symptom "after effects" like
2019-12-05 16:55:20,856 fail2ban.action [1514]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-proftpd[ \t]' -- stdout: ''
and "already banned" notices.
None of the changes I tried in default configurations changed that.
At the end I deleted the Webmin module to manage fail2ban and reinstalled the service.
Renamed /etc/fail2ban to keep backup configurations.
rpm -qa | grep -i fail2ban
then
yum remove fail2ban-server
yum remove fail2ban-firewalld
yum install fail2ban-firewalld (also installs -server)
yum install fail2ban-systemd
then copied old jail.local to new /etc/fail2ban directory
[DEFAULT]
banaction = iptables-multiport
banaction_allports = iptables-allports
[sshd]
enabled = true
port = ssh
maxretry = 4
bantime = 7200
[ssh-ddos]
enabled = true
port = ssh,sftp
filter = sshd-ddos
[webmin-auth]
enabled = true
port = 10000
[proftpd]
enabled = true
bantime = -1
[postfix]
enabled = true
bantime = -1
[dovecot]
enabled = true
bantime = -1
[postfix-sasl]
enabled = true
bantime = -1
I also checked cron jobs to see if something can be flushing iptables in any way.
At this time I have running, periodically, a script to manually reject those "already banned" IPs once.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='xxx.xxx.xxx.xxx' reject"
So my question is how to know what is flusing iptables.
UPADATE 1
After update to stable V 0.10 fail2ban release it seemed problems gone but after 5 days they started again.
Previously, after v0.9 restart, problems started after few hours.
UPADATE 2
Running fail2ban-client -d I got "Found no accessible config files for 'filter.d/sshd-ddos'". That's because I kept the old ssh-ddos config in jail.conf.
So, a subquestion is if I'm right simply making this change (at least no errors in fail2ban-client -d
#filter = sshd-ddos
filter = sshd
mode = agressive (as suggested by #sebres)
Here's the output of fail2ban-client -d
"No, the after effect is there because something is flushing rules, not vice versa"
I understand that, I'm not that fluent in English speaking, I meant that that was a symptom that something happens so the effect.
"So which banning action do you use really?"
Sorry my poor knowledge on this matter. Is that what is included in [Default] part of jail.local?
"(for example can you exclude some service implemented by Contabo installed or integrated in your VPS, that doing that?"
I asked them some time ago but their answer was "...we are providing our customers with the basic installations..." nothing that technical. They have several VPS services and I don't see other people complaining about that.
UPDATE 3
The first jail.local (from fresh Webmin/Virtualmin install) actions were
action = firewallcmd-ipset[]
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
I changed by
banaction = iptables-multiport
banaction_allports = iptables-allports
some time ago.
Now I went back with firewallcmd-ipset as [DEFAULT] and this is the fail2ban-client -d output.
I'll check fail2ban.log. .... After few hours, problems again.
About firewallD Webmin has a section with defined zones/rules and tools to manage them instead of having to write commands in shell. Nothing more.
I cannot imagine fail2ban blame here, but to exclude it (or some action of fail2ban is broken on your side), we should take a look into your configuration...
So provide your whole (unmodified) configuration dump:
fail2ban-client -d
or at least dump of all actions of all jails:
fail2ban-client -d | grep 'action'
now using firewalld
I see pretty sure iptables in your config and the log excerpt (error message).
So which banning action do you use really?
something is flushing iptables because of "after effects" like ...
No, the after effect is there because something is flushing rules, not vice versa.
This can be for example some "firewall" script which you apply to configure iptables (ports, default reject rules, etc), restart of some service due to dependency (restarting or reloading iptables), some script mistakenly implementing knocking, and many others.
I don't think it'd be simple to find it, if you don't have it under your control (for example can you exclude some service implemented by Contabo installed or integrated in your VPS, that doing that?).
UPDATE 1:
I don't see any error in your excerpt... to remove f2b-proftpd (or flush input chain) it should contain:
either <iptables> -D INPUT ... -j f2b-proftpd
or even <iptables> -F INPUT somewhere in actions parameters, excepting actionstop (which is intended stop by shutdown or restart case only).
But it is only available in actionstop as expected:
all entries containing removal from INPUT chain (actionstop only):
<iptables> -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
<iptables> -D INPUT -p tcp -m multiport --dports 10000 -j f2b-webmin-auth
<iptables> -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j f2b-proftpd
<iptables> -D INPUT -p tcp -m multiport --dports smtp,465,submission -j f2b-postfix
<iptables> -D INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps,submission,465,sieve -j f2b-dovecot
<iptables> -D INPUT -p tcp -m multiport --dports smtp,465,submission,imap,imaps,pop3,pop3s -j f2b-postfix-sasl
<iptables> -D INPUT -p tcp -m multiport --dports ssh,sftp -j f2b-ssh-ddos
Thus we could exclude the blame of fail2ban.
Just you said "now using firewalld" - where? In your config dump I see iptables-multiport only:
['set', 'sshd', 'addaction', 'iptables-multiport']
['set', 'webmin-auth', 'addaction', 'iptables-multiport']
['set', 'proftpd', 'addaction', 'iptables-multiport']
['set', 'postfix', 'addaction', 'iptables-multiport']
['set', 'dovecot', 'addaction', 'iptables-multiport']
['set', 'postfix-sasl', 'addaction', 'iptables-multiport']
['set', 'ssh-ddos', 'addaction', 'iptables-multiport'],
So for example if firewald would rewrite INPUT chain of iptables (removes fail2ban entries), you would catch exactly this issue.
Thus better find out which major netfilter your system use and use it as banaction (or avoid rewriting of fail2ban rules e. g. by adding it to fail2ban dependencies, etc).
What I need to achieve
I need count how many users open correct websites and sub websites
e.g. `http://stackoverflow.com'
'https://stackoverflow.com/questions'
What I have
router set on Centos 7
Iptables
https://github.com/xnsystems/kpcre/wiki/iptables-string-regex
I can't use squid.
this count system can't change IP headers (src and dst IP address)
that is why I need count use iptables with log option
or maybe there is software which will count urls without any packet modification
Problem
I can't find a way in which I will see how many IP adress (how many users) hit correct url
My iptables row looks like this and doesn't work
I mean match all urls (with all sub urls) not only http://stackoverflow.com
sudo iptables -I OUTPUT -p tcp --dport 80 -m string --string "^http://stackoverflow.com$" --algo regex -j ACCEPT
Please help me with this case.
UPDATE:
Below three examples please try make them works
sudo iptables -I OUTPUT -p tcp --dport 80 -m string --string stackoverflow.com --algo regex -j ACCEPT
sudo iptables -I OUTPUT -p tcp --dport 80 -m string --string stackoverflow.com/documentation --algo regex -j ACCEPT
sudo iptables -I OUTPUT -p tcp --dport 80 -m string --string stackoverflow.com/questions'; --algo regex -j ACCEPT
As you see I used --algo regex.
If you know another solution without it please suggest.
I checked the specification link, it is not very complete (e.g. \bseems know, but is not explained), but I think the regex you need is:
^(http:\/\/){0,1}[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+(\/[a-zA-Z0-9_-]+){0,}$
UPDATE: Allow http://prefix and /documentation suffix.
Please try.
The use of capture groups () is not specified, but that usually works.
If you give examples which match and should not or do not match and should, I will adapt this answer.
The easiest adaptation is to insert more characters (to be allowed for the URL) between the [a-zA-Z0-9_and the -], in two places.
The line that includes the URL in the packet has not only the URL but also some extra keywords around it.
If you want to block "http://stackoverflow.com" only, then you should specify the URL like this:
iptables -I OUTPUT -p tcp --dport 80 -m string --string "/\/ .+Host: stackoverflow.com/si" --algo regex -j DROP
or if you want to block "http://stackoverflow.com/questions" only, then you should specify the URL like this:
iptables -I OUTPUT -p tcp --dport 80 -m string --string "/\/questions .+Host: stackoverflow.com/si" --algo regex -j DROP
I am a beginner with aerospike with Python client. I have an aerospike [build - 3.9.1.1] installed in a google instance.
How can I connect to the server from another instance?
I tried the following in shell and wouldn't budge:
import aerospike
config = {'hosts': [('xx.mmm.nn.oo', 3000)]}
# the IP from ifconfig | grep "inet addr"
client = aerospike.client(config)
client.connect()
This yields exception as below:
ClientError: (-1L, 'Failed to connect', 'src/main/aerospike/as_cluster.c', 459)
In the remote I tried the following:
This works fine:
asinfo -v "namespaces"
Also this works when I do:
telnet xx.mmm.nn.oo 3003
....
namespaces
...
Going desperate, I have tried setting access-address in the local with the IP of the server [xx.mmm.nn.oo] and that didn't work either!
Please help folks!
Issue apparently resolved by allowing connections by editing the iptables:
/sbin/iptables -A INPUT -p tcp -s XXX.XXX.XXX.XXX -j ACCEPT /sbin/iptables -A OUTPUT -p tcp -d XXX.XXX.XXX.XXX -j ACCEPT –
For some reason my Vagrant/Puppet instance stopped working out of the blue--I am no longer able to reach the VM from my host machine, despite no configuration or network changes.
Interestingly, the private network must be recognized as the browser is attempting to connect, however the request seems to be timing out when issued from OSX... Also worth noting, I have not installed any system updates at this time. The VM was working previously on 10.9.
Steps I have tried to resolve the issue:
vagrant destroy && vagrant up
Result: Vagrant loads properly, SSH works and apache is running with the proper result returned from ping 127.0.0.1
vagrant reload
Result: Same as above; VM reloads successfully, no change in network accessibility
sudo killall -HUP mDNSResponder
Result: No change in accessibility via the bound IP (10.0.0.100)
Port forwarding (explicit) vs "private_network" in vagrant file
Result: No change in accessibility via the bound IP (10.0.2.15)
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Result: No change in accessibility via the bound IP, connection still times out
Vagrant File: http://pastebin.com/Hk8drWxF
Puppet File: http://pastebin.com/20Sp1m22
Any thoughts? Thanks!
Could this be an issue with netmask ? You specify 2 ips there : 10.0.0.100 and 10.0.2.15 if you're using default subnet (class C) you would end up on different subnets and be unable to speak directly to each other.
I know there are many commands we can use to get the open tcp and udp ports of specific application. For example, supposing we have an application whose name is APP, then we can get its port via: lsof -i | grep 'APP', or, netstat -anp | grep APP.
But can we do this via c/c++ source code on linux? Are there any way to achieve this, such as scan the contents under /proc/app/ or using any system API?
this will give you list of ports being used, and netstat source code from net-tools suite may be of help to you