
Resolved fail2ban does not ban on all IPs

King555

I activated fail2ban in Plesk 12 and set the SSH jail to ban after 2 retries for 24h on all ports.

This is the generated "/etc/fail2ban/jail.local":
Code:
[ssh]
enabled = true
maxretry = 2
action = iptables-allports[name=ssh]

I tested it and I'm only banned on the IP of SSH (I have one only for SSH and the Plesk panel).

I have 10 IPs in total on my server. I can still access all other IPs, i.e. my websites.

Why does fail2ban not block me completely?
 
Thanks, but this seems not to be my problem. At first I didn't know what "VPS" meant, but I think it's some kind of vServer or virtual machine. If this is correct: I have a dedicated root server and no virtualization enabled.

According to another article ( http://kb.odin.com/en/122012 ) there has to be an error message in the fail2ban.log file. But I don't have an error message in that log.
 
Any other ideas?

Can you see the exact command which is executed when I say "iptables-allports[name=ssh]" anywhere? Maybe iptables is executed with a destination parameter.
 
If you have access to your shell, you can see your iptables with "iptables -vnL --line-numbers"; there you should see all entries.
 
Thanks. Now I found out that the destination says "everywhere". So that's not the reason for my problem.

This is one example for a fail2ban entry in my iptables:
Code:
Chain fail2ban-plesk-postfix (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       24  1436 REJECT     all  --  any    any     host*-*-*-*.in-addr.btopenworld.com  anywhere             reject-with icmp-port-unreachable

Maybe it's not a problem related to Plesk?
 
Well, it seems to be a kind of misunderstanding - normally, if you activate, for example, only the ssh jail, fail2ban blocks the bad IP for the service ssh - meaning iptables blocks this IP on port 22, nothing else. This IP can still access the other services like http, ftp and so on.

kind regards
Brujo
 
But is it not possible to block that IP from any access? I want to block it from entering any websites, SSH, FTP, mail and even to ping my domains.

I thought I had done this by choosing "iptables-allports" as the block rule in Plesk.

But I found out something else: all IPs are blocked (on all ports), but not the hostnames. I can access all websites via the domain name, but not via the IPs (which was possible before banning). Only ping is also possible via IP.
 
It does not work that way. Fail2ban bans on the service that is being attacked and that you have a jail for. You can always check your logs and put those IPs in your iptables. Write a script that scrapes the fail2ban logs and slaps them in your iptables then restarts them. This is how I do it. I let fail2ban ban the IP for the jailed service and then I enter IPs into iptables and then it is dropped for good on all services. Here is an example of part of my script:

/sbin/iptables -t filter -A INPUT -s 174.92.0.0/16 -j DROP
 
But have a look at the iptables entry in post #7. There's no information about a specific port being blocked. For me it looks like a complete blocking (although it does not work 100%).
 
Problem solved — and it was my own stupidity.

Blocking via IPv4 worked fine all the time. But when I accessed my websites via the domain name, IPv6 was used and of course I was not blocked via IPv6.

Thanks to all who were trying to help!
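
As an added example (not code from any poster in this thread), the following Python script reads `iptables -vnL` and `ip6tables -vnL` output and reports, for each fail2ban chain hooked into INPUT, which protocol and ports the jump covers, which sources are banned, and whether an IPv6 counterpart exists, which is the gap that caused the behaviour above. The listings, the address 203.0.113.7, the port list and the function names are constructed for illustration.

```python
import re

# Constructed `iptables -vnL` / `ip6tables -vnL` output (sample data, not from the thread).
V4 = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   31  1860 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
   12   720 fail2ban-plesk-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination
   24  1436 REJECT     all  --  *      *       203.0.113.7          0.0.0.0/0            reject-with icmp-port-unreachable
    7   424 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-plesk-postfix (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
V6 = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

def parse_chains(listing):
    """Map chain -> rules; IPv4 columns: pkts bytes target prot opt in out source destination [match]."""
    chains, rules = {}, None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+) \(", line)
        fields = line.split()
        if header:
            rules = chains.setdefault(header.group(1), [])
        elif rules is not None and len(fields) >= 8 and fields[0] != "pkts":
            rules.append({"target": fields[2], "prot": fields[3],
                          "source": fields[7], "extra": " ".join(fields[9:])})
    return chains

def ban_scope(v4_listing, v6_listing):
    """For each fail2ban chain hooked into IPv4 INPUT, report what traffic it covers."""
    v4, v6 = parse_chains(v4_listing), parse_chains(v6_listing)
    v6_targets = {r["target"] for r in v6.get("INPUT", [])}  # only targets are read for IPv6
    report = {}
    for jump in v4.get("INPUT", []):
        name = jump["target"]
        if name.startswith("fail2ban-"):
            ports = re.search(r"dports? (\S+)", jump["extra"])
            banned = [r["source"] for r in v4.get(name, []) if r["target"] in ("REJECT", "DROP")]
            report[name] = {"prot": jump["prot"], "ports": ports.group(1) if ports else "all",
                            "banned": banned, "ipv6": name in v6_targets}
    return report
```

On the sample data, `ban_scope(V4, V6)` reports `fail2ban-ssh` as covering tcp on all ports with `ipv6` false, so the banned host still gets through over IPv6 and, on this constructed ruleset, with non-TCP traffic such as ping.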
 