
I have a rule for blocking excessive calls to WordPress XML-RPC:

Filter:

failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

Jail:

enabled  = true
port     = http,https
filter   = php-xmlrpc
logpath  = /var/log/httpd/access_log
maxretry = 6
bantime  = 3600
action   = iptables[name=PHP_XMLRPC, port=http, protocol=tcp]

This seems to be working because I got the following iptables rule during a recent xml-rpc spamming attack:

Chain INPUT (policy ACCEPT)
target               prot opt source               destination         
MANUAL_BANS          all  --  0.0.0.0/0            0.0.0.0/0           
fail2ban-PHP_XMLRPC  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain MANUAL_BANS (1 references)
target     prot opt source               destination         
DROP       tcp  --  221.194.47.0/24      0.0.0.0/0           
DROP       tcp  --  121.18.238.0/24      0.0.0.0/0           
DROP       tcp  --  221.194.44.0/24      0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-PHP_XMLRPC (1 references)
target     prot opt source               destination         
REJECT     all  --  191.96.249.54        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  191.96.249.53        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0     

BUT... somehow my Apache server continued to see requests:

191.96.249.53 - - [14/Mar/2017:11:51:07 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [14/Mar/2017:11:51:04 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [14/Mar/2017:11:51:16 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [14/Mar/2017:11:51:15 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:13 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:21 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:18 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:26 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:32 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:25 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:25 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:35 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:36 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:42 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:33 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:43 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:43 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:44 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:45 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

The online manual for fail2ban says bantime is in seconds, but the above looks like they actually implemented milliseconds (i.e. 3.6 seconds, not 60 minutes)? Have I missed something? How else could httpd still see requests?

I am using

Name        : fail2ban
Arch        : noarch
Version     : 0.8.10
Release     : 3.6.amzn1
Gus
  • Look at the fail2ban log file; you should see when the IP address gets banned and when the ban is removed. If the requests still appear while it is banned, run `netstat -n |grep "191.96.249.54"`. Is the connection still open? The ban will only prevent new connections, not existing ones. – Gerald Schneider Mar 14 '17 at 14:01
  • Oh right I bet that's it. I should possibly configure apache not to keep those connections alive. – Gus Mar 14 '17 at 15:44
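To sanity-check the filter and jail above against an access log like the one in the question, here is an added Python script (not part of the question or of fail2ban itself). It compiles the failregex with a simplified IPv4 pattern in place of fail2ban's `<HOST>` substitution (an assumption; fail2ban's own pattern also handles IPv6), replays constructed log lines with the jail's maxretry=6 and bantime=3600, and lists the matching requests whose timestamps fall inside an active ban, which are the ones to cross-check against the fail2ban log and open connections as the comment suggests.

```python
import re
from datetime import datetime, timedelta

# The question's filter line; <HOST> is fail2ban's placeholder for the client address.
FAILREGEX = r"^<HOST> .*POST .*xmlrpc\.php.*"
# Assumption: a plain IPv4 pattern stands in for fail2ban's own <HOST> substitution.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TIME_RE = re.compile(r"\[([^\]]+)\]")

def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex with a named 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))

def parse_time(line):
    """Apache access-log timestamp, e.g. [14/Mar/2017:11:51:07 +0000]."""
    return datetime.strptime(TIME_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")

def simulate_jail(lines, failregex=FAILREGEX, maxretry=6, findtime=600, bantime=3600):
    """Replay log lines in file order with the jail's counters.
    Returns (bans, seen_while_banned): bans maps host -> ban start times (simplified
    to the timestamp of the request that tripped maxretry); seen_while_banned lists
    (host, timestamp) for matching requests whose timestamp falls inside a ban."""
    rx = compile_failregex(failregex)
    failures, bans, seen_while_banned = {}, {}, []
    for line in lines:
        m = rx.match(line)
        if not m:
            continue  # not a failure for this filter (e.g. a GET)
        host, ts = m.group("host"), parse_time(line)
        if any(b <= ts < b + timedelta(seconds=bantime) for b in bans.get(host, [])):
            seen_while_banned.append((host, ts))  # served while the ban was active
            continue
        # keep only failures inside the findtime window, then count this one
        window = [t for t in failures.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        failures[host] = window
        if len(window) >= maxretry:
            bans.setdefault(host, []).append(ts)
            failures[host] = []  # fail2ban resets the counter once it bans
    return bans, seen_while_banned

def _line(host, second, method="POST", path="/xmlrpc.php"):
    return (f'{host} - - [14/Mar/2017:11:51:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.0" 200 372 "-" "Mozilla/4.0"')

# Constructed sample log (documentation addresses, not the question's hosts): eight
# POSTs from one client, so the sixth trips maxretry=6 and the last two fall inside the ban.
SAMPLE_LOG = ([_line("203.0.113.7", s) for s in range(8)]
              + [_line("198.51.100.9", 3), _line("198.51.100.9", 5, "GET", "/index.php")])
```

Apache stamps each request with the time it was received but writes the log line only when the request completes, which is why the question's log is out of order; feed the script lines in file order, as fail2ban reads them.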
