I'm using fail2ban 0.9.3 on Ubuntu 16.04. My jail.local looks like this:
[DEFAULT]
banaction = ufw
[apache-post]
enabled = true
filter = apache-post
port = http,https
logpath = /var/log/apache2/other_vhosts_access.log
maxretry = 20
bantime = 3600
I have a custom ufw action defined as follows:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip>
actionunban = ufw delete deny from <ip>
(This is different from the one that comes with fail2ban in that it just blocks the IP on all ports.)
The action works - if I do fail2ban-client set apache-post banip 10.0.0.1 and then check ufw status, the IP is banned:
To                         Action      From
--                         ------      ----
Anywhere                   DENY        10.0.0.1
But when the server is then restarted and running, there is a problem. fail2ban is correctly monitoring the logs and initiating bans, but the IPs are not being banned in ufw. Here is a log sample:
2018-10-09 14:00:57,679 fail2ban.actions [31576]: NOTICE [apache-post] Ban 10.0.5.2
2018-10-09 14:01:02,897 fail2ban.actions [31576]: NOTICE [apache-post] 10.0.5.2 already banned
2018-10-09 14:01:07,903 fail2ban.actions [31576]: NOTICE [apache-post] 10.0.5.2 already banned
2018-10-09 14:01:12,908 fail2ban.actions [31576]: NOTICE [apache-post] 10.0.5.2 already banned
2018-10-09 14:01:17,914 fail2ban.actions [31576]: NOTICE [apache-post] 10.0.5.2 already banned
If I check ufw status then the IP has not been banned - so clearly the action hasn't actually been executed, but fail2ban thinks it has.
If I restart the fail2ban server at this point, then it will check the recent logs and successfully ban the IP - i.e., when it performs actions on restart, the ufw action is correctly executed. Similarly if I manually run a banip command then the IP is correctly banned. But the bans from monitoring of logs don't work.
I'm stumped as to why it works manually, but not in normal operation. How do I debug this?
UFW is running:
> sudo ufw status
Status: active
And checking the status of the jail shows that it is active, and it thinks it has banned the IPs:
Status for the jail: apache-post
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 643
|  `- File list: /var/log/apache2/other_vhosts_access.log
`- Actions
   |- Currently banned: 9
   |- Total banned: 11
   `- Banned IP list: 10.0.5.2 (and more)
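One way to confirm the mismatch described in the question (fail2ban lists an IP as banned while ufw holds no DENY rule for it), as an added example that is not part of the original post. The function names `f2b_banned`, `ufw_denied` and `missing_bans` are hypothetical, the sample texts are constructed in the same layout as the output shown above, and only IPv4 addresses are handled.

```shell
#!/bin/sh
# Added example: list IPs that fail2ban reports as banned for a jail
# but that have no DENY rule in ufw. Helper names are hypothetical.

IPV4='^[0-9]+(\.[0-9]+){3}$'

# stdin: output of `fail2ban-client status <jail>`; stdout: banned IPv4s, one per line
f2b_banned() {
  sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s ' \t' '\n' |
    grep -E "$IPV4" | sort -u
}

# stdin: output of `ufw status`; stdout: source IPv4s of DENY rules, one per line
ufw_denied() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "DENY") { print $NF; break } }' |
    grep -E "$IPV4" | sort -u
}

# $1 = fail2ban status text, $2 = ufw status text; prints bans missing from ufw
missing_bans() {
  denied=$(printf '%s\n' "$2" | ufw_denied)
  printf '%s\n' "$1" | f2b_banned | while read -r ip; do
    printf '%s\n' "$denied" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
  done
}

# Constructed sample input (not captured from a real host)
F2B_SAMPLE='Status for the jail: apache-post
|- Filter
|  |- Currently failed: 0
|  `- File list: /var/log/apache2/other_vhosts_access.log
`- Actions
   |- Currently banned: 3
   `- Banned IP list: 10.0.5.2 10.0.0.1 10.0.5.9'

UFW_SAMPLE='Status: active

To                         Action      From
--                         ------      ----
Anywhere                   DENY        10.0.0.1'

echo "Banned in fail2ban but missing from ufw:"
missing_bans "$F2B_SAMPLE" "$UFW_SAMPLE"

# Against a live host (as root), using the commands shown in the post:
#   missing_bans "$(fail2ban-client status apache-post)" "$(ufw status)"
```

Any address this prints is one where fail2ban recorded the ban but the `actionban` command did not leave a rule in ufw.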