
Comments (4)

deividgdt commented on August 25, 2024

Hi Hoflz5,

Could you show me your nginx-custom configuration? Anyway, if you see the IP address in the iptables rules but it's not working, that is weird.

Looks like some iptables misconfiguration.

Kind regards

from fail2ban_telegram_notifications.

hoflz5 commented on August 25, 2024

I'm using fail2ban v11.

So the thing is that this works if I comment out the Telegram action as per below:

/etc/fail2ban/filter.d/nginx-custom.conf

[Definition]

failregex = ^<HOST> -.*(GET|POST|HEAD).*(/\.git/config)
            ^<HOST> -.*(GET|POST).*/administrator/index\.php.*500
            ^<HOST> -.*(GET|POST|HEAD).*(/:8880/)
            ^<HOST> -.*(GET|POST|HEAD).*(/addons/theme/stv1/_static/image/favicon\.ico)

..... + 100 more rows like this ....

            ^<HOST> -.*(GET|POST|HEAD).*(/.env)
            ^<HOST> -.*(GET|POST|HEAD).*(/wp)

ignoreregex =


Jail.local with commented out action to verify that the jail works in a normal case:

/etc/fail2ban/jail.local

[nginx-custom]
enabled  = true
port     = http,https
filter   = nginx-custom
logpath  = %(nginx_access_log)s
maxretry = 1
#action   = iptables[name=nginx-custom, port=80, protocol=tcp]
#           telegram

Trying to exploit any of these, the IP ended up in the jail:

sudo fail2ban-client status nginx-custom

Status for the jail: nginx-custom
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	2
|  `- File list:	/var/log/nginx/access.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	2.67.28.16

Log shows a ban:

2021-03-28 10:15:51,027 fail2ban.filter         [1592]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:15:50
2021-03-28 10:15:51,474 fail2ban.actions        [1592]: NOTICE  [nginx-custom] Ban 2.67.28.16

And also the iptables:

sudo iptables -L -nv

Chain INPUT (policy ACCEPT 871 packets, 1638K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  211 22384 f2b-nginx-custom  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 977 packets, 1960K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain f2b-nginx-custom (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   56  2756 REJECT     all  --  *      *       2.67.28.16           0.0.0.0/0            reject-with icmp-port-unreachable
  155 19628 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0    

Ban is now working. I cannot reach the site from this IP.

BUT!
Now I'm going to test with the Telegram action enabled. First remove the IP from the jail and iptables.
sudo fail2ban-client set nginx-custom unbanip 2.67.28.16
sudo iptables -F

Then enable the action in jail.local (telegram indentation is spaces)

[nginx-custom]
enabled  = true
port     = http,https
filter   = nginx-custom
logpath  = %(nginx_access_log)s
maxretry = 1
action   = iptables[name=nginx-custom, port=80, protocol=tcp]
           telegram

Then restart fail2ban:
sudo service fail2ban restart
Now getting notification in Telegram that fail2ban is restarted.
Trying the exploit again -> Get Telegram message that the IP has been banned.

Jail also shows banned:
sudo fail2ban-client status nginx-custom

Status for the jail: nginx-custom
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	109
|  `- File list:	/var/log/nginx/access.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	2.67.28.16

iptables also shows the ban (the only difference I can see is that pkts and bytes are 0 now):
sudo iptables -L -nv

Chain INPUT (policy ACCEPT 1059 packets, 1323K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 f2b-nginx-custom  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1014 packets, 1800K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain f2b-nginx-custom (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       2.67.28.16           0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Log now shows more rows for the new ban of this IP:

2021-03-28 10:23:24,714 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:24
2021-03-28 10:23:24,942 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:24
2021-03-28 10:23:24,948 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:24
2021-03-28 10:23:24,953 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:24
2021-03-28 10:23:24,958 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:24
2021-03-28 10:23:25,164 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:24
2021-03-28 10:23:25,170 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,176 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,181 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,187 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,193 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,198 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,204 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,345 fail2ban.actions        [7999]: NOTICE  [nginx-custom] Ban 2.67.28.16
2021-03-28 10:23:25,411 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,417 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,422 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,427 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,433 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
2021-03-28 10:23:25,438 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:23:25
....
2021-03-28 10:23:27,756 fail2ban.actions        [7999]: NOTICE  [nginx-custom] 2.67.28.16 already banned
2021-03-28 10:23:27,756 fail2ban.actions        [7999]: NOTICE  [nginx-custom] 2.67.28.16 already banned
2021-03-28 10:23:27,756 fail2ban.actions        [7999]: NOTICE  [nginx-custom] 2.67.28.16 already banned
2021-03-28 10:23:27,756 fail2ban.actions        [7999]: NOTICE  [nginx-custom] 2.67.28.16 already banned

If I try to access the same URL again, the site loads normally. So the ban IS NOT working. I also get a notification in the fail2ban log that the IP is already banned:

2021-03-28 10:28:57,113 fail2ban.filter         [7999]: INFO    [nginx-custom] Found 2.67.28.16 - 2021-03-28 10:28:56
2021-03-28 10:28:57,354 fail2ban.actions        [7999]: WARNING [nginx-custom] 2.67.28.16 already banned

Also I'm having this warning when starting up the fail2ban service (both with and without Telegram):
2021-03-28 10:34:48,058 fail2ban.configreader [8496]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'


deividgdt commented on August 25, 2024

Hi Hoflz,

There's another difference between those two iptables outputs: the port 443. When you enable the action to send Telegram messages, just port 80 is configured:

action = iptables[name=nginx-custom, port=80, protocol=tcp]

but when this action is disabled, and an IP address gets banned, the destination ports are 80 and 443.

Chain INPUT (policy ACCEPT 871 packets, 1638K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  211 22384 f2b-nginx-custom  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

So, most probably you need to set port 443 in the action configuration as follows:

action   = iptables[name=nginx-custom, port="80,443", protocol=tcp]

Kind regards,


hoflz5 commented on August 25, 2024

Hmm, that is interesting.
I actually tried with port=all before, but that didn't end well.
When adding 443 now as you mentioned, everything becomes null in iptables (after first unbanning, then resetting with sudo iptables -F, then restarting the fail2ban service):

Chain f2b-nginx-custom (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
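As an added diagnostic, not code from this thread or from the fail2ban_telegram_notifications project, the script below parses `iptables -L -nv` output and reports the three states this thread runs into: the jail chain having 0 references (nothing in INPUT jumps to it), the INPUT jump matching only port 80 instead of 80,443, and no REJECT rule for the banned IP. The three samples are constructed from the output quoted above; the chain name, IP and expected ports are taken from the thread.

```python
import re
# Constructed samples, cut down from the iptables output quoted in this thread.
WORKING = """Chain INPUT (policy ACCEPT 871 packets, 1638K bytes)
 pkts bytes target     prot opt in     out     source               destination
  211 22384 f2b-nginx-custom  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
Chain f2b-nginx-custom (1 references)
 pkts bytes target     prot opt in     out     source               destination
   56  2756 REJECT     all  --  *      *       2.67.28.16           0.0.0.0/0            reject-with icmp-port-unreachable"""
BROKEN = """Chain INPUT (policy ACCEPT 1059 packets, 1323K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 f2b-nginx-custom  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
Chain f2b-nginx-custom (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       2.67.28.16           0.0.0.0/0            reject-with icmp-port-unreachable"""
UNHOOKED = """Chain f2b-nginx-custom (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:(\d+) references|policy [^)]*)\)")

def parse_iptables(text: str) -> dict:
    """Parse `iptables -L -nv` into {chain: {"references": n (None for built-ins), "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:  # built-in chains print a policy, user chains a reference count
            current = chains.setdefault(m.group(1), {"references": int(m.group(2)) if m.group(2) else None, "rules": []})
            continue
        f = line.split()
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or column header
        current["rules"].append({"pkts": f[0], "target": f[2], "source": f[7], "extra": " ".join(f[9:])})
    return chains

def ports_in_rule(extra: str) -> set:
    """Destination ports a jump rule matches: 'tcp dpt:80' or 'multiport dports 80,443'."""
    m = re.search(r"\bdpts?:(\d+)", extra) or re.search(r"\bdports (\S+)", extra)
    return {int(p) for p in m.group(1).split(",")} if m else set()

def audit_ban(text: str, jail_chain: str, ip: str, expected: set) -> list:
    """Reasons a fail2ban iptables ban on `ip` would not take effect (empty list = looks fine)."""
    chains = parse_iptables(text)
    jail = chains.get(jail_chain, {"references": 0, "rules": []})  # missing chain counts as unhooked
    findings = []
    if jail["references"] == 0:
        findings.append(f"{jail_chain} has 0 references: no INPUT rule jumps to it")
    hooks = [r for r in chains.get("INPUT", {"rules": []})["rules"] if r["target"] == jail_chain]
    covered = set().union(*(ports_in_rule(r["extra"]) for r in hooks))
    if expected - covered:
        findings.append(f"jump into {jail_chain} matches ports {sorted(covered)}, not {sorted(expected - covered)}")
    if not any(r["target"] in ("REJECT", "DROP") and r["source"] == ip for r in jail["rules"]):
        findings.append(f"no REJECT/DROP rule for {ip} in {jail_chain}")
    return findings
```

Feed it the live output with `audit_ban(subprocess.run(["iptables", "-L", "-nv"], capture_output=True, text=True).stdout, "f2b-nginx-custom", ip, {80, 443})` to check a real host.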
